Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7.exe

  • Size

    739KB

  • MD5

    e7ff2a2862cde8845e711eb5a132c41f

  • SHA1

    966f8457dc3a809606bcb4dac709cafc64cd6c02

  • SHA256

    5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7

  • SHA512

    4fb5e0e90858532903cfbe90e3f449ce7a69e9921bed5d43e9973612bb50abf1e1a158773eddbfbee959e8e62754f759f48ad674b80b48ae369d31f8b989f660

  • SSDEEP

    12288:8MrYy90o0Y7Py/kaUvYYlkuMgHmkiUHPL4ZKpOxJrow97Ie8YECJ+vtz:Uyfl7Pwka2zlkuMgGkiqPLmK8xT90+Eh

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7.exe
    "C:\Users\Admin\AppData\Local\Temp\5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3063723.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3063723.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2454168.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2454168.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3284
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9154372.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9154372.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:400
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8185444.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8185444.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3468
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7296296.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7296296.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4896
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:244
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 560
              6⤵
              • Program crash
              PID:4300
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5646205.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5646205.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3980
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4896 -ip 4896
    1⤵
      PID:4112

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3063723.exe
      Filesize

      532KB

      MD5

      6fa4f5eaf83761cd32091a56e0366376

      SHA1

      24fb85f54bc94f87b2b43db91d7277b65f1e777e

      SHA256

      5fa75efc47cfb998041c0df19cf100fced7d97017dcc3db877a168de34025ef8

      SHA512

      36fc00d03072c985e1a46f82ff383c9f50e0163b033739a4a9555ab4b65fc315aacbefafe1d0f42107daa849fd9efada7a31e05094bdd7a02d2d62e20a2eca1b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3063723.exe
      Filesize

      532KB

      MD5

      6fa4f5eaf83761cd32091a56e0366376

      SHA1

      24fb85f54bc94f87b2b43db91d7277b65f1e777e

      SHA256

      5fa75efc47cfb998041c0df19cf100fced7d97017dcc3db877a168de34025ef8

      SHA512

      36fc00d03072c985e1a46f82ff383c9f50e0163b033739a4a9555ab4b65fc315aacbefafe1d0f42107daa849fd9efada7a31e05094bdd7a02d2d62e20a2eca1b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2454168.exe
      Filesize

      359KB

      MD5

      52d15d939bfa4ed6866e3260f302484a

      SHA1

      6197f0fdcca96e1ac20ce96b2878804d24b37d9a

      SHA256

      878d54de9d1ef033464bc10e8862b651d560de3fda79d35b157f53ef0b9ade87

      SHA512

      b674df3b6535ec17b9f3d5ebd39e3a49a79e4d2a1d92434febef2332362087935559a54782d9e69cadcca5f03be175cee74f4ae92fd5bab5de48aaff4fe32e98

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2454168.exe
      Filesize

      359KB

      MD5

      52d15d939bfa4ed6866e3260f302484a

      SHA1

      6197f0fdcca96e1ac20ce96b2878804d24b37d9a

      SHA256

      878d54de9d1ef033464bc10e8862b651d560de3fda79d35b157f53ef0b9ade87

      SHA512

      b674df3b6535ec17b9f3d5ebd39e3a49a79e4d2a1d92434febef2332362087935559a54782d9e69cadcca5f03be175cee74f4ae92fd5bab5de48aaff4fe32e98

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5646205.exe
      Filesize

      172KB

      MD5

      956d31e1a454901056ab95e190025cf4

      SHA1

      7405ce885d08fd95f04ec78c7ee43712512e0290

      SHA256

      8b83f4bc090b82fe9e34bdefd8527e0af41ec0ad4c79276e9fab7707f6632df9

      SHA512

      491d939bd8628c83ac9eac844568bb5b8f5e751f044ff06087c7387013c2d76186beb6ffa7890d1fe4b885bf35ad53e8fb38d4395af381d19ab1625535f82d25

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5646205.exe
      Filesize

      172KB

      MD5

      956d31e1a454901056ab95e190025cf4

      SHA1

      7405ce885d08fd95f04ec78c7ee43712512e0290

      SHA256

      8b83f4bc090b82fe9e34bdefd8527e0af41ec0ad4c79276e9fab7707f6632df9

      SHA512

      491d939bd8628c83ac9eac844568bb5b8f5e751f044ff06087c7387013c2d76186beb6ffa7890d1fe4b885bf35ad53e8fb38d4395af381d19ab1625535f82d25

