Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 13:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa.exe

  • Size

    738KB

  • MD5

    a6e092032d6863b2526c26a205477a84

  • SHA1

    b1d8b8cfcc1edda4a3a8dc4ceac46e16297351b4

  • SHA256

    6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa

  • SHA512

    a1311c4fa4844ef3cbe9d557b8c9326e39deea1fa087fab203ff894d1d25cc161600be9d7e9d99900e78af3d268cae8ba7eaadca0115050d934dc04bab435eaf

  • SSDEEP

    12288:nMrjy90xzPTmiEJ+5JK0ClOBaKia+hZ2om0qmM0kQU1y8CahJsDzM7j4NiHnNdX:cy4zPTmh053ClxatOnmD3sE7j4Nif

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa.exe
    "C:\Users\Admin\AppData\Local\Temp\6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8408361.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8408361.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1242347.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1242347.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0838208.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0838208.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5588497.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5588497.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2192
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0038645.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0038645.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4172
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1872
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 140
              6⤵
              • Program crash
              PID:1136
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8050572.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8050572.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4240
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4172 -ip 4172
    1⤵
      PID:4372

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8408361.exe
      Filesize

      531KB

      MD5

      d0520ea6ebd3012ac98072195ab6beec

      SHA1

      77f46d54e8eb0cac816f0604ba7450f0385bc777

      SHA256

      1ec6d44258ab366fa6a6c1d1e8ca4bcaf2ae08621281d0a998023be7e6b0f6e5

      SHA512

      3f6ed5937cdb91fecb312e935d6310706b19e990c0e8f471313d81d693784f861d1e0cd09e958c1c99b1dda7f7978bd666ce45a76f64f30bca45277327b0dce9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8408361.exe
      Filesize

      531KB

      MD5

      d0520ea6ebd3012ac98072195ab6beec

      SHA1

      77f46d54e8eb0cac816f0604ba7450f0385bc777

      SHA256

      1ec6d44258ab366fa6a6c1d1e8ca4bcaf2ae08621281d0a998023be7e6b0f6e5

      SHA512

      3f6ed5937cdb91fecb312e935d6310706b19e990c0e8f471313d81d693784f861d1e0cd09e958c1c99b1dda7f7978bd666ce45a76f64f30bca45277327b0dce9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1242347.exe
      Filesize

      359KB

      MD5

      c4000fbe64c5542773e6c764f41c5a3b

      SHA1

      5575fa3e4502553815f2b26bdb279fefc69ce34d

      SHA256

      3ce6f37758bc1c708ad11edd878453485512ad6357dc4e55f3897a843a79b193

      SHA512

      71d05bacda6047b43dcfde944fae3cb92c9274bda2e39342861eaec88b4e3ace0225efe58d206543127b744cc433e5d8f8ef407570152ec0fad461c72bcc0607

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1242347.exe
      Filesize

      359KB

      MD5

      c4000fbe64c5542773e6c764f41c5a3b

      SHA1

      5575fa3e4502553815f2b26bdb279fefc69ce34d

      SHA256

      3ce6f37758bc1c708ad11edd878453485512ad6357dc4e55f3897a843a79b193

      SHA512

      71d05bacda6047b43dcfde944fae3cb92c9274bda2e39342861eaec88b4e3ace0225efe58d206543127b744cc433e5d8f8ef407570152ec0fad461c72bcc0607

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8050572.exe
      Filesize

      172KB

      MD5

      3aa0c0354a38ae841c7f876df830cf51

      SHA1

      777ec7fa72c4a0766bb4565a1dcc5a9a2d2438c3

      SHA256

      84e57261462ec8bc4766511d432b15298105877213992c934f33374314ed6694

      SHA512

      50f6a06ee2549290b291ca25a8ddbe484aef8ad94465327b78e6ce0bb39b4fea1b476792d66a343ed52dd95ef62f3175310a695bb0f15c8e8528a36795f09a5b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8050572.exe
      Filesize

      172KB

      MD5

      3aa0c0354a38ae841c7f876df830cf51

      SHA1

      777ec7fa72c4a0766bb4565a1dcc5a9a2d2438c3

      SHA256

      84e57261462ec8bc4766511d432b15298105877213992c934f33374314ed6694

      SHA512

      50f6a06ee2549290b291ca25a8ddbe484aef8ad94465327b78e6ce0bb39b4fea1b476792d66a343ed52dd95ef62f3175310a695bb0f15c8e8528a36795f09a5b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0838208.exe
      Filesize

