Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 13:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4eacb38731971cff8cf5a14906c91d0deb6a1f6032ed8ba12379348f9a9e27ea.exe

  • Size

    738KB

  • MD5

    10e18a2707e9318a0a7a16c01db038f2

  • SHA1

    27a9d8341fde920ded27a3938d4a9b39ad58466e

  • SHA256

    4eacb38731971cff8cf5a14906c91d0deb6a1f6032ed8ba12379348f9a9e27ea

  • SHA512

    a3bcca06515d29cdbd2ea51650fd33650e786e37dbe2fa5efdd7cda8eb843e06a2738174252ae5ebc1f3d5865e3b454430e5da5c4a09d50a15a32ac84a3f2d0d

  • SSDEEP

    12288:0Mr8y90crGBjpLTERugc/m1iRa/1NoXZky8p8jg/AeGK+rrw4wP:wyXrGBNYR/y6w4Nryc0eyf/4

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4eacb38731971cff8cf5a14906c91d0deb6a1f6032ed8ba12379348f9a9e27ea.exe
    "C:\Users\Admin\AppData\Local\Temp\4eacb38731971cff8cf5a14906c91d0deb6a1f6032ed8ba12379348f9a9e27ea.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2437455.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2437455.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:740
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7813382.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7813382.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7123689.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7123689.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:456
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5678314.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5678314.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4940
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5548244.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5548244.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:652
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:804
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 560
              6⤵
              • Program crash
              PID:3464
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5705630.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5705630.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1580
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 652 -ip 652
    1⤵
      PID:1532

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2437455.exe
      Filesize

      531KB

      MD5

      be6b61d9758332336685eb52122cc4f7

      SHA1

      ae43260ed69157f9082259af3a3628b73c55e615

      SHA256

      2401a3b5d3a94d617fa4392b5749b730c323988be2e0d81d58b6d9efdb1963b1

      SHA512

      5ba0ae382c06c9caa15815d56c6b196d1102c64ba9a26f7c409e8a441b4c558a81bf3883461a17005c7ea3bd54e795442a07f48789e8b0269456fe81aa6b9e89

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2437455.exe
      Filesize

      531KB

      MD5

      be6b61d9758332336685eb52122cc4f7

      SHA1

      ae43260ed69157f9082259af3a3628b73c55e615

      SHA256

      2401a3b5d3a94d617fa4392b5749b730c323988be2e0d81d58b6d9efdb1963b1

      SHA512

      5ba0ae382c06c9caa15815d56c6b196d1102c64ba9a26f7c409e8a441b4c558a81bf3883461a17005c7ea3bd54e795442a07f48789e8b0269456fe81aa6b9e89

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7813382.exe
      Filesize

      358KB

      MD5

      15f4bdf8537cec19607fcd1effabf172

      SHA1

      549b770d5cc534a57160cde8016dd996b4c12e15

      SHA256

      624c1ff6bf671cfb450f40ceed50e79c6770b49dc897bc51c751c22b3333b4f2

      SHA512

      8e17be931e8267e3c1eb606d592877853cc78a1085b4b27d7d38515cdd1227605caa89afe0dda89e6a7cfc89f4c808619abdef5602be3fd82882d38e263cb187

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7813382.exe
      Filesize

      358KB

      MD5

      15f4bdf8537cec19607fcd1effabf172

      SHA1

      549b770d5cc534a57160cde8016dd996b4c12e15

      SHA256

      624c1ff6bf671cfb450f40ceed50e79c6770b49dc897bc51c751c22b3333b4f2

      SHA512

      8e17be931e8267e3c1eb606d592877853cc78a1085b4b27d7d38515cdd1227605caa89afe0dda89e6a7cfc89f4c808619abdef5602be3fd82882d38e263cb187

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5705630.exe
      Filesize

      172KB

      MD5

      39c58bc1deb5fbb6892f8702ec4fe16f

      SHA1

      2f28962a5d7a189c92d135b485d3c5d69c49539f

      SHA256

      5d88a4c9c964a437c31e9ed9d51c3ab8a5583693df5d61434ef8454f4da8fc26

      SHA512

      4516b7f6c896778ccea2913329c98545004c3e4d083f5f1d14c6beef0f2ed65270112de53c1e2771b06d86faf6311656e910e25b8cb5a4ea5362f39e2628e0a8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5705630.exe
      Filesize

