Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 13:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe

  • Size

    739KB

  • MD5

    3684c8be1f7b0e3dbcfdfea2e86bb30b

  • SHA1

    0cf3c61103cdeb25af3f1a0b1d9b16f7a96c5939

  • SHA256

    3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d

  • SHA512

    2e7c56b2bf8accef8b7503d603e6a87c43020b6882dfa31962af7ccfe07071043f4497baf784018924cbc96060e306d070aa13e8c8139393a05641c3d804f0bf

  • SSDEEP

    12288:aMrsy90O1K4Nec7SqvZw8wnJ2Q2GNuolfps1j0zlyQqDMLdiDs:6yJjNeepfwJ2GU56yrD0diDs

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe
    "C:\Users\Admin\AppData\Local\Temp\3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9846025.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9846025.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2680905.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2680905.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4452
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7361371.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7361371.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4644
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0985244.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0985244.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0952475.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0952475.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3432
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:872
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 148
              6⤵
              • Program crash
              PID:4440
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2655409.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2655409.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4860
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3432 -ip 3432
    1⤵
      PID:3944

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9846025.exe
      Filesize

      532KB

      MD5

      78373fccf6adeb4700a6f6def7aca89c

      SHA1

      3f6c2c20f9f114362020ac5330dae1f3ae14fa8c

      SHA256

      40c2336445e68b6f470a45fe6a4fa417dffdb4adff86ee1dc5b47e8c53fccd24

      SHA512

      6eaa462b7fb3774c43f8aab883d2f88e5d8bddb02cda1a7c84bfaf8c41da8b866bb1e83562af182552ef238c2b1daf94217bd816ea3bf44f5c1146e5500b3df5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9846025.exe
      Filesize

      532KB

      MD5

      78373fccf6adeb4700a6f6def7aca89c

      SHA1

      3f6c2c20f9f114362020ac5330dae1f3ae14fa8c

      SHA256

      40c2336445e68b6f470a45fe6a4fa417dffdb4adff86ee1dc5b47e8c53fccd24

      SHA512

      6eaa462b7fb3774c43f8aab883d2f88e5d8bddb02cda1a7c84bfaf8c41da8b866bb1e83562af182552ef238c2b1daf94217bd816ea3bf44f5c1146e5500b3df5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2680905.exe
      Filesize

      359KB

      MD5

      c60e37579b0a4d9f7f64d5738ea84412

      SHA1

      c422105bb3cdc46e5d0c7bcbbd393e24e2b20ad0

      SHA256

      2a39b9fda983ef69e946f955f98cc39bdc7b56eb7dd49116665b8564d917384d

      SHA512

      96b9f6e7eb34271941e971c4404fb923cbb5b3ae8b7105c9e8faa3065a58882e69f6cb634f0143567bf043aec11304149b6971316b6f20f748a25e31763ef995

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2680905.exe
      Filesize

      359KB

      MD5

      c60e37579b0a4d9f7f64d5738ea84412

      SHA1

      c422105bb3cdc46e5d0c7bcbbd393e24e2b20ad0

      SHA256

      2a39b9fda983ef69e946f955f98cc39bdc7b56eb7dd49116665b8564d917384d

      SHA512

      96b9f6e7eb34271941e971c4404fb923cbb5b3ae8b7105c9e8faa3065a58882e69f6cb634f0143567bf043aec11304149b6971316b6f20f748a25e31763ef995

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2655409.exe
      Filesize

      172KB

      MD5

      61e020d914cd540eb0f5f8cc51fc4b1d

      SHA1

      4c24cbd2af6bc64f8dcd105cf2740b73e8922880

      SHA256

      cbd8b131aec0655a00655015e14086086629ab69f84c113beacf31b9ec9f4e55

      SHA512

      eeb383e975f14e333c2b9801b9b426f31d0ebb54982df907a270c8eacca0c2a854a70b5353a4e8351ca1154b8f41d47aca4c6b39e2e200109bdeb6f1b060ca40

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2655409.exe
      Filesize

      172KB

      MD5

      61e020d914cd540eb0f5f8cc51fc4b1d

      SHA1

      4c24cbd2af6bc64f8dcd105cf2740b73e8922880

      SHA256

      cbd8b131aec0655a00655015e14086086629ab69f84c113beacf31b9ec9f4e55

      SHA512

      eeb383e975f14e333c2b9801b9b426f31d0ebb54982df907a270c8eacca0c2a854a70b5353a4e8351ca1154b8f41d47aca4c6b39e2e200109bdeb6f1b060ca40

