Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ffddabff9efaf5eb811259dbe5ff03195a920e231e6805a9b74257c734ff019.exe

  • Size

    737KB

  • MD5

    108adb4fcdd3b1bdcea0a71d931180a9

  • SHA1

    8219f6cb3a0120ad2e852b08ee901560fef63b29

  • SHA256

    1ffddabff9efaf5eb811259dbe5ff03195a920e231e6805a9b74257c734ff019

  • SHA512

    4f775c1e9c4b23a609e740221e6e63823af345afbf168aa7ed14aba55c90b6f65de805426b9c724e2f22a6a0037f1abdeba28633106410ba77ae1bc37ad13dd4

  • SSDEEP

    12288:CMr8y90a1Qp9W4OZHFci6zIEkMrrsyvqiK7WjswGuGNunEu4R3mom4h4e:yySbOpFt6UEmy0Wju0+mX4ht

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ffddabff9efaf5eb811259dbe5ff03195a920e231e6805a9b74257c734ff019.exe
    "C:\Users\Admin\AppData\Local\Temp\1ffddabff9efaf5eb811259dbe5ff03195a920e231e6805a9b74257c734ff019.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8578198.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8578198.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5460474.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5460474.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8920264.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8920264.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:624
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9627532.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9627532.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:784
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8393277.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8393277.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1752
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4532
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 152
              6⤵
              • Program crash
              PID:2416
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0204683.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0204683.exe
          4⤵
          • Executes dropped EXE
          PID:1608
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1752 -ip 1752
    1⤵
      PID:1928

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8578198.exe
      Filesize

      531KB

      MD5

      cf171fb02e2260af1a840cf97b85ca9c

      SHA1

      a684fa9dceab9c36068f872da0aabf586b139bbb

      SHA256

      c3f2e9b865580967b3a8cba4f8b42880346073e1836c3264112959aeb11cc53a

      SHA512

      f5e3bd1c8fa4b6690ed76f0c24644e8c8c3ff190d3dd48c76f794f1bbd5f44b49fddad7c3e10f06842de95cd8e34fcabacaa1628b19a571a8ad8ea7ebc115f86

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8578198.exe
      Filesize

      531KB

      MD5

      cf171fb02e2260af1a840cf97b85ca9c

      SHA1

      a684fa9dceab9c36068f872da0aabf586b139bbb

      SHA256

      c3f2e9b865580967b3a8cba4f8b42880346073e1836c3264112959aeb11cc53a

      SHA512

      f5e3bd1c8fa4b6690ed76f0c24644e8c8c3ff190d3dd48c76f794f1bbd5f44b49fddad7c3e10f06842de95cd8e34fcabacaa1628b19a571a8ad8ea7ebc115f86

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5460474.exe
      Filesize

      359KB

      MD5

      1622e834db9434b162b38a93fd125a91

      SHA1

      1d8e148338e4e2aa1f583527c6679556d6796776

      SHA256

      987507b78f0ffa0564bb9237be0ce4211763f798b364052af224134db912af36

      SHA512

      94ec021f370c4da5a6d15dec7248fe57ba457fd427c19ad4f74239ee22bef0141b2140377107474c05f242a3e945b8983a32cd1e9e4ef2784caaa118118e32b6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5460474.exe
      Filesize

      359KB

      MD5

      1622e834db9434b162b38a93fd125a91

      SHA1

      1d8e148338e4e2aa1f583527c6679556d6796776

      SHA256

      987507b78f0ffa0564bb9237be0ce4211763f798b364052af224134db912af36

      SHA512

      94ec021f370c4da5a6d15dec7248fe57ba457fd427c19ad4f74239ee22bef0141b2140377107474c05f242a3e945b8983a32cd1e9e4ef2784caaa118118e32b6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0204683.exe
      Filesize

      172KB

      MD5

      3e5b622e60d374b75fa20e73a42e7c59

      SHA1

      596453228752e26f1f4d5bd1d2bb3df45c3505e9

      SHA256

      8ab8494fcf02ef4efd0b8f5113b82930f8eacbb38b35da559c73e26e2adcec3e

      SHA512

      1c55385226db3c232129afdf462b7c5a007c3957af7669c5acf96c0c557c12a3e9d7d268477259d0ab29142ed49fc42882fe5f5af0aa97b504fe2af3fab16bee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0204683.exe
      Filesize

