Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    926aa0310c53110ceccb9125a1bfdeb6fc1e913dc357f1c5160be091c2a72db3.exe

  • Size

    738KB

  • MD5

    4bef477b8b24b843ea1d609ca23e2d4c

  • SHA1

    8c75026123b8b68fbe1cf7c38c90dbe104f629c0

  • SHA256

    926aa0310c53110ceccb9125a1bfdeb6fc1e913dc357f1c5160be091c2a72db3

  • SHA512

    17dc7371396f6598be756f493794e500812940db79e851f9da9779fd5da6134e83cdf8b5e00f874f5cbc9bb9d41542a6341de8ccca075705b43b16794b39b699

  • SSDEEP

    12288:aMrGy90JtPGsjKsdMs1dvT/fJ9rHMvApRiwW6NNlT0eOfscTYggZc0qS:oyujKAjvT/fJ5mkRiwWyT0eOfscTYggT

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\926aa0310c53110ceccb9125a1bfdeb6fc1e913dc357f1c5160be091c2a72db3.exe
    "C:\Users\Admin\AppData\Local\Temp\926aa0310c53110ceccb9125a1bfdeb6fc1e913dc357f1c5160be091c2a72db3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4160
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4574660.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4574660.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9990723.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9990723.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4852
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3540285.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3540285.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2868
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7466593.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7466593.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:756
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5502827.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5502827.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3828
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4456
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 148
              6⤵
              • Program crash
              PID:2240
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9514468.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9514468.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3044
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3828 -ip 3828
    1⤵
      PID:616

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4574660.exe
      Filesize

      531KB

      MD5

      26a895e596c92d2364e00e9f64a9876c

      SHA1

      92fb5a4470e1b164141c20e336b80e1762cd3e05

      SHA256

      822ff178db44abb33f6b50d58d4b17562ec5f0cd1d82e165a9c60232d0cc40a0

      SHA512

      1485771d6689b4ff7de57f20fd7feacc3a956763463709ecd72b0de73bc8229a8d76a9c22b4bb7f7ef62ca4387b204203adb2d0fc725fa8acbe5b8c97ee05c95

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4574660.exe
      Filesize

      531KB

      MD5

      26a895e596c92d2364e00e9f64a9876c

      SHA1

      92fb5a4470e1b164141c20e336b80e1762cd3e05

      SHA256

      822ff178db44abb33f6b50d58d4b17562ec5f0cd1d82e165a9c60232d0cc40a0

      SHA512

      1485771d6689b4ff7de57f20fd7feacc3a956763463709ecd72b0de73bc8229a8d76a9c22b4bb7f7ef62ca4387b204203adb2d0fc725fa8acbe5b8c97ee05c95

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9990723.exe
      Filesize

      359KB

      MD5

      cd8fd82257a28391efe5d0396ff51028

      SHA1

      de79416fd567cd6c102b2be10b32aad7c02fc652

      SHA256

      48828153f753ebdff51931e36e9a451e86ff009a8be08207e838404e02cb95b7

      SHA512

      06509f28ba30cf03d5deabfbf7520ad3f8a9a062de729cc4e7f8044ceabbf05f601ac3ce30b9cccd10c37ffca8c74ffe4a595a6d6e4258e2f35763a88d4b4fe2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9990723.exe
      Filesize

      359KB

      MD5

      cd8fd82257a28391efe5d0396ff51028

      SHA1

      de79416fd567cd6c102b2be10b32aad7c02fc652

      SHA256

      48828153f753ebdff51931e36e9a451e86ff009a8be08207e838404e02cb95b7

      SHA512

      06509f28ba30cf03d5deabfbf7520ad3f8a9a062de729cc4e7f8044ceabbf05f601ac3ce30b9cccd10c37ffca8c74ffe4a595a6d6e4258e2f35763a88d4b4fe2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9514468.exe
      Filesize

      172KB

      MD5

      e00119f5e32cc9c4771861bbe5ae57cc

      SHA1

      79bd530132161c44f34f7e69759a80cf9576718e

      SHA256

      ebf1f155bb9214a9f67afe398797eb7e0d346fd35265c365a7f6739eb0490083

      SHA512

      cf6224f04a47fac15163ea166b8a9a9ba6bc08578847fbc6b6b8b1ee813aa5b4d5af34137de624895a9f02993935e520f55043e345fa2c3043e9bfc68f758981

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9514468.exe
      Filesize

      172KB

      MD5

      e00119f5e32cc9c4771861bbe5ae57cc

      SHA1

      79bd530132161c44f34f7e69759a80cf9576718e

      SHA256

      ebf1f155bb9214a9f67afe398797eb7e0d346fd35265c365a7f6739eb0490083

      SHA512

      cf6224f04a47fac15163ea166b8a9a9ba6bc08578847fbc6b6b8b1ee813aa5b4d5af34137de624895a9f02993935e520f55043e345fa2c3043e9bfc68f758981

