Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2023, 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe

  • Size

    738KB

  • MD5

    f634793c58e32402a29c27eed52abe14

  • SHA1

    81eb03cf0815ce31017e1bd37ac0f859f520f14c

  • SHA256

    f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60

  • SHA512

    8e739445af721fdda21f362d49cdf6a2bf61560b6af85bfbbd64b72c06d4a51cbf0ff44eface619c0aca6d8b785d6ef473dd4a3cacbbfb461d8c9565d91fc30f

  • SSDEEP

    12288:VMrHy90we9cWZFNaYGEP4+6KPbJtA0xE1UnIM42l1pYTcDxxUPKjhr6SK1r1:WyY3ZqYG7stAvUnIM4lYIPKjl6H1Z

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe
    "C:\Users\Admin\AppData\Local\Temp\f0e91b5625708f63a08390c23ace26004725476b5c679198241f6282a5e43e60.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4575467.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4575467.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6662005.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6662005.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9717969.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9717969.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:388
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4604310.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4604310.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2648
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2328
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 560
              6⤵
              • Program crash
              PID:3920
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5753626.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5753626.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2032
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7776077.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7776077.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4832
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2648 -ip 2648
    1⤵
      PID:4532

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4575467.exe
      Filesize

      531KB

      MD5

      8730e98b94bcd0f2e6e14148f80d40bc

      SHA1

      7db7a9f6883ed40306672a854ee76915336f30ae

      SHA256

      f68554594ec7e11056ee93b4ee9dc5c4582e37fb904163bf7dad252b784e4b30

      SHA512

      116578a2032c96224cd0c1fa83cbf2b55250cbf74e50909e76cf58dbbc4ea9a02d0b692c057d0ab94411fbf494ab071a21d65c30b5937382ba662954249a32d4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4575467.exe
      Filesize

      531KB

      MD5

      8730e98b94bcd0f2e6e14148f80d40bc

      SHA1

      7db7a9f6883ed40306672a854ee76915336f30ae

      SHA256

      f68554594ec7e11056ee93b4ee9dc5c4582e37fb904163bf7dad252b784e4b30

      SHA512

      116578a2032c96224cd0c1fa83cbf2b55250cbf74e50909e76cf58dbbc4ea9a02d0b692c057d0ab94411fbf494ab071a21d65c30b5937382ba662954249a32d4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6662005.exe
      Filesize

      359KB

      MD5

      10a396856099f237d80da3b18b4ad71f

      SHA1

      b0af77f9f9fa47c1f13acf7220367f8cf156b0ea

      SHA256

      b9de37e9e4670e982be798711de45d3612805752080c47c29b6bcd6d4b10d55f

      SHA512

      ae73e2f828fb931f78736d086f8e9781e5940a57bd92cee9aa5166dfb4ea8a046b82e9e439d9337f882c75398c580d67d13d228f497c66c1d104508a9cfd7d3b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6662005.exe
      Filesize

      359KB

      MD5

      10a396856099f237d80da3b18b4ad71f

      SHA1

      b0af77f9f9fa47c1f13acf7220367f8cf156b0ea

      SHA256

      b9de37e9e4670e982be798711de45d3612805752080c47c29b6bcd6d4b10d55f

      SHA512

      ae73e2f828fb931f78736d086f8e9781e5940a57bd92cee9aa5166dfb4ea8a046b82e9e439d9337f882c75398c580d67d13d228f497c66c1d104508a9cfd7d3b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7776077.exe
      Filesize

      172KB

      MD5

      98b7a229e10a9b04d2ede40124fc2221

      SHA1

      8efb2256d2c267cc152d54887e64854314462797

      SHA256

      42845aed315f191fed05d14004b9296ad0acee246cb8f21642b9a43efae8e63d

      SHA512

      ed09af41f8df242d262cdcea97330fd7b32f2777e5a5b5deeb36fad8dd9d227f23c9ac2ecc5c88e2707894437af32f85b714860740543e5c651166fa2d4ef158

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7776077.exe
      Filesize

      172KB

      MD5

      98b7a229e10a9b04d2ede40124fc2221

      SHA1

      8efb2256d2c267cc152d54887e64854314462797

      SHA256

      42845aed315f191fed05d14004b9296ad0acee246cb8f21642b9a43efae8e63d

      SHA512

      ed09af41f8df242d262cdcea97330fd7b32f2777e5a5b5deeb36fad8dd9d227f23c9ac2ecc5c88e2707894437af32f85b714860740543e5c651166fa2d4ef158