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9154372.exe
      Filesize

      204KB

      MD5

      f522c6a68f3934ad778cc2699a2361dc

      SHA1

      c8bbede701df2296a8511c76320968f435d74359

      SHA256

      ae49976c324b00e8b6777cb1bebb4fc0f65cc7fc0d435b37e7123ae019a5d75f

      SHA512

      9c58859d66bae3a37b5ef6065f827a78ae67c4f64c931ab5ec9b42c51ffba82ad90bcd4d97ecfbc1e737ab1dd4fc0e921b72b0b5163692484d575dc435f9d2fc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9154372.exe
      Filesize

      204KB

      MD5

      f522c6a68f3934ad778cc2699a2361dc

      SHA1

      c8bbede701df2296a8511c76320968f435d74359

      SHA256

      ae49976c324b00e8b6777cb1bebb4fc0f65cc7fc0d435b37e7123ae019a5d75f

      SHA512

      9c58859d66bae3a37b5ef6065f827a78ae67c4f64c931ab5ec9b42c51ffba82ad90bcd4d97ecfbc1e737ab1dd4fc0e921b72b0b5163692484d575dc435f9d2fc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8185444.exe
      Filesize

      13KB

      MD5

      9c1bb2b2bcffa6fa6c345504b5de9fef

      SHA1

      893b57742c9dd350f83d863317266180db8eff57

      SHA256

      b60fd433b016bbf901d13dc301addaba3bbdf8b31d415e019e7856014f755771

      SHA512

      97670def67d7b417488484271cd876dcce8c39b9eaec6f696e9da22ef320872a4b622cb5dd5d4d891162314c7f86c08c654177ca8f636025b3e37586a352e4ff

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8185444.exe
      Filesize

      13KB

      MD5

      9c1bb2b2bcffa6fa6c345504b5de9fef

      SHA1

      893b57742c9dd350f83d863317266180db8eff57

      SHA256

      b60fd433b016bbf901d13dc301addaba3bbdf8b31d415e019e7856014f755771

      SHA512

      97670def67d7b417488484271cd876dcce8c39b9eaec6f696e9da22ef320872a4b622cb5dd5d4d891162314c7f86c08c654177ca8f636025b3e37586a352e4ff

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7296296.exe
      Filesize

      120KB

      MD5

      ca82ab78203d1e5ed971d83e1b46ef5a

      SHA1

      3f2a2482f28b054d800ff3b9e6ccc22b1d0c9caf

      SHA256

      882b18a56b786e3f73c4da03aa3379e46ace7f767a79fb0ebd1ba784288d0754

      SHA512

      7005744a443f60b7d163030a8afdec3c9f523b389db9091a9748adcbedd44226d74cbf0eab00137b9d2ae3f0204f4bba49fccf229dfb00a42640b5579501f599

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7296296.exe
      Filesize

      120KB

      MD5

      ca82ab78203d1e5ed971d83e1b46ef5a

      SHA1

      3f2a2482f28b054d800ff3b9e6ccc22b1d0c9caf

      SHA256

      882b18a56b786e3f73c4da03aa3379e46ace7f767a79fb0ebd1ba784288d0754

      SHA512

      7005744a443f60b7d163030a8afdec3c9f523b389db9091a9748adcbedd44226d74cbf0eab00137b9d2ae3f0204f4bba49fccf229dfb00a42640b5579501f599

      Download Submit
    • memory/244-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3468-161-0x00000000002A0000-0x00000000002AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3980-175-0x0000000000A70000-0x0000000000AA0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3980-176-0x000000000AD50000-0x000000000B368000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3980-177-0x000000000A8B0000-0x000000000A9BA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3980-178-0x000000000A7F0000-0x000000000A802000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3980-179-0x000000000A850000-0x000000000A88C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3980-180-0x00000000053A0000-0x00000000053B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3980-181-0x000000000AC60000-0x000000000ACD6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3980-182-0x000000000B410000-0x000000000B4A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3980-183-0x000000000BA60000-0x000000000C004000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3980-184-0x000000000B370000-0x000000000B3D6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3980-186-0x000000000C1E0000-0x000000000C3A2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3980-187-0x000000000C8E0000-0x000000000CE0C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3980-188-0x00000000053A0000-0x00000000053B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3980-189-0x000000000C050000-0x000000000C0A0000-memory.dmp
      Filesize

      320KB

      Download