Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbcedc0103c49af7f41486ce288bde3494e61237a1a10b3c82652abe9b27fe19.exe

  • Size

    738KB

  • MD5

    20e036fe34492db89c534307af3a28ce

  • SHA1

    c1f2b31ad90e3386b6a4d91d7afa3dff7c29d645

  • SHA256

    bbcedc0103c49af7f41486ce288bde3494e61237a1a10b3c82652abe9b27fe19

  • SHA512

    305f8367e3487068448c68a80dc3bc65cf45a57b764c83ca565a656ae234dcde68ca9692a37bef29f491dab37f01c5c412727f7a5021ef3d4ce34e3cd80c53de

  • SSDEEP

    12288:BMr7y90SRF3rYJxVrvqxVLRKQKX8btTl0ChHir/A0jJbTZh7BVg:WyvjrYJx1OR28bj0UHAJbTJVg

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbcedc0103c49af7f41486ce288bde3494e61237a1a10b3c82652abe9b27fe19.exe
    "C:\Users\Admin\AppData\Local\Temp\bbcedc0103c49af7f41486ce288bde3494e61237a1a10b3c82652abe9b27fe19.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5162592.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5162592.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2949325.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2949325.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4688
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5519559.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5519559.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2016
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8993659.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8993659.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:400
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3379091.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3379091.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4200
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2716
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 152
              6⤵
              • Program crash
              PID:2468
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3530027.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3530027.exe
          4⤵
          • Executes dropped EXE
          PID:4840
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4200 -ip 4200
    1⤵
      PID:4192

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5162592.exe
      Filesize

      532KB

      MD5

      740879e1c2c98b085097c9e9b27da822

      SHA1

      3051528b0be5b7ca4d550a5dfe810b337eb77eb5

      SHA256

      d88f0c5d30e7fe9a6f9046c4e8094f629abf6b733e87b04fd6104a389c04b902

      SHA512

      6b69cbee104624a0b50bc26e83f5bab951bc8c121ad3d63ea87b82bbc445ab3d4ce4156993d44d3d0af8ca98054468bc792a518b7215a568f7ce6b2970be5267

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5162592.exe
      Filesize

      532KB

      MD5

      740879e1c2c98b085097c9e9b27da822

      SHA1

      3051528b0be5b7ca4d550a5dfe810b337eb77eb5

      SHA256

      d88f0c5d30e7fe9a6f9046c4e8094f629abf6b733e87b04fd6104a389c04b902

      SHA512

      6b69cbee104624a0b50bc26e83f5bab951bc8c121ad3d63ea87b82bbc445ab3d4ce4156993d44d3d0af8ca98054468bc792a518b7215a568f7ce6b2970be5267

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2949325.exe
      Filesize

      359KB

      MD5

      81b6a19e85c4f7d0cdce07a71e6872ce

      SHA1

      0c1b8c0d1370a7a6c740437bf6c59541ac5a8e64

      SHA256

      78e6568f2590fb79530dfe2480053e1818771970acedc24aae0a7c7770f49a54

      SHA512

      b7fc5be5816c238893d35d77a4ffa43ab478495a90ca4b8757d08a87c5ecf10423ff0ce69cd512df26e96f09a70fada73ccaf37bb0ddf90976d4b7fe5acf0b94

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2949325.exe
      Filesize

      359KB

      MD5

      81b6a19e85c4f7d0cdce07a71e6872ce

      SHA1

      0c1b8c0d1370a7a6c740437bf6c59541ac5a8e64

      SHA256

      78e6568f2590fb79530dfe2480053e1818771970acedc24aae0a7c7770f49a54

      SHA512

      b7fc5be5816c238893d35d77a4ffa43ab478495a90ca4b8757d08a87c5ecf10423ff0ce69cd512df26e96f09a70fada73ccaf37bb0ddf90976d4b7fe5acf0b94

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3530027.exe
      Filesize

      172KB

      MD5

      71d83720dc8dc98d888988166ffcfbc1

      SHA1

      93474c130c1b32ec1a8d6bc5596ea7bdb9e3bf33

      SHA256

      6dfb8daa5cd20bad333bb36b343afd46e64410b6b61e764abc3efecf172b748d

      SHA512

      9f0b69e8634e10632c0a6e4a583f8f082b9e1d58d7d71532fa2afa40d5795d294119916aa6bdcfafa262d64aa92ebcf3cf316cd365997284a70c34565fec3567

