Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 14:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175.exe

  • Size

    734KB

  • MD5

    b5cb9a4b76f6dfd9264504f976b8582d

  • SHA1

    c8b21b12f9849f6b5ddd0903d259f5b80275d0fc

  • SHA256

    8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175

  • SHA512

    fd141f9ebd5441cac42691d9ec9e46b62b405f736b4ef4c3c44f801f040e852a65106fbfdca2d56b44fd39bea693a0b555de041e64fc9bba18ebfccdc0a32131

  • SSDEEP

    12288:2MrjBy90JbYz/kDqodUFVCNlFffHJhNJ7b3KMcYLaXE+jMVVqftxG2SxA:5By4U72qCUQFf1J7wY8JMnqrGJxA

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175.exe
    "C:\Users\Admin\AppData\Local\Temp\8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9189362.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9189362.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4260240.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4260240.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7032959.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7032959.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3860
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3030276.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3030276.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2316
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3496119.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3496119.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3472
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3528
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 140
              6⤵
              • Program crash
              PID:216
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8841072.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8841072.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4616
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3472 -ip 3472
    1⤵
      PID:5084

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9189362.exe
      Filesize

      530KB

      MD5

      ae765ddfbeb7c875ef91204328eeb41d

      SHA1

      362dbd6df82f9c99fa0ed5dc6bf8f68ea626728b

      SHA256

      5cd8f9dfea6d323ee811ce6fa0617e6f65e78e7169cf48f49a73e0e8bda93191

      SHA512

      576a16d3249d15e6b90e46bffd37b5578bb570ab81860a898a8e3ec44126cc18fd8ed3f2d3b69cb4fe085c46391882306b69d258e0c75ed5de669f95400e3e81

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9189362.exe
      Filesize

      530KB

      MD5

      ae765ddfbeb7c875ef91204328eeb41d

      SHA1

      362dbd6df82f9c99fa0ed5dc6bf8f68ea626728b

      SHA256

      5cd8f9dfea6d323ee811ce6fa0617e6f65e78e7169cf48f49a73e0e8bda93191

      SHA512

      576a16d3249d15e6b90e46bffd37b5578bb570ab81860a898a8e3ec44126cc18fd8ed3f2d3b69cb4fe085c46391882306b69d258e0c75ed5de669f95400e3e81

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4260240.exe
      Filesize

      358KB

      MD5

      5eaef42842b5a7fd6e9f69cd39554174

      SHA1

      d831b1ca87310a7f6e6bd8671e8b64a043b0c0e1

      SHA256

      cdaaa5fc791100decea31f408d56a473d914216f0eeb23e72064d2dd1177614f

      SHA512

      2b6f0c5aad8082d8e88226057f8ee6959ed60f9b47346a60c74770faeb3b59b2eb2ccfef8662d80c474ac42195a9300becea238aa7be29d8736d251d17cdd80f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4260240.exe
      Filesize

      358KB

      MD5

      5eaef42842b5a7fd6e9f69cd39554174

      SHA1

      d831b1ca87310a7f6e6bd8671e8b64a043b0c0e1

      SHA256

      cdaaa5fc791100decea31f408d56a473d914216f0eeb23e72064d2dd1177614f

      SHA512

      2b6f0c5aad8082d8e88226057f8ee6959ed60f9b47346a60c74770faeb3b59b2eb2ccfef8662d80c474ac42195a9300becea238aa7be29d8736d251d17cdd80f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8841072.exe
      Filesize

      172KB

      MD5

      1be663d1abc8c80466b6983f4c6c03c1

      SHA1

      875838e1ca4bd688eda6e64e29c0f759b2914a4d

      SHA256

      813a9f5b35c768cb95326fc2a109fabf70711dd635b1aa62b5d3d2c5a343b2d5

      SHA512

      a83cbe87d8f83567fa9235d6e6bb8fc7d42a964940b824bebd5b130c3ae09c1d174dad8ff01f3e3b3d86c1f9fd66b1fe8bbbe78a40d5904a6156c85c602b8780

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8841072.exe
      Filesize

      172KB

      MD5

      1be663d1abc8c80466b6983f4c6c03c1

      SHA1

      875838e1ca4bd688eda6e64e29c0f759b2914a4d

      SHA256

      813a9f5b35c768cb95326fc2a109fabf70711dd635b1aa62b5d3d2c5a343b2d5

      SHA512

      a83cbe87d8f83567fa9235d6e6bb8fc7d42a964940b824bebd5b130c3ae09c1d174dad8ff01f3e3b3d86c1f9fd66b1fe8bbbe78a40d5904a6156c85c602b8780

