Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 16:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a89db3d647f3d8cc40c699720597e7a0ab28181508cc895e6890b4738512d27.exe

  • Size

    738KB

  • MD5

    43cec344ceb337c221f534adcdaa2a65

  • SHA1

    93e14be40a09c497e870d4b2bcb220faa608596b

  • SHA256

    1a89db3d647f3d8cc40c699720597e7a0ab28181508cc895e6890b4738512d27

  • SHA512

    6d84bf7e2e137337ee08f1ef6f54017e60949bcec3246669107b6f8d7e1da4dc4a1de58c97c42d719da18da2df6caca6b41a737c36a069fb14984b1d1f76d81d

  • SSDEEP

    12288:SMrJy900wjsw+7c92icSzBaoykt5MNzNkDRyOy41yUxzqIVW90Od9tMSUbkLP+4t:XyHwjsFI4fKBaoya5SzNcAENqIV+9sbk

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a89db3d647f3d8cc40c699720597e7a0ab28181508cc895e6890b4738512d27.exe
    "C:\Users\Admin\AppData\Local\Temp\1a89db3d647f3d8cc40c699720597e7a0ab28181508cc895e6890b4738512d27.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9513864.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9513864.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2294295.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2294295.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9697210.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9697210.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4468
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1902467.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1902467.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2416
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9924498.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9924498.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4020
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:112
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 572
              6⤵
              • Program crash
              PID:4084
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3063589.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3063589.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2748
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4020 -ip 4020
    1⤵
      PID:3240

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9513864.exe
      Filesize

      531KB

      MD5

      2a3289f32c1886638d27028a95c15589

      SHA1

      2f0bddd84bd1a36b533fba122450ba928a774d34

      SHA256

      2021efdfdc5af53d7399b0272b56dd20cd8fbf5e82599ff116708b51385ff55c

      SHA512

      f6584e2a819e1848e0fc13eb0ddf7a99d418595588c1ac1469f81f22bf6ba02c4fddee24d5da58dfa81159b0c1a5d6e34b6cf79b900d780767609fca0ee789fd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9513864.exe
      Filesize

      531KB

      MD5

      2a3289f32c1886638d27028a95c15589

      SHA1

      2f0bddd84bd1a36b533fba122450ba928a774d34

      SHA256

      2021efdfdc5af53d7399b0272b56dd20cd8fbf5e82599ff116708b51385ff55c

      SHA512

      f6584e2a819e1848e0fc13eb0ddf7a99d418595588c1ac1469f81f22bf6ba02c4fddee24d5da58dfa81159b0c1a5d6e34b6cf79b900d780767609fca0ee789fd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2294295.exe
      Filesize

      359KB

      MD5

      26b68da47204e8c384d26d313c5d926f

      SHA1

      24f055595951e07fcdca57f680dde5b9689fe4be

      SHA256

      21a710f2fef28c3a7152410a7a060589c4223583107fb8327d6ec8e6a4ac6d15

      SHA512

      acb659d10a5310582bda383936c0a461c3a48de2639a485036b2e3003751e36771109c4f077bb87a4c25b34e2787cf267e5c9a05a74f5cd4cb8a084e094fb46e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2294295.exe
      Filesize

      359KB

      MD5

      26b68da47204e8c384d26d313c5d926f

      SHA1

      24f055595951e07fcdca57f680dde5b9689fe4be

      SHA256

      21a710f2fef28c3a7152410a7a060589c4223583107fb8327d6ec8e6a4ac6d15

      SHA512

      acb659d10a5310582bda383936c0a461c3a48de2639a485036b2e3003751e36771109c4f077bb87a4c25b34e2787cf267e5c9a05a74f5cd4cb8a084e094fb46e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3063589.exe
      Filesize

      172KB

      MD5

      3af058bc13a2a578e5e236944f469b96

      SHA1

      43662ff8638a02354f767f5a3675afbcc4ff38ff

      SHA256

      0df8910f0dfe57c644c302cc9a8ccea096cc9a35a86f488b487f718c44fcd31b

      SHA512

      0d647f8d0ef61c6e553afe318ff73ea5deab519989c21942af69f705b53aee1ef8598a402fc836755851d0c6ec4aca334869c904cf88388f887a385202c3d9bd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3063589.exe
      Filesize

      172KB

      MD5

      3af058bc13a2a578e5e236944f469b96

      SHA1

      43662ff8638a02354f767f5a3675afbcc4ff38ff

      SHA256

      0df8910f0dfe57c644c302cc9a8ccea096cc9a35a86f488b487f718c44fcd31b

      SHA512

      0d647f8d0ef61c6e553afe318ff73ea5deab519989c21942af69f705b53aee1ef8598a402fc836755851d0c6ec4aca334869c904cf88388f887a385202c3d9bd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9697210.exe
      Filesize