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7361371.exe
      Filesize

      204KB

      MD5

      568e508481c949fee9347810d2e929f5

      SHA1

      5f0202130d11a27b3ce9066fe0350e448c750cda

      SHA256

      e655e3fcfdc98cca37600c11404e3b9878733e62daed4dafbc029e08a2afe5e1

      SHA512

      a9437ebd594a40189e80451d932bc1da7f666ea3dc5bd19f8f42bce0f2a117ba2fbc19ece8ca16e538a3ea6ec42ba820383c7b696c769a66527997c1a796bc04

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7361371.exe
      Filesize

      204KB

      MD5

      568e508481c949fee9347810d2e929f5

      SHA1

      5f0202130d11a27b3ce9066fe0350e448c750cda

      SHA256

      e655e3fcfdc98cca37600c11404e3b9878733e62daed4dafbc029e08a2afe5e1

      SHA512

      a9437ebd594a40189e80451d932bc1da7f666ea3dc5bd19f8f42bce0f2a117ba2fbc19ece8ca16e538a3ea6ec42ba820383c7b696c769a66527997c1a796bc04

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0985244.exe
      Filesize

      13KB

      MD5

      a5200aa1bed495e0197d2163c121ad27

      SHA1

      f7c21f834fd0707365a56562dda15afc431c18c8

      SHA256

      e5ae8bdf1bb21eace1605a02ce634ba59062e06ab8aaa39e92e5829a9d0cd2ce

      SHA512

      55544375698e267e2b8ccf02f5cde11b032001e0706793b87fbb5b20eddde97536d275849d31dfd93114d681b76cec89be08d1252b243061ca9de02d6aaf2cc9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0985244.exe
      Filesize

      13KB

      MD5

      a5200aa1bed495e0197d2163c121ad27

      SHA1

      f7c21f834fd0707365a56562dda15afc431c18c8

      SHA256

      e5ae8bdf1bb21eace1605a02ce634ba59062e06ab8aaa39e92e5829a9d0cd2ce

      SHA512

      55544375698e267e2b8ccf02f5cde11b032001e0706793b87fbb5b20eddde97536d275849d31dfd93114d681b76cec89be08d1252b243061ca9de02d6aaf2cc9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0952475.exe
      Filesize

      120KB

      MD5

      f73b37c658a9bef2f302107ff25e59de

      SHA1

      47a975a00013f724b0dade7ba5cf51cc8b539957

      SHA256

      f6fd85c07723e1a8a8e026903509921d43e036fde97696b67ca7c4dfde32280b

      SHA512

      cd193e93e45868b6fcf99187406ddeb39f06532f81cea24b17efafdcca16fbf60fa6b6e97989e26c6e3089fcaa68f0e0b081d4ff3af236317193c45bebbca8fd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0952475.exe
      Filesize

      120KB

      MD5

      f73b37c658a9bef2f302107ff25e59de

      SHA1

      47a975a00013f724b0dade7ba5cf51cc8b539957

      SHA256

      f6fd85c07723e1a8a8e026903509921d43e036fde97696b67ca7c4dfde32280b

      SHA512

      cd193e93e45868b6fcf99187406ddeb39f06532f81cea24b17efafdcca16fbf60fa6b6e97989e26c6e3089fcaa68f0e0b081d4ff3af236317193c45bebbca8fd

      Download Submit
    • memory/872-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2172-161-0x0000000000AA0000-0x0000000000AAA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4860-175-0x0000000000F30000-0x0000000000F60000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4860-176-0x000000000B210000-0x000000000B828000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4860-177-0x000000000AD70000-0x000000000AE7A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4860-178-0x000000000ACB0000-0x000000000ACC2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4860-179-0x000000000AD10000-0x000000000AD4C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4860-180-0x0000000005760000-0x0000000005770000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4860-181-0x000000000B020000-0x000000000B096000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4860-182-0x000000000B140000-0x000000000B1D2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4860-183-0x000000000BDE0000-0x000000000C384000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4860-184-0x000000000B930000-0x000000000B996000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4860-186-0x000000000BD70000-0x000000000BDC0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4860-187-0x0000000005760000-0x0000000005770000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4860-188-0x000000000C660000-0x000000000C822000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4860-189-0x000000000CD60000-0x000000000D28C000-memory.dmp
      Filesize

      5.2MB

      Download