Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 17:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1948d73d252613238ba6edbe05d7c9d736bb78147eeb2de170231f72066211ba.exe

  • Size

    739KB

  • MD5

    08c34d7a3b8710a6500616800143a4bb

  • SHA1

    73cc95e35ff5aa5dbecc876dd3e99126ecff3b54

  • SHA256

    1948d73d252613238ba6edbe05d7c9d736bb78147eeb2de170231f72066211ba

  • SHA512

    f21f2d6e45092070c9505658ee1a12305354628ab09ce39767fab7ebdcad0a30d47aaa8bf27ca1af438a34286d4391e6bec3eb57248a904fdfd3b7703b32b0b6

  • SSDEEP

    12288:UMrWy900swcruRTW35f2nBFTmZPCu4evxOoMVxXYBoVG8Yb6HZjlH:yytswcraTot2BFTmZ/OhIBofYmjlH

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1948d73d252613238ba6edbe05d7c9d736bb78147eeb2de170231f72066211ba.exe
    "C:\Users\Admin\AppData\Local\Temp\1948d73d252613238ba6edbe05d7c9d736bb78147eeb2de170231f72066211ba.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7233150.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7233150.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2582090.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2582090.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4452
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7693349.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7693349.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4668
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8997518.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8997518.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4380
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5843083.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5843083.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4916
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1292
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 152
              6⤵
              • Program crash
              PID:216
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6979883.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6979883.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4152
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4916 -ip 4916
    1⤵
      PID:872

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7233150.exe
      Filesize

      532KB

      MD5

      11e13823fc06074e75928f8d91283b52

      SHA1

      85e3a82e9305cd4aab6101b4235e86581654e13a

      SHA256

      acf4043ea2bd597cdafb4fae09f0d037180a817b1da0442724a03ccdb6970fc5

      SHA512

      a9e05ca03ff38ab2d6ac5bd9520f9b0fba1e6478ac699be0ac7a76916d7b10f4fd613b31dccda1bd949134a8a6b9034e0c248542bfbd353a645a28dd9f972ba5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7233150.exe
      Filesize

      532KB

      MD5

      11e13823fc06074e75928f8d91283b52

      SHA1

      85e3a82e9305cd4aab6101b4235e86581654e13a

      SHA256

      acf4043ea2bd597cdafb4fae09f0d037180a817b1da0442724a03ccdb6970fc5

      SHA512

      a9e05ca03ff38ab2d6ac5bd9520f9b0fba1e6478ac699be0ac7a76916d7b10f4fd613b31dccda1bd949134a8a6b9034e0c248542bfbd353a645a28dd9f972ba5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2582090.exe
      Filesize

      359KB

      MD5

      5104b7df88965e1752439bae88700de9

      SHA1

      d973e7406803918ce35791087d3dc67aa710cb24

      SHA256

      5854bf15aa6f4f38aa5dc0d1f19d6e5a5b85915142cd151a6d7b5065f7be29a2

      SHA512

      3843b777ac4e012f855f79b5fc193ccb857c4b3f329f1ce777c745fba557e2330f9a4aa60ed3a27cf4243838f3971d566689f2b0471012c7752cb8cf8be0f4e0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2582090.exe
      Filesize

      359KB

      MD5

      5104b7df88965e1752439bae88700de9

      SHA1

      d973e7406803918ce35791087d3dc67aa710cb24

      SHA256

      5854bf15aa6f4f38aa5dc0d1f19d6e5a5b85915142cd151a6d7b5065f7be29a2

      SHA512

      3843b777ac4e012f855f79b5fc193ccb857c4b3f329f1ce777c745fba557e2330f9a4aa60ed3a27cf4243838f3971d566689f2b0471012c7752cb8cf8be0f4e0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6979883.exe
      Filesize

      172KB

      MD5

      7778923012f1551c3e39b87ad830bcaf

      SHA1

      7abd0ccf3df5ba1c1d2d76647bdc30be8e6d79dc

      SHA256

      6f78874964d54a349627d0464ef474807a473e9cb1dbaf3996e1d790c5e453cf

      SHA512

      f2227e997ae76f61794fdc80a886212106958f84a30b6765c9f339074d4f61526274750efc727362e75d39777999b753496ea562d7e20b1d6eded56b2ad9df42

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6979883.exe
      Filesize

      172KB

      MD5

      7778923012f1551c3e39b87ad830bcaf

      SHA1

      7abd0ccf3df5ba1c1d2d76647bdc30be8e6d79dc

      SHA256

      6f78874964d54a349627d0464ef474807a473e9cb1dbaf3996e1d790c5e453cf

      SHA512

      f2227e997ae76f61794fdc80a886212106958f84a30b6765c9f339074d4f61526274750efc727362e75d39777999b753496ea562d7e20b1d6eded56b2ad9df42

