Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 10:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe

  • Size

    738KB

  • MD5

    7d6d01b7c3df47a2a39be56193817755

  • SHA1

    7e9ca287926b479f1f8eae2e3868dbad49536e51

  • SHA256

    fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a

  • SHA512

    ec806cf71621ae75927e4199a8be3c366adf311a5d65071101c73881c6a1d990fc72a021fbdb30e9a7984d503245ee29166591fc17c49372cb9c3d12d085e2d0

  • SSDEEP

    12288:ZMrYy90L8oZeYoRGMwo3D8gvLrYw2Api257LxV8GUBD1jeIOQ4NYjRu+R:pya8ouE03pvLrYVq/eGID16I10+R

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe
    "C:\Users\Admin\AppData\Local\Temp\fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1934255.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1934255.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1811017.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1811017.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3112
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6061350.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6061350.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1680
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1183090.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1183090.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9439976.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9439976.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:100
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1328
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 152
              6⤵
              • Program crash
              PID:1272
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9037711.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9037711.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:560
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 100 -ip 100
    1⤵
      PID:5084

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1934255.exe
      Filesize

      531KB

      MD5

      e38542dbc634e1c9cc932901142166c8

      SHA1

      924db07c74addd4d3efac85491f29b66545d0e43

      SHA256

      2a7d4cf9010bee1a75e7378ab03365bc5a1550f4bb8a5a11ef767c423e6f373b

      SHA512

      d7dc5e291d6fb25cee9b63dca3c42d27425afc35d8062404a9ce06793c31d89efd83e63a0948f73cd73fad3fba7603bbbb06601e5feb501d90bc11830e33ff52

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1934255.exe
      Filesize

      531KB

      MD5

      e38542dbc634e1c9cc932901142166c8

      SHA1

      924db07c74addd4d3efac85491f29b66545d0e43

      SHA256

      2a7d4cf9010bee1a75e7378ab03365bc5a1550f4bb8a5a11ef767c423e6f373b

      SHA512

      d7dc5e291d6fb25cee9b63dca3c42d27425afc35d8062404a9ce06793c31d89efd83e63a0948f73cd73fad3fba7603bbbb06601e5feb501d90bc11830e33ff52

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1811017.exe
      Filesize

      359KB

      MD5

      013fd9ff7f426d4d7e4edff0aa363669

      SHA1

      7f53a5a5462748cdcbfaf8a7a8a064444d6969b1

      SHA256

      ab0857d7e28d001e47b9960ef249b084873ad2add5f71bff19a94ce990fe77af

      SHA512

      38706aa58f232f60bfd5ba9c9fef2a6ba4933464d403a0e28d448bd03a5965185b6094799823375fed533f310a41f11b5de1375254c221a7e465790a1e4865e3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1811017.exe
      Filesize

      359KB

      MD5

      013fd9ff7f426d4d7e4edff0aa363669

      SHA1

      7f53a5a5462748cdcbfaf8a7a8a064444d6969b1

      SHA256

      ab0857d7e28d001e47b9960ef249b084873ad2add5f71bff19a94ce990fe77af

      SHA512

      38706aa58f232f60bfd5ba9c9fef2a6ba4933464d403a0e28d448bd03a5965185b6094799823375fed533f310a41f11b5de1375254c221a7e465790a1e4865e3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9037711.exe
      Filesize

      172KB

      MD5

      ebdf0f9c5cb81a62ce9c7347ba1fc812

      SHA1

      5b84fc80114b912057b45a50134cc23e983238db

      SHA256

      f05bea1fdd45456e5140492a2cc1855d8ef8b4bcc0105f1b80baa60f8c73e9e9

      SHA512

      aed76b52509676eac8b2d99d9054ab8febd510af08472b0fca4f93bf408b955ba2b155f21a6742b533d35a43732227046f36f79b0c7503055f4b56ebea356453

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9037711.exe
      Filesize

      172KB

      MD5

      ebdf0f9c5cb81a62ce9c7347ba1fc812

      SHA1

      5b84fc80114b912057b45a50134cc23e983238db

      SHA256

      f05bea1fdd45456e5140492a2cc1855d8ef8b4bcc0105f1b80baa60f8c73e9e9

      SHA512

      aed76b52509676eac8b2d99d9054ab8febd510af08472b0fca4f93bf408b955ba2b155f21a6742b533d35a43732227046f36f79b0c7503055f4b56ebea356453

