Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b4c0e5846698d9123d9e2372255f7ad26b4f7dcad10af96c8eceb2e20a3a1c1.exe

  • Size

    739KB

  • MD5

    0a534cb2cd92e1aec6a499ce81a96f69

  • SHA1

    141b40bfb143e50635cbf27fb00c1497342ff864

  • SHA256

    2b4c0e5846698d9123d9e2372255f7ad26b4f7dcad10af96c8eceb2e20a3a1c1

  • SHA512

    d8b9a6fcd2d590517250b720d1905f482a4ed8534f39c2d07c540c9d9c3c1bba333ce7b710004aa404a06b2517f0fb8d335a35295fe91e90283ff4ef04a985cc

  • SSDEEP

    12288:yMrqy9075/bfpVL+6R4sgSMCWHHjfNrzNWB000eVgwdzMQk2wIwswLa:0ykVxFhMCiHjf5z8+01OeMdmwO

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b4c0e5846698d9123d9e2372255f7ad26b4f7dcad10af96c8eceb2e20a3a1c1.exe
    "C:\Users\Admin\AppData\Local\Temp\2b4c0e5846698d9123d9e2372255f7ad26b4f7dcad10af96c8eceb2e20a3a1c1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0057416.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0057416.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3993417.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3993417.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3793545.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3793545.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1836
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4982016.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4982016.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3232
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6280654.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6280654.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1872
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3816
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 140
              6⤵
              • Program crash
              PID:4764
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2830383.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2830383.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1872 -ip 1872
    1⤵
      PID:216

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0057416.exe
      Filesize

      532KB

      MD5

      560cfd601a5a6bc506080ae404a602f3

      SHA1

      22b21253a5a989886db1f8d4ca5d92dd85fa7e17

      SHA256

      a9bcf46533974d473a4c19f51722f5e237074cfc3f51697ec9b2d637c1bc3aad

      SHA512

      a52e07f66c28881a4c60a8229e571f7333d263e9038e85d7a8eeffbfd17dd3bd3f3756a6047de14437c2e5a44582ab492345a85b4ca9a3692c76c65bc0f17d06

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0057416.exe
      Filesize

      532KB

      MD5

      560cfd601a5a6bc506080ae404a602f3

      SHA1

      22b21253a5a989886db1f8d4ca5d92dd85fa7e17

      SHA256

      a9bcf46533974d473a4c19f51722f5e237074cfc3f51697ec9b2d637c1bc3aad

      SHA512

      a52e07f66c28881a4c60a8229e571f7333d263e9038e85d7a8eeffbfd17dd3bd3f3756a6047de14437c2e5a44582ab492345a85b4ca9a3692c76c65bc0f17d06

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3993417.exe
      Filesize

      359KB

      MD5

      261b349bda315f796ae924e4dbafce10

      SHA1

      9489e308a728cb0f13f7905b00b9b35c3ee0a6a4

      SHA256

      a67de6982b10a753755a5ad2ceb714468006f6ed0d0cd5ad7c3168d2a3a9b556

      SHA512

      67deacb93039db8f357a74f01a753379dba2a525cd717b30c0ef7bc46627c41f902e04936a77b1b19d8c31deb50c0129bc59ae7f2f85a8aa2617b3d0a001fce6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3993417.exe
      Filesize

      359KB

      MD5

      261b349bda315f796ae924e4dbafce10

      SHA1

      9489e308a728cb0f13f7905b00b9b35c3ee0a6a4

      SHA256

      a67de6982b10a753755a5ad2ceb714468006f6ed0d0cd5ad7c3168d2a3a9b556

      SHA512

      67deacb93039db8f357a74f01a753379dba2a525cd717b30c0ef7bc46627c41f902e04936a77b1b19d8c31deb50c0129bc59ae7f2f85a8aa2617b3d0a001fce6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2830383.exe
      Filesize

      172KB

      MD5

      ce6f544c8e9ef9052196ed735bcf48dd

      SHA1

      bdc535f618e38866b81d8fcbff318d8f69a978be

      SHA256

      9eb6bd9ae08152f8c69cebdb273adff1ea2cae59fd0d575013e0b483a935cd1b

      SHA512

      d79f025e658462b35a6e4961d503b9acccff6b16c220df5f51fee50de398a3667497721625ef046f1aecd8a5d75323f165d4874e834408a12ca9fb4efee4bebb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2830383.exe
      Filesize