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9717969.exe
      Filesize

      203KB

      MD5

      198fd07c6445abd12e0c96cca28a542a

      SHA1

      11ddef31934e1030f0b2c2bc74345a2ff7b922bc

      SHA256

      b3bbc428e61c05f8964c55f843f52c2d4d49b1fc520df633a47d5a4e61ae9b5e

      SHA512

      8983e8dff69099f131e440337985716b1a4497c1fcb30113857a74754dd780f0534b2ac7b99df79942e836e14536000989174fa5e8511475037704168a7b822e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9717969.exe
      Filesize

      203KB

      MD5

      198fd07c6445abd12e0c96cca28a542a

      SHA1

      11ddef31934e1030f0b2c2bc74345a2ff7b922bc

      SHA256

      b3bbc428e61c05f8964c55f843f52c2d4d49b1fc520df633a47d5a4e61ae9b5e

      SHA512

      8983e8dff69099f131e440337985716b1a4497c1fcb30113857a74754dd780f0534b2ac7b99df79942e836e14536000989174fa5e8511475037704168a7b822e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4604310.exe
      Filesize

      120KB

      MD5

      d53eed66cc91b6e6a17ef4dbd48941db

      SHA1

      4b569408824995114d9f2345aa59ba4cfe0b57c6

      SHA256

      65924c1f0f7e318fd20f382547391cb746bb9e2a621e54726608279a25190780

      SHA512

      b9298e62a019c16c1d3388a75ee85614194c80db8eec754cf6eb7dd562a546606714e1528d513d9d025b9e0225d0c8c161122d822e67524b506d950e7d0204bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j4604310.exe
      Filesize

      120KB

      MD5

      d53eed66cc91b6e6a17ef4dbd48941db

      SHA1

      4b569408824995114d9f2345aa59ba4cfe0b57c6

      SHA256

      65924c1f0f7e318fd20f382547391cb746bb9e2a621e54726608279a25190780

      SHA512

      b9298e62a019c16c1d3388a75ee85614194c80db8eec754cf6eb7dd562a546606714e1528d513d9d025b9e0225d0c8c161122d822e67524b506d950e7d0204bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5753626.exe
      Filesize

      14KB

      MD5

      29b0bb8fb33fe5ab4397c86f17eab2b9

      SHA1

      3237d20992f9345c386323bce9831f506dce92e7

      SHA256

      9e991c7b04387247d471ef52fe006ac6d7a1586069745c5215cd1b71093336db

      SHA512

      d736110fe5b22cc1ecc7d4cdde356612cb595a737c34e39ebf64fc2fade55eb841390c01a092a6f4da897994e71f60a30f62879eb9827828bad945dfc8e538b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5753626.exe
      Filesize

      14KB

      MD5

      29b0bb8fb33fe5ab4397c86f17eab2b9

      SHA1

      3237d20992f9345c386323bce9831f506dce92e7

      SHA256

      9e991c7b04387247d471ef52fe006ac6d7a1586069745c5215cd1b71093336db

      SHA512

      d736110fe5b22cc1ecc7d4cdde356612cb595a737c34e39ebf64fc2fade55eb841390c01a092a6f4da897994e71f60a30f62879eb9827828bad945dfc8e538b0

      Download Submit

    • memory/2032-170-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2328-162-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4832-176-0x0000000000B40000-0x0000000000B70000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4832-177-0x000000000AF90000-0x000000000B5A8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4832-178-0x000000000AAC0000-0x000000000ABCA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4832-179-0x000000000AA00000-0x000000000AA12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4832-180-0x00000000054E0000-0x00000000054F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4832-181-0x000000000AA60000-0x000000000AA9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4832-182-0x000000000AD70000-0x000000000ADE6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4832-183-0x000000000AE90000-0x000000000AF22000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4832-184-0x000000000ADF0000-0x000000000AE56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4832-185-0x000000000BF60000-0x000000000C504000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4832-186-0x000000000BD40000-0x000000000BF02000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4832-187-0x000000000CA40000-0x000000000CF6C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4832-188-0x000000000BCA0000-0x000000000BCF0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4832-189-0x00000000054E0000-0x00000000054F0000-memory.dmp

      Filesize

      64KB

      Download