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3530027.exe
      Filesize

      172KB

      MD5

      71d83720dc8dc98d888988166ffcfbc1

      SHA1

      93474c130c1b32ec1a8d6bc5596ea7bdb9e3bf33

      SHA256

      6dfb8daa5cd20bad333bb36b343afd46e64410b6b61e764abc3efecf172b748d

      SHA512

      9f0b69e8634e10632c0a6e4a583f8f082b9e1d58d7d71532fa2afa40d5795d294119916aa6bdcfafa262d64aa92ebcf3cf316cd365997284a70c34565fec3567

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5519559.exe
      Filesize

      204KB

      MD5

      babec8b196886d51b337740368ec2e32

      SHA1

      d5244b8cd1c52d683d6d18ef45fd752ce0048246

      SHA256

      7ea8cd7cdf7325d410104c22efc862b60e884efdbf853742c51c90401b69d983

      SHA512

      ce8cbedcb81cc80b945a382a093916dd05ffa3cc54dda7615f90c76ef86eda2524bd07aa6129a48462c9f647d869a064746150c96fd0d688cd91bc9fbf1a1f16

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5519559.exe
      Filesize

      204KB

      MD5

      babec8b196886d51b337740368ec2e32

      SHA1

      d5244b8cd1c52d683d6d18ef45fd752ce0048246

      SHA256

      7ea8cd7cdf7325d410104c22efc862b60e884efdbf853742c51c90401b69d983

      SHA512

      ce8cbedcb81cc80b945a382a093916dd05ffa3cc54dda7615f90c76ef86eda2524bd07aa6129a48462c9f647d869a064746150c96fd0d688cd91bc9fbf1a1f16

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8993659.exe
      Filesize

      14KB

      MD5

      b97a43317aab4d19276f863f1ac8299d

      SHA1

      9522482cacbe8940e461b14dcb2be3f048cfce2a

      SHA256

      71e3a43b2340255fcc9e25013b40096e33f5a823bdac796facc5b0eaa1b6b440

      SHA512

      3ee980597516e1ca981561c610130e01840ecda26964ff42441f3b9f3101d166cc4ef2c5c118ef38aa0e0549cbec447625f86d85884ab203f598fde5c2f69747

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8993659.exe
      Filesize

      14KB

      MD5

      b97a43317aab4d19276f863f1ac8299d

      SHA1

      9522482cacbe8940e461b14dcb2be3f048cfce2a

      SHA256

      71e3a43b2340255fcc9e25013b40096e33f5a823bdac796facc5b0eaa1b6b440

      SHA512

      3ee980597516e1ca981561c610130e01840ecda26964ff42441f3b9f3101d166cc4ef2c5c118ef38aa0e0549cbec447625f86d85884ab203f598fde5c2f69747

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3379091.exe
      Filesize

      120KB

      MD5

      872268bc2d3d7c8f8b82e3be533fd93a

      SHA1

      6a7ae24e29e08c8f16c95b6e2c89426355dd3628

      SHA256

      9ddc36ed53be124c4523ea2ec238affbac0af0874d831608752a801b33ac3d50

      SHA512

      d33cea1fd360cad1bab3752b649ab28cec3d15d56b771f6f497ff183f6b63c8f810ba363ecd4eed08f329bf6a228e983013d29adcb65451267f37992e92cdb82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3379091.exe
      Filesize

      120KB

      MD5

      872268bc2d3d7c8f8b82e3be533fd93a

      SHA1

      6a7ae24e29e08c8f16c95b6e2c89426355dd3628

      SHA256

      9ddc36ed53be124c4523ea2ec238affbac0af0874d831608752a801b33ac3d50

      SHA512

      d33cea1fd360cad1bab3752b649ab28cec3d15d56b771f6f497ff183f6b63c8f810ba363ecd4eed08f329bf6a228e983013d29adcb65451267f37992e92cdb82

      Download Submit
    • memory/400-161-0x00000000002E0000-0x00000000002EA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2716-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4840-175-0x0000000000A80000-0x0000000000AB0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4840-176-0x000000000AD80000-0x000000000B398000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4840-177-0x000000000A8C0000-0x000000000A9CA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4840-178-0x000000000A800000-0x000000000A812000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4840-179-0x000000000A860000-0x000000000A89C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4840-180-0x0000000002C00000-0x0000000002C10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4840-182-0x0000000002C00000-0x0000000002C10000-memory.dmp
      Filesize

      64KB

      Download