      172KB

      MD5

      ce6f544c8e9ef9052196ed735bcf48dd

      SHA1

      bdc535f618e38866b81d8fcbff318d8f69a978be

      SHA256

      9eb6bd9ae08152f8c69cebdb273adff1ea2cae59fd0d575013e0b483a935cd1b

      SHA512

      d79f025e658462b35a6e4961d503b9acccff6b16c220df5f51fee50de398a3667497721625ef046f1aecd8a5d75323f165d4874e834408a12ca9fb4efee4bebb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3793545.exe
      Filesize

      204KB

      MD5

      41ef8fdcbfc8408812afc32518a964ec

      SHA1

      85efcb7da7ebde71a09a6b62e592af0ec29d55bd

      SHA256

      3ad90962f37e1fd3882ec6e5b751cc832987733dac54548ac4cdfaddc50b5a88

      SHA512

      2911372edec85e15ce2c053f253268a71ea574207639e1954532066835f875a27dc852773fb4c77023ba39705fab4a00c943f6064f39893affa8b2f4d3ce6966

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3793545.exe
      Filesize

      204KB

      MD5

      41ef8fdcbfc8408812afc32518a964ec

      SHA1

      85efcb7da7ebde71a09a6b62e592af0ec29d55bd

      SHA256

      3ad90962f37e1fd3882ec6e5b751cc832987733dac54548ac4cdfaddc50b5a88

      SHA512

      2911372edec85e15ce2c053f253268a71ea574207639e1954532066835f875a27dc852773fb4c77023ba39705fab4a00c943f6064f39893affa8b2f4d3ce6966

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4982016.exe
      Filesize

      13KB

      MD5

      64fef4cf6fc7cd982c1e3967385b6dc8

      SHA1

      30f307ad0ff6a2bf5c90743f09fb2b53705e9660

      SHA256

      f7ce92d9f78ff144184570d99e5951f58f6f3b8bcab899f785cea40643e43243

      SHA512

      b4875804448ce8d04f4b4138cf4228f25986f6e84bd0523706a4283def46be864ba07584019afbb7e52cb0b2dc997de0288f7062962c11a8515d12f1c1f0119c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4982016.exe
      Filesize

      13KB

      MD5

      64fef4cf6fc7cd982c1e3967385b6dc8

      SHA1

      30f307ad0ff6a2bf5c90743f09fb2b53705e9660

      SHA256

      f7ce92d9f78ff144184570d99e5951f58f6f3b8bcab899f785cea40643e43243

      SHA512

      b4875804448ce8d04f4b4138cf4228f25986f6e84bd0523706a4283def46be864ba07584019afbb7e52cb0b2dc997de0288f7062962c11a8515d12f1c1f0119c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6280654.exe
      Filesize

      120KB

      MD5

      6016a2fcdd2f1573842a6eeee63bbc66

      SHA1

      21e57f9fc5981098ab7380fc0a10233138f38996

      SHA256

      8ae6100ef275de8a5e65855f3d31affa515ed886b9b94bd15912eaabfe406443

      SHA512

      0ea701e3c1a047b6d2c82b701c875bd9719b94e22ca7ca4d0b6b557255f0ab59ff7b60a8a496508f1ebf930abd3ee59d6960fc45e9fbd99cb48bb7c50eebd42e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6280654.exe
      Filesize

      120KB

      MD5

      6016a2fcdd2f1573842a6eeee63bbc66

      SHA1

      21e57f9fc5981098ab7380fc0a10233138f38996

      SHA256

      8ae6100ef275de8a5e65855f3d31affa515ed886b9b94bd15912eaabfe406443

      SHA512

      0ea701e3c1a047b6d2c82b701c875bd9719b94e22ca7ca4d0b6b557255f0ab59ff7b60a8a496508f1ebf930abd3ee59d6960fc45e9fbd99cb48bb7c50eebd42e

      Download Submit
    • memory/3232-161-0x0000000000AB0000-0x0000000000ABA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3420-175-0x0000000000FB0000-0x0000000000FE0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3420-182-0x0000000005860000-0x0000000005870000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3420-176-0x0000000006090000-0x00000000066A8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3420-177-0x0000000005B80000-0x0000000005C8A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3420-178-0x0000000005840000-0x0000000005852000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3420-179-0x0000000005AB0000-0x0000000005AEC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3420-180-0x0000000005860000-0x0000000005870000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3420-189-0x0000000006B30000-0x0000000006B80000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3420-183-0x0000000002FF0000-0x0000000003066000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3420-184-0x0000000005970000-0x0000000005A02000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3420-185-0x0000000007050000-0x00000000075F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3420-186-0x0000000003070000-0x00000000030D6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3420-187-0x0000000006E70000-0x0000000007032000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3420-188-0x0000000009220000-0x000000000974C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3816-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download