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7032959.exe
      Filesize

      203KB

      MD5

      37d5ddc6cf56e656a7c57efa3664b016

      SHA1

      74f2ddfe3943eaf0c1a6fc36697fadf31e084f52

      SHA256

      e7a8e5b30485af6190adfdae236dfc126da8e707df8b0e75bb63608a614cb4f0

      SHA512

      3ffca4b5385638e96d479d609b92ba1d03fc83cd08148cd78ff0c9530ddd543db2aba1151eedd3b784697a44ffb44cc8103eaf3a97df7f0e5b5bde9ac71c5a82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7032959.exe
      Filesize

      203KB

      MD5

      37d5ddc6cf56e656a7c57efa3664b016

      SHA1

      74f2ddfe3943eaf0c1a6fc36697fadf31e084f52

      SHA256

      e7a8e5b30485af6190adfdae236dfc126da8e707df8b0e75bb63608a614cb4f0

      SHA512

      3ffca4b5385638e96d479d609b92ba1d03fc83cd08148cd78ff0c9530ddd543db2aba1151eedd3b784697a44ffb44cc8103eaf3a97df7f0e5b5bde9ac71c5a82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3030276.exe
      Filesize

      14KB

      MD5

      2869e46b33ece6f0afd03fbad7bb338d

      SHA1

      784a9d3e212d059795b2981068f98fc2e6703f1a

      SHA256

      2288b47b9dc1f8865e567d06e05e480f9d8bc43d290e0c3922f96fbd420e5509

      SHA512

      e24eccbd38fe164000cd2b7d6e6c557263cdeaa7668449bf21b8df93ef7374a6979f7ba1cdef66d2e82a18f3567f738dbf4b2ceebaad6a1140305185a47ed520

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3030276.exe
      Filesize

      14KB

      MD5

      2869e46b33ece6f0afd03fbad7bb338d

      SHA1

      784a9d3e212d059795b2981068f98fc2e6703f1a

      SHA256

      2288b47b9dc1f8865e567d06e05e480f9d8bc43d290e0c3922f96fbd420e5509

      SHA512

      e24eccbd38fe164000cd2b7d6e6c557263cdeaa7668449bf21b8df93ef7374a6979f7ba1cdef66d2e82a18f3567f738dbf4b2ceebaad6a1140305185a47ed520

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3496119.exe
      Filesize

      120KB

      MD5

      b03d4dbc407b835c9113153feae96078

      SHA1

      d33963e90b1581dc473127acd7b87d9d4213fbff

      SHA256

      16ff41b160e7e51c6975efed48c52cc5c223c3c7c9c114e07e52638818c71cc6

      SHA512

      e8f5977d6dd74bfece120c5e208b4ae3a79bf86446e7a9fa3d9c6d7d8e3a8632210cccbc844196639ee9ada0546254561cba4dfa48c8dfc301fb5f82f806c5aa

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3496119.exe
      Filesize

      120KB

      MD5

      b03d4dbc407b835c9113153feae96078

      SHA1

      d33963e90b1581dc473127acd7b87d9d4213fbff

      SHA256

      16ff41b160e7e51c6975efed48c52cc5c223c3c7c9c114e07e52638818c71cc6

      SHA512

      e8f5977d6dd74bfece120c5e208b4ae3a79bf86446e7a9fa3d9c6d7d8e3a8632210cccbc844196639ee9ada0546254561cba4dfa48c8dfc301fb5f82f806c5aa

      Download Submit
    • memory/2316-161-0x0000000000DF0000-0x0000000000DFA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3528-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4616-175-0x00000000009D0000-0x0000000000A00000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4616-176-0x000000000AC90000-0x000000000B2A8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4616-177-0x000000000A810000-0x000000000A91A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4616-178-0x000000000A750000-0x000000000A762000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4616-179-0x000000000A7B0000-0x000000000A7EC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4616-180-0x00000000052E0000-0x00000000052F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4616-181-0x000000000AAC0000-0x000000000AB36000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4616-182-0x000000000ABE0000-0x000000000AC72000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4616-183-0x000000000B860000-0x000000000BE04000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4616-184-0x000000000B3B0000-0x000000000B416000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4616-185-0x000000000B7E0000-0x000000000B830000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4616-187-0x00000000052E0000-0x00000000052F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4616-188-0x000000000C0E0000-0x000000000C2A2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4616-189-0x000000000C7E0000-0x000000000CD0C000-memory.dmp
      Filesize

      5.2MB

      Download