      204KB

      MD5

      9f1350226cbb7eda7394a0cb46918dc0

      SHA1

      e94c63548f93e0a5ce1e8584e5d285f85c6e7e6e

      SHA256

      f56c5d85aee141dd43d4e430cde060873e536c20bad4c2ec5573b990d10f9b47

      SHA512

      40a0f2f402e7a71183420dae85d4b7b60e18a362642088d3fc45549aa68315f06b2246087968c3d8975059fc687b1def3acd5eefa940fe1abaf7f79d891e8b32

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9697210.exe
      Filesize

      204KB

      MD5

      9f1350226cbb7eda7394a0cb46918dc0

      SHA1

      e94c63548f93e0a5ce1e8584e5d285f85c6e7e6e

      SHA256

      f56c5d85aee141dd43d4e430cde060873e536c20bad4c2ec5573b990d10f9b47

      SHA512

      40a0f2f402e7a71183420dae85d4b7b60e18a362642088d3fc45549aa68315f06b2246087968c3d8975059fc687b1def3acd5eefa940fe1abaf7f79d891e8b32

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1902467.exe
      Filesize

      14KB

      MD5

      10da334ea7457b04caef133e8860d90a

      SHA1

      7998abe433c3ad9c5c0fcd77338b292a1f54e321

      SHA256

      0adb47a65e3eb987bc550e60401b9e7a9eb3c5281e98df895310aaf3a0524d50

      SHA512

      073a648a800ab0a0884ecf0f34e00ac0a887c08e69b207d3bc929469b8f11326eb1be30c8a7687f1ec7ca2a8019d49602b72955328076be98c7bf2c4187ca009

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1902467.exe
      Filesize

      14KB

      MD5

      10da334ea7457b04caef133e8860d90a

      SHA1

      7998abe433c3ad9c5c0fcd77338b292a1f54e321

      SHA256

      0adb47a65e3eb987bc550e60401b9e7a9eb3c5281e98df895310aaf3a0524d50

      SHA512

      073a648a800ab0a0884ecf0f34e00ac0a887c08e69b207d3bc929469b8f11326eb1be30c8a7687f1ec7ca2a8019d49602b72955328076be98c7bf2c4187ca009

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9924498.exe
      Filesize

      120KB

      MD5

      acf0f703fb314746fd06e71ca8af4f02

      SHA1

      fdd4bc36be023bce620c1d4ce4c5fd0d243f145e

      SHA256

      45abf307899f45adea895a44ed2be8eded2ee7b705ad36858bee5b16ed23c65d

      SHA512

      12e288a7866c4b407c9efa00a65787b3e9977aa59dc80ab276b1539cc6baadef3f60225d9bfd363e2520d6c55b2f4521238056040d2480f107a9d68e6878155d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9924498.exe
      Filesize

      120KB

      MD5

      acf0f703fb314746fd06e71ca8af4f02

      SHA1

      fdd4bc36be023bce620c1d4ce4c5fd0d243f145e

      SHA256

      45abf307899f45adea895a44ed2be8eded2ee7b705ad36858bee5b16ed23c65d

      SHA512

      12e288a7866c4b407c9efa00a65787b3e9977aa59dc80ab276b1539cc6baadef3f60225d9bfd363e2520d6c55b2f4521238056040d2480f107a9d68e6878155d

      Download Submit
    • memory/112-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2416-161-0x0000000000130000-0x000000000013A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2748-175-0x0000000000FE0000-0x0000000001010000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2748-176-0x000000000B2E0000-0x000000000B8F8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2748-177-0x000000000AE20000-0x000000000AF2A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2748-178-0x000000000AD60000-0x000000000AD72000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2748-179-0x000000000ADC0000-0x000000000ADFC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2748-180-0x0000000005830000-0x0000000005840000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2748-182-0x0000000005830000-0x0000000005840000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2748-183-0x0000000002F60000-0x0000000002FD6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2748-184-0x000000000B240000-0x000000000B2D2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2748-185-0x000000000C0B0000-0x000000000C654000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2748-186-0x000000000BB00000-0x000000000BB66000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2748-187-0x000000000BEF0000-0x000000000BF40000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2748-188-0x000000000C830000-0x000000000C9F2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2748-189-0x000000000CF30000-0x000000000D45C000-memory.dmp
      Filesize

      5.2MB

      Download