      204KB

      MD5

      ff7d2def9cfc51d701e4d0edd08cb6c7

      SHA1

      f0e03def4b451d9a34d8683bc5454b089412fafe

      SHA256

      01d9223d55369cf59cf9d7403c975dfca6e1cca790e904e41f18c53721f8459a

      SHA512

      2657498898c9736db74801f3a869f1fa7cccb9e6a9d3cac1eb59ff1c2235267a28e3110ad2bc7b9d3ed6bc979a642b78749611fca00adf26b1b9a00fc61753bc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0838208.exe
      Filesize

      204KB

      MD5

      ff7d2def9cfc51d701e4d0edd08cb6c7

      SHA1

      f0e03def4b451d9a34d8683bc5454b089412fafe

      SHA256

      01d9223d55369cf59cf9d7403c975dfca6e1cca790e904e41f18c53721f8459a

      SHA512

      2657498898c9736db74801f3a869f1fa7cccb9e6a9d3cac1eb59ff1c2235267a28e3110ad2bc7b9d3ed6bc979a642b78749611fca00adf26b1b9a00fc61753bc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5588497.exe
      Filesize

      13KB

      MD5

      5820ec43b01659b39e500c7265a72ff1

      SHA1

      12635061fd3962cbc36afeed146a8ecaae6116d1

      SHA256

      c5d3a2b5b88a9d2198f942772923effbb775b9199449179e6ccbc47fc2bc2cae

      SHA512

      4f8d8c2e3c5f58f8aa9649ff4adb8b11c15c3121f0890e679f46a3639e9fccaf39fd4c669c680934df4a748505d5487e463c3419a6796bc5f498f89b2ded7bd6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5588497.exe
      Filesize

      13KB

      MD5

      5820ec43b01659b39e500c7265a72ff1

      SHA1

      12635061fd3962cbc36afeed146a8ecaae6116d1

      SHA256

      c5d3a2b5b88a9d2198f942772923effbb775b9199449179e6ccbc47fc2bc2cae

      SHA512

      4f8d8c2e3c5f58f8aa9649ff4adb8b11c15c3121f0890e679f46a3639e9fccaf39fd4c669c680934df4a748505d5487e463c3419a6796bc5f498f89b2ded7bd6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0038645.exe
      Filesize

      120KB

      MD5

      a4dc27de06ac2f262981e05c54c09c23

      SHA1

      78861e5d74076493cec31bf21fb7d84ff29fe45e

      SHA256

      8faae76d80764561c7c682e8293b4957fbdc58665eee1b33d730770214c61d33

      SHA512

      d1f14625497970effe80ee0cda62948a14d9f0b810a691e07d0f8dc0177cb96286cd86d880065dda61604c36c22d3f58b9450c734be46fc82234a23625d40e76

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0038645.exe
      Filesize

      120KB

      MD5

      a4dc27de06ac2f262981e05c54c09c23

      SHA1

      78861e5d74076493cec31bf21fb7d84ff29fe45e

      SHA256

      8faae76d80764561c7c682e8293b4957fbdc58665eee1b33d730770214c61d33

      SHA512

      d1f14625497970effe80ee0cda62948a14d9f0b810a691e07d0f8dc0177cb96286cd86d880065dda61604c36c22d3f58b9450c734be46fc82234a23625d40e76

      Download Submit
    • memory/1872-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2192-161-0x00000000008F0000-0x00000000008FA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4240-175-0x0000000000C40000-0x0000000000C70000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4240-176-0x0000000005BE0000-0x00000000061F8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4240-177-0x00000000056D0000-0x00000000057DA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4240-178-0x0000000005590000-0x00000000055A2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4240-179-0x0000000005600000-0x000000000563C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4240-180-0x00000000055B0000-0x00000000055C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4240-181-0x0000000005910000-0x0000000005986000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4240-182-0x0000000005A30000-0x0000000005AC2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4240-183-0x0000000005990000-0x00000000059F6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4240-184-0x0000000006CA0000-0x0000000007244000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4240-186-0x0000000006750000-0x00000000067A0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4240-187-0x0000000006AA0000-0x0000000006C62000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4240-188-0x0000000008E70000-0x000000000939C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4240-189-0x00000000055B0000-0x00000000055C0000-memory.dmp
      Filesize

      64KB

      Download