Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-06-2023 13:05

General

  • Target

    4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe

  • Size

    738KB

  • MD5

    a5ebeaaee8aeaadecca6a52c53e2d3a5

  • SHA1

    6e8d4b1a6d0cb8e6dfc490b76ae666b4048706ff

  • SHA256

    4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7

  • SHA512

    595fbb516716f4b49abe9f67ed18b9074a58ee937f4ba69a1f79f96f951bd3a1c828db7c20ef2b25f8914e5a645052c3f22897bdac0f7ab3d09fbd6d311554be

  • SSDEEP

    12288:GMrGy905+c1qD86fqGjSTikvLF/ytKFFdAiQM8/NWXWoYwz4rgQxx6OSsx7o01W/:8ya+cK8hbz6tKLdALzFWXYqY36FE7o4c

Malware Config

Extracted

  • Family
    redline
  • Botnet
    maxi
  • C2
    83.97.73.126:19048
  • Attributes
    • auth_value
      6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe
    "C:\Users\Admin\AppData\Local\Temp\4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4079760.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4079760.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6703574.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6703574.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8596962.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8596962.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1096
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0710886.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0710886.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3156
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8336968.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8336968.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1336
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:228
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 140
              6⤵
              • Program crash
              PID:3664
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2763413.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2763413.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2600
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1336 -ip 1336
    1⤵
    PID:1640

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence
      • Modify Existing Service (1) T1031
      • Registry Run Keys / Startup Folder (1) T1060

    Defense Evasion
      • Modify Registry (3) T1112
      • Disabling Security Tools (2) T1089

    Credential Access
      • Credentials in Files (1) T1081

    Discovery
      • Query Registry (1) T1012

    Collection
      • Data from Local System (1) T1005

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4079760.exe
      Filesize

      531KB

      MD5

      c5559933cef54508570297ecb06d6398

      SHA1

      173385861fea7278850f7bed44e3266f62f7fdbd

      SHA256

      e52b36ab12bd0e62c7c9bac727639ee17688fcb7f084cfdba1604c58a4c2d295

      SHA512

      973812859ac8e78b584311298a9671ff985ee1ac1839f3a0a4266e1d3bfb8d219d36e4d411b46d1e0a670fdcb677feb06016017a2440c9dc125177889606316d

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6703574.exe
      Filesize

      358KB

      MD5

      85150f63c80ad22fbe201123a4efc9ae

      SHA1

      0e0bdc927de8a3852de5d32eec3306276034ff8f

      SHA256

      39c10409c726f9b6cfcdbcd916b6cb0818f5278dc9de53048d283012635d7978

      SHA512

      162f241e129b556ec96cc6805435b013ff9dce7022fec51655bf79ac9ddb2f8630748b0c24d20b6dab417c0c223e733ddf38cc26045bbd6bf0d73650a2eca979

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2763413.exe
      Filesize

      172KB

      MD5

      153a76ae542572dd7f9af01385b403e6

      SHA1

      81c9224fee56356fbe98e3a1dc6a54e984a7ccba

      SHA256

      ba11b71bcafc9121fd340c2e2cb784f2fc86b207aa766303bf92ce052423f6a6

      SHA512

      228f7d0cc5f890c9c2cac2552d3a6014930db524f5fb420b90af41f82ac475c6c393bc97e1a3d6546e04239bc9e4c7c17192c64b10e4f23ca30a2a01837441e7

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8596962.exe
      Filesize

      203KB

      MD5

      4f78eb1b2baf664a9091b35b657cb652

      SHA1

      21b68418735f15eb85df55672f2ecf9c7b347caa

      SHA256

      aacdb8a3a2c65b10e1da1bc56a45344d1285b996a992b708442d3db371bd74a4

      SHA512

      44d995f4adf27a4aa489bc930c90dc3496055c692d3f65cb2b4bc79a35c46df8881cd1439a7f62f1a461ea7091f391912ec96f7809f539bc826b65c3906e8d1f

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0710886.exe
      Filesize

      13KB

      MD5

      0ff0f5946cca2600055a274deb11a457

      SHA1

      6a31749b9cf645f839f10879b5467ef613cbc7e2

      SHA256

      4bc6b898c0299b405032a319be6c86d2259633b747163da449f06dc93abb8b7f

      SHA512

      99c2760872b3c3e444a3bf77fd81f0c5f35f69cd490ce566cef603645ccdd94835a9fcfdd5f71ec7f3ae8febbcc6db62808a043d501543759626fbcdc047ea2b

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8336968.exe
      Filesize

      120KB

      MD5

      f80099c6b4822d3438aab8c6acb81349

      SHA1

      2ff8e01fe5cbff3293f12e26162bc7aff0cd558d

      SHA256

      c82dd18e6b973b1b66cb5e505712aa7de2dc2b9bf7a332ed78f0de9ff17a3f8f

      SHA512

      d055332243cec6ba1b764c0181ae321d5f4b4541d161de5daf582d6807c5714aeb765cc00a31b3c7c13cfa1f21479ef087aebfc2af9855e921d5008b530cd419

    • memory/228-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

    • memory/2600-175-0x0000000000900000-0x0000000000930000-memory.dmp
      Filesize

      192KB

    • memory/2600-181-0x000000000A9F0000-0x000000000AA66000-memory.dmp
      Filesize

      472KB

    • memory/2600-176-0x000000000AC30000-0x000000000B248000-memory.dmp
      Filesize

      6.1MB

    • memory/2600-177-0x000000000A740000-0x000000000A84A000-memory.dmp
      Filesize

      1.0MB

    • memory/2600-178-0x000000000A680000-0x000000000A692000-memory.dmp
      Filesize

      72KB

    • memory/2600-179-0x0000000005180000-0x0000000005190000-memory.dmp
      Filesize

      64KB

    • memory/2600-180-0x000000000A6E0000-0x000000000A71C000-memory.dmp
      Filesize

      240KB

    • memory/2600-189-0x000000000C720000-0x000000000CC4C000-memory.dmp
      Filesize

      5.2MB

    • memory/2600-182-0x000000000AB10000-0x000000000ABA2000-memory.dmp
      Filesize

      584KB

    • memory/2600-183-0x000000000B800000-0x000000000BDA4000-memory.dmp
      Filesize

      5.6MB

    • memory/2600-184-0x000000000ABB0000-0x000000000AC16000-memory.dmp
      Filesize

      408KB

    • memory/2600-186-0x000000000BE00000-0x000000000BE50000-memory.dmp
      Filesize

      320KB

    • memory/2600-187-0x000000000C020000-0x000000000C1E2000-memory.dmp
      Filesize

      1.8MB

    • memory/2600-188-0x0000000005180000-0x0000000005190000-memory.dmp
      Filesize

      64KB

    • memory/3156-161-0x0000000000820000-0x000000000082A000-memory.dmp
      Filesize

      40KB