      172KB

      MD5

      39c58bc1deb5fbb6892f8702ec4fe16f

      SHA1

      2f28962a5d7a189c92d135b485d3c5d69c49539f

      SHA256

      5d88a4c9c964a437c31e9ed9d51c3ab8a5583693df5d61434ef8454f4da8fc26

      SHA512

      4516b7f6c896778ccea2913329c98545004c3e4d083f5f1d14c6beef0f2ed65270112de53c1e2771b06d86faf6311656e910e25b8cb5a4ea5362f39e2628e0a8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7123689.exe
      Filesize

      203KB

      MD5

      d1a5e6cb69629fd286da088c2ba7eb50

      SHA1

      4115d389716204e44ae2b73f94362a49885fee76

      SHA256

      be2c464a87a6ad986a1828facdf6bdcf62db7d9b6b2d23c968ed8559a42aa649

      SHA512

      a4b31cf1e842255604afb7574f2e35d20789277fe8f2192696a66c3871321278e5037dc2d2728e1f5be3ba5ff90d0605670685409f8e119a80a3d9d462516580

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7123689.exe
      Filesize

      203KB

      MD5

      d1a5e6cb69629fd286da088c2ba7eb50

      SHA1

      4115d389716204e44ae2b73f94362a49885fee76

      SHA256

      be2c464a87a6ad986a1828facdf6bdcf62db7d9b6b2d23c968ed8559a42aa649

      SHA512

      a4b31cf1e842255604afb7574f2e35d20789277fe8f2192696a66c3871321278e5037dc2d2728e1f5be3ba5ff90d0605670685409f8e119a80a3d9d462516580

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5678314.exe
      Filesize

      13KB

      MD5

      edbd5cce4624a9057086827bd2841bb3

      SHA1

      2df02a47978b2cbe0513c7600b0196431d558391

      SHA256

      c05e650dd9132511f0091389122637fa42fa0a926e8e6b9547afcda1e6d1de89

      SHA512

      f8792820849706ffd355222406fefc8bc30808a94915933fceb5f6a93b88cd76e08721357cd1205f8dc0560b5375378f42805f7f6b4dcfa8cb7308ff4a5ee48c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5678314.exe
      Filesize

      13KB

      MD5

      edbd5cce4624a9057086827bd2841bb3

      SHA1

      2df02a47978b2cbe0513c7600b0196431d558391

      SHA256

      c05e650dd9132511f0091389122637fa42fa0a926e8e6b9547afcda1e6d1de89

      SHA512

      f8792820849706ffd355222406fefc8bc30808a94915933fceb5f6a93b88cd76e08721357cd1205f8dc0560b5375378f42805f7f6b4dcfa8cb7308ff4a5ee48c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5548244.exe
      Filesize

      120KB

      MD5

      3a44950b1269b12608d64336555e034a

      SHA1

      12cfc264a81aeed0acc14067f5ef88a0ed7549cf

      SHA256

      2ebc5b11005ed5c2827bcd325e1c448edb24f62c5e033437ed0c3c37621a6a34

      SHA512

      574d681f015a9ed22162724d556eb41325629e1dbcd0b702400e676d8dc5829299664a659d6d2a920468630b2ae5eecf5e4de1e0b0536e53146da7435dc46d19

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5548244.exe
      Filesize

      120KB

      MD5

      3a44950b1269b12608d64336555e034a

      SHA1

      12cfc264a81aeed0acc14067f5ef88a0ed7549cf

      SHA256

      2ebc5b11005ed5c2827bcd325e1c448edb24f62c5e033437ed0c3c37621a6a34

      SHA512

      574d681f015a9ed22162724d556eb41325629e1dbcd0b702400e676d8dc5829299664a659d6d2a920468630b2ae5eecf5e4de1e0b0536e53146da7435dc46d19

      Download Submit
    • memory/804-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1580-175-0x00000000001B0000-0x00000000001E0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1580-181-0x000000000A2A0000-0x000000000A316000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1580-176-0x000000000A4A0000-0x000000000AAB8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1580-177-0x0000000009FF0000-0x000000000A0FA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1580-178-0x0000000009F30000-0x0000000009F42000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1580-179-0x0000000009F90000-0x0000000009FCC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1580-180-0x0000000004AF0000-0x0000000004B00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1580-189-0x0000000004AF0000-0x0000000004B00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1580-182-0x000000000AB60000-0x000000000ABF2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1580-183-0x000000000B1B0000-0x000000000B754000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1580-184-0x000000000AC00000-0x000000000AC66000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1580-186-0x000000000B760000-0x000000000B922000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1580-187-0x000000000BE60000-0x000000000C38C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1580-188-0x000000000B0C0000-0x000000000B110000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4940-161-0x0000000000130000-0x000000000013A000-memory.dmp
      Filesize

      40KB

      Download