      172KB

      MD5

      3e5b622e60d374b75fa20e73a42e7c59

      SHA1

      596453228752e26f1f4d5bd1d2bb3df45c3505e9

      SHA256

      8ab8494fcf02ef4efd0b8f5113b82930f8eacbb38b35da559c73e26e2adcec3e

      SHA512

      1c55385226db3c232129afdf462b7c5a007c3957af7669c5acf96c0c557c12a3e9d7d268477259d0ab29142ed49fc42882fe5f5af0aa97b504fe2af3fab16bee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8920264.exe
      Filesize

      203KB

      MD5

      2c311ad2e9cb8d229a0e63956bcca4d5

      SHA1

      32e367653613992194f21fc543d31141a462e970

      SHA256

      c5c80dee52333ccf4d84dd042fad370c362655acb52ba951bdcd7c899a70b30b

      SHA512

      79f9e15466419660d24ee2c58cf0902f04bea76030c58f12f2aa6d711a1d3053e34b3ec0e8c9c7b223a6efa4a279b6c8e1a533c54d66619da972a94ec240f549

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8920264.exe
      Filesize

      203KB

      MD5

      2c311ad2e9cb8d229a0e63956bcca4d5

      SHA1

      32e367653613992194f21fc543d31141a462e970

      SHA256

      c5c80dee52333ccf4d84dd042fad370c362655acb52ba951bdcd7c899a70b30b

      SHA512

      79f9e15466419660d24ee2c58cf0902f04bea76030c58f12f2aa6d711a1d3053e34b3ec0e8c9c7b223a6efa4a279b6c8e1a533c54d66619da972a94ec240f549

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9627532.exe
      Filesize

      14KB

      MD5

      7096f4f04b13a72a77898aa25885228d

      SHA1

      e7a5d2785d2fdaa07af3404aad30a533270bb0d5

      SHA256

      967fec8e4941a64b2a4cff09431b330eb5ad72af68c1898fd8a02b7072f501a7

      SHA512

      a68c595b49774d2d8927f9ba108dabf9eb54e94578547f976d4cdae7249da6db32d7d1477a542f049bdd43dc74c5ea32e1e9bee6d70b59a744c6c23c0b48506e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9627532.exe
      Filesize

      14KB

      MD5

      7096f4f04b13a72a77898aa25885228d

      SHA1

      e7a5d2785d2fdaa07af3404aad30a533270bb0d5

      SHA256

      967fec8e4941a64b2a4cff09431b330eb5ad72af68c1898fd8a02b7072f501a7

      SHA512

      a68c595b49774d2d8927f9ba108dabf9eb54e94578547f976d4cdae7249da6db32d7d1477a542f049bdd43dc74c5ea32e1e9bee6d70b59a744c6c23c0b48506e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8393277.exe
      Filesize

      120KB

      MD5

      99d2a23fb892970c081a74133f7fbd06

      SHA1

      3cc09c988695257338a3647a488127152e688f72

      SHA256

      b5f65ca941a5fa3dc6da9000511250384944798038893498bcfe2c0a013b5192

      SHA512

      e96e7ba7a651f9d7202268091a15b55d0e81d581908aa73445265d4a11bf4b4e8ee21dafeb2e0d04df98b4901545c393b6e848160af985154140446eaba2dc48

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8393277.exe
      Filesize

      120KB

      MD5

      99d2a23fb892970c081a74133f7fbd06

      SHA1

      3cc09c988695257338a3647a488127152e688f72

      SHA256

      b5f65ca941a5fa3dc6da9000511250384944798038893498bcfe2c0a013b5192

      SHA512

      e96e7ba7a651f9d7202268091a15b55d0e81d581908aa73445265d4a11bf4b4e8ee21dafeb2e0d04df98b4901545c393b6e848160af985154140446eaba2dc48

      Download Submit
    • memory/784-161-0x0000000000E10000-0x0000000000E1A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1608-175-0x0000000000F40000-0x0000000000F70000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1608-176-0x000000000B2A0000-0x000000000B8B8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1608-177-0x000000000AD90000-0x000000000AE9A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1608-178-0x000000000ACC0000-0x000000000ACD2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1608-179-0x000000000AD20000-0x000000000AD5C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1608-180-0x00000000057F0000-0x0000000005800000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1608-182-0x00000000057F0000-0x0000000005800000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4532-167-0x0000000000410000-0x000000000041A000-memory.dmp
      Filesize

      40KB

      Download