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3540285.exe
      Filesize

      204KB

      MD5

      e4937ad3b34c3b93b89ba06c04d338a6

      SHA1

      a81c5e4c4bd85df45a3f293da582c5d409dd0aa0

      SHA256

      4ab731d059a834cac9a92f0d281f318ba44a2a8a154c92664bc8375f9d08554a

      SHA512

      3c044cc1fc9bdbd7c6612015371111415b4c17339322818f53bf566b07a5147806507a508de2dd8b8722e41014d27b8c7b1594638c121ea911c892fda333f96b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3540285.exe
      Filesize

      204KB

      MD5

      e4937ad3b34c3b93b89ba06c04d338a6

      SHA1

      a81c5e4c4bd85df45a3f293da582c5d409dd0aa0

      SHA256

      4ab731d059a834cac9a92f0d281f318ba44a2a8a154c92664bc8375f9d08554a

      SHA512

      3c044cc1fc9bdbd7c6612015371111415b4c17339322818f53bf566b07a5147806507a508de2dd8b8722e41014d27b8c7b1594638c121ea911c892fda333f96b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7466593.exe
      Filesize

      13KB

      MD5

      6efe3b625ff56e7be32778c7ff290744

      SHA1

      d67cd6816741f4038ef87efb09c1dba0fa62875d

      SHA256

      4dd215f04c5ab29c69806d969e7aefad01b5c9dee2e6a087a859a7e330789a2d

      SHA512

      d4cdf5a3869ef59db75f9cec8076b4d1d6afc54df7fcc7b0f59f0a2179583ca5ad932246361ff947cb2aadabfa4b2e650439927fff1dad120855f271c2baf09c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7466593.exe
      Filesize

      13KB

      MD5

      6efe3b625ff56e7be32778c7ff290744

      SHA1

      d67cd6816741f4038ef87efb09c1dba0fa62875d

      SHA256

      4dd215f04c5ab29c69806d969e7aefad01b5c9dee2e6a087a859a7e330789a2d

      SHA512

      d4cdf5a3869ef59db75f9cec8076b4d1d6afc54df7fcc7b0f59f0a2179583ca5ad932246361ff947cb2aadabfa4b2e650439927fff1dad120855f271c2baf09c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5502827.exe
      Filesize

      120KB

      MD5

      197f305b3fc33004d5cfdc8b7451df82

      SHA1

      ac36bd70831c561f614f7eadea5f7989a31099de

      SHA256

      612438ff43b1b51f8c0d7f88cc083d4c75548a0347990a2f80d83ccc51010665

      SHA512

      b2bf8a64ff5b68326dcc56b854c329852a20c7788542e82f4a860c3f15662bffc2d6aff516f2de2b369b5ce4a8d09e1ce58208f85a91e4302a2fb029b3088279

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5502827.exe
      Filesize

      120KB

      MD5

      197f305b3fc33004d5cfdc8b7451df82

      SHA1

      ac36bd70831c561f614f7eadea5f7989a31099de

      SHA256

      612438ff43b1b51f8c0d7f88cc083d4c75548a0347990a2f80d83ccc51010665

      SHA512

      b2bf8a64ff5b68326dcc56b854c329852a20c7788542e82f4a860c3f15662bffc2d6aff516f2de2b369b5ce4a8d09e1ce58208f85a91e4302a2fb029b3088279

      Download Submit
    • memory/756-161-0x00000000002C0000-0x00000000002CA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3044-175-0x0000000000EB0000-0x0000000000EE0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3044-181-0x000000000AFA0000-0x000000000B016000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3044-176-0x000000000B230000-0x000000000B848000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3044-177-0x000000000AD20000-0x000000000AE2A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3044-178-0x000000000AC30000-0x000000000AC42000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3044-179-0x0000000005880000-0x0000000005890000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3044-180-0x000000000AC90000-0x000000000ACCC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3044-189-0x000000000CD20000-0x000000000D24C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3044-182-0x000000000B0C0000-0x000000000B152000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3044-183-0x000000000BE00000-0x000000000C3A4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3044-184-0x000000000B160000-0x000000000B1C6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3044-186-0x0000000005880000-0x0000000005890000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3044-187-0x000000000C400000-0x000000000C450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3044-188-0x000000000C620000-0x000000000C7E2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4456-167-0x0000000000160000-0x000000000016A000-memory.dmp
      Filesize

      40KB

      Download