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6061350.exe
      Filesize

      204KB

      MD5

      12c77008c7e8d7bd9cca8f1205258da3

      SHA1

      75bf95fb3df76edeec28d421f034cfce60b42dee

      SHA256

      09d20c3d61899b2d4bf62acfdb0ad4a4e0236cc928c8903a8ad35b35b87543e5

      SHA512

      e5048c3ceddfac254a7359951291f4c4d5074edfc79be03daa7c73c06dadd78b52c09a846f61236fc8716cb762f16b45f768f252f3dc293d2c55b0938725d0de

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6061350.exe
      Filesize

      204KB

      MD5

      12c77008c7e8d7bd9cca8f1205258da3

      SHA1

      75bf95fb3df76edeec28d421f034cfce60b42dee

      SHA256

      09d20c3d61899b2d4bf62acfdb0ad4a4e0236cc928c8903a8ad35b35b87543e5

      SHA512

      e5048c3ceddfac254a7359951291f4c4d5074edfc79be03daa7c73c06dadd78b52c09a846f61236fc8716cb762f16b45f768f252f3dc293d2c55b0938725d0de

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1183090.exe
      Filesize

      13KB

      MD5

      cf639a22ff6a665c3a8adc3c9a2a2818

      SHA1

      fd4c929c1e1e21d805a3a773072481fbf065f8c8

      SHA256

      ac85bb2291afe96a0f8aedc7a6898481da3af0ab083d3877d6b0c2c22209339f

      SHA512

      0896751b8efd55b27cf83d0ed0796528e5bd4e1e4f25e25a48cd724ad391289f360ceb86b0706b0da67aeb0f20b40b747b714ef5ac7af79c642d39e155bd77e7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1183090.exe
      Filesize

      13KB

      MD5

      cf639a22ff6a665c3a8adc3c9a2a2818

      SHA1

      fd4c929c1e1e21d805a3a773072481fbf065f8c8

      SHA256

      ac85bb2291afe96a0f8aedc7a6898481da3af0ab083d3877d6b0c2c22209339f

      SHA512

      0896751b8efd55b27cf83d0ed0796528e5bd4e1e4f25e25a48cd724ad391289f360ceb86b0706b0da67aeb0f20b40b747b714ef5ac7af79c642d39e155bd77e7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9439976.exe
      Filesize

      120KB

      MD5

      5a9682af2a44eb7b2fe84b5804e3d1cd

      SHA1

      d6d15f9193baff6148ea83e7580f4f84e35902ae

      SHA256

      35c918845b44d2cf746b5cd94a115fd4848dc811cd596c8ac03d06ce40947854

      SHA512

      436978dc35a29864d8d2a7a02d12af69e37054855ccf017585121ad3e2c64fef71946213397f0eefc294c12e1b849b31f772cad5fbe9612c0b0413d344947057

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9439976.exe
      Filesize

      120KB

      MD5

      5a9682af2a44eb7b2fe84b5804e3d1cd

      SHA1

      d6d15f9193baff6148ea83e7580f4f84e35902ae

      SHA256

      35c918845b44d2cf746b5cd94a115fd4848dc811cd596c8ac03d06ce40947854

      SHA512

      436978dc35a29864d8d2a7a02d12af69e37054855ccf017585121ad3e2c64fef71946213397f0eefc294c12e1b849b31f772cad5fbe9612c0b0413d344947057

      Download Submit
    • memory/560-175-0x0000000000410000-0x0000000000440000-memory.dmp
      Filesize

      192KB

      Download
    • memory/560-180-0x0000000004D70000-0x0000000004D80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/560-189-0x000000000C210000-0x000000000C73C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/560-176-0x000000000A720000-0x000000000AD38000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/560-177-0x000000000A250000-0x000000000A35A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/560-178-0x000000000A190000-0x000000000A1A2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/560-179-0x000000000A1F0000-0x000000000A22C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/560-188-0x000000000BB10000-0x000000000BCD2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/560-181-0x000000000A500000-0x000000000A576000-memory.dmp
      Filesize

      472KB

      Download
    • memory/560-182-0x000000000AD40000-0x000000000ADD2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/560-183-0x000000000B390000-0x000000000B934000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/560-184-0x000000000ADE0000-0x000000000AE46000-memory.dmp
      Filesize

      408KB

      Download
    • memory/560-186-0x000000000B210000-0x000000000B260000-memory.dmp
      Filesize

      320KB

      Download
    • memory/560-187-0x0000000004D70000-0x0000000004D80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1328-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2904-161-0x00000000001B0000-0x00000000001BA000-memory.dmp
      Filesize

      40KB

      Download