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7693349.exe
      Filesize

      204KB

      MD5

      dfbb01e41b9acac899c0126e1dec679d

      SHA1

      dec3fb9bd4317b8c602119f965df0abc57d722f0

      SHA256

      ad40d3b54c37b775e7406c77f7baaf52f24e657f2fa9a6f41b62c6d7586374d7

      SHA512

      842d90ffa4835e80a24e6dbfb2ba7495e6c73ae1a82d8a982667c4604bb7d974fc3b8cb1864f71e61661f1268d7dfffa1d04e04a69a2b5ab69fba5cc8e0ec086

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7693349.exe
      Filesize

      204KB

      MD5

      dfbb01e41b9acac899c0126e1dec679d

      SHA1

      dec3fb9bd4317b8c602119f965df0abc57d722f0

      SHA256

      ad40d3b54c37b775e7406c77f7baaf52f24e657f2fa9a6f41b62c6d7586374d7

      SHA512

      842d90ffa4835e80a24e6dbfb2ba7495e6c73ae1a82d8a982667c4604bb7d974fc3b8cb1864f71e61661f1268d7dfffa1d04e04a69a2b5ab69fba5cc8e0ec086

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8997518.exe
      Filesize

      14KB

      MD5

      6989ab83a290fe6f7b385ea7e46e91d1

      SHA1

      43b585e7dab88cc9e46035ab994e424fb3b70687

      SHA256

      4b529bbfb552887229a650475ce70c0acbc37ddc8337b76a45b3e00d0e5f9cf8

      SHA512

      d4e5fa4014be238b0fa98f3ec18447cb0a6d282a5144abe3b4842a654c69dee6f536aeeac5ade5e2b06f0b27cc91464642401a38fd30e40986a3db327a8bf20c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8997518.exe
      Filesize

      14KB

      MD5

      6989ab83a290fe6f7b385ea7e46e91d1

      SHA1

      43b585e7dab88cc9e46035ab994e424fb3b70687

      SHA256

      4b529bbfb552887229a650475ce70c0acbc37ddc8337b76a45b3e00d0e5f9cf8

      SHA512

      d4e5fa4014be238b0fa98f3ec18447cb0a6d282a5144abe3b4842a654c69dee6f536aeeac5ade5e2b06f0b27cc91464642401a38fd30e40986a3db327a8bf20c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5843083.exe
      Filesize

      120KB

      MD5

      b7563c945c8cfaca2961fb48db3893aa

      SHA1

      256d60ba63b0990decdf62318e4db9f3c763027b

      SHA256

      3aef15cef84d62d6cdb0e2a6154ed75615261c490479344d7e4209683cc529f2

      SHA512

      f4b82b2415efbc5568b37c7fb40b8094de9423d3bd6dc4086febb5c4845b42e472b8881f517a2b3c9d4e50c72d1e540d2d0f0f330150700fd1711a58770c486a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5843083.exe
      Filesize

      120KB

      MD5

      b7563c945c8cfaca2961fb48db3893aa

      SHA1

      256d60ba63b0990decdf62318e4db9f3c763027b

      SHA256

      3aef15cef84d62d6cdb0e2a6154ed75615261c490479344d7e4209683cc529f2

      SHA512

      f4b82b2415efbc5568b37c7fb40b8094de9423d3bd6dc4086febb5c4845b42e472b8881f517a2b3c9d4e50c72d1e540d2d0f0f330150700fd1711a58770c486a

      Download Submit
    • memory/1292-167-0x0000000000570000-0x000000000057A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4152-175-0x0000000000BA0000-0x0000000000BD0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4152-182-0x0000000002C50000-0x0000000002C60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4152-176-0x000000000AFA0000-0x000000000B5B8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4152-177-0x000000000AB20000-0x000000000AC2A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4152-178-0x000000000AA60000-0x000000000AA72000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4152-179-0x000000000AAC0000-0x000000000AAFC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4152-180-0x0000000002C50000-0x0000000002C60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4152-189-0x000000000C9F0000-0x000000000CF1C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4152-183-0x0000000005290000-0x0000000005306000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4152-184-0x000000000A8D0000-0x000000000A962000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4152-185-0x000000000BB70000-0x000000000C114000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4152-186-0x0000000005310000-0x0000000005376000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4152-187-0x000000000AF40000-0x000000000AF90000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4152-188-0x000000000C2F0000-0x000000000C4B2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4380-161-0x0000000000AB0000-0x0000000000ABA000-memory.dmp
      Filesize

      40KB

      Download