Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 18:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3.exe

  • Size

    739KB

  • MD5

    ca9cc7d4b935c560cb7d48f85b3b32a2

  • SHA1

    407ceba8c3ddb5789a4c8f7127c16c8414acd919

  • SHA256

    e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3

  • SHA512

    c07cb6fb8a98bf7e0a42e186e40f7b61973d8327e4fcd49d88e806c5e9e9db0319e69c46084fdd22b89fbfa6ebbc560e3eae9e3a46c0542243332945bbb060d6

  • SSDEEP

    12288:wMrGy90+O4jEGHVW59ZJgblZ/gjghYDD3DHGGznGCfFT4awt:myxjEGsvZJUlZ/g0+D3JGMJmt

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3.exe
    "C:\Users\Admin\AppData\Local\Temp\e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2243333.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2243333.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7610011.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7610011.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2352
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9931431.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9931431.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1360
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4716462.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4716462.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2004
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4512777.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4512777.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3048
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2268
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 140
              6⤵
              • Program crash
              PID:1620
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4427841.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4427841.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5012
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3048 -ip 3048
    1⤵
      PID:4428

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2243333.exe
      Filesize

      532KB

      MD5

      8e1656b25e495b0bfcb6fb36e7ffd612

      SHA1

      3c807f453ef42c3d39fb0e44d57031eb916e7773

      SHA256

      b142dc8ed5426b37b2ae094e57b10f6b5d13f858ba754121374f766ee84c47d1

      SHA512

      a49e3f4c67d483bd8288d896666bc34052a26699c527b89666c722f8f9a6b1579fe3f99c483330bab27611b4233dd2a9e06a4b4d64786e294c81eac7595dfd3e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2243333.exe
      Filesize

      532KB

      MD5

      8e1656b25e495b0bfcb6fb36e7ffd612

      SHA1

      3c807f453ef42c3d39fb0e44d57031eb916e7773

      SHA256

      b142dc8ed5426b37b2ae094e57b10f6b5d13f858ba754121374f766ee84c47d1

      SHA512

      a49e3f4c67d483bd8288d896666bc34052a26699c527b89666c722f8f9a6b1579fe3f99c483330bab27611b4233dd2a9e06a4b4d64786e294c81eac7595dfd3e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7610011.exe
      Filesize

      359KB

      MD5

      269f11c8dc7dcbbc1f518f25afdc3227

      SHA1

      79a2f6a56c58935a15b3f670c9117b1c38e02002

      SHA256

      de9732c83aec1975933940e1842af403ac9b97e27d01d7a15c837bdf947a89bd

      SHA512

      37e155505f6c5e8a8c278b92a34dd2b287f7c8dabafccacff89ca8308686d9274c72c1dcc9634dc6e2583ca0cc212286e9dbe6f06d31bef0804188ad229c2a3e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7610011.exe
      Filesize

      359KB

      MD5

      269f11c8dc7dcbbc1f518f25afdc3227

      SHA1

      79a2f6a56c58935a15b3f670c9117b1c38e02002

      SHA256

      de9732c83aec1975933940e1842af403ac9b97e27d01d7a15c837bdf947a89bd

      SHA512

      37e155505f6c5e8a8c278b92a34dd2b287f7c8dabafccacff89ca8308686d9274c72c1dcc9634dc6e2583ca0cc212286e9dbe6f06d31bef0804188ad229c2a3e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4427841.exe
      Filesize

      172KB

      MD5

      9d2d82dccd511d2878954383752254ed

      SHA1

      8a54aec262e24e8c1b23c2dd7cb50e33987dcf4a

      SHA256

      9f448b158b6b9a76a27f2d7e7de8b6a22c11e41782d86c28fac68e0ee3aeef16

      SHA512

      045b9696a9ce716975e6b373d4869187d016c2c7796874f84690b72112ea3d80a64c37c102759feee8d532e176d592cde84348f2fdf18ee84ebe3988acf93765

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4427841.exe
      Filesize

      172KB

      MD5

      9d2d82dccd511d2878954383752254ed

      SHA1

      8a54aec262e24e8c1b23c2dd7cb50e33987dcf4a

      SHA256

      9f448b158b6b9a76a27f2d7e7de8b6a22c11e41782d86c28fac68e0ee3aeef16

      SHA512

      045b9696a9ce716975e6b373d4869187d016c2c7796874f84690b72112ea3d80a64c37c102759feee8d532e176d592cde84348f2fdf18ee84ebe3988acf93765

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9931431.exe
      Filesize

      204KB

      MD5

      75e4b0dbf70e7bf181929bc640eba59f

      SHA1

      e7ff34992ffe3dc3e35c16b7a6a892e194af9a4d

      SHA256

      1138b4859bca923f4afdaa982ea5f1418d7dee55665802b04fe7ff5a5f081bec

      SHA512

      75e9e9a2365e1e8fbc560612d6f79fcafeac44bfd3f5123f0d382e1b98ceb11d6bffa532b960a67a6af2c0d29cc3a279b16adcf60998bd3e6ba8effb35c9db28

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9931431.exe
      Filesize

      204KB

      MD5

      75e4b0dbf70e7bf181929bc640eba59f

      SHA1

      e7ff34992ffe3dc3e35c16b7a6a892e194af9a4d

      SHA256

      1138b4859bca923f4afdaa982ea5f1418d7dee55665802b04fe7ff5a5f081bec

      SHA512

      75e9e9a2365e1e8fbc560612d6f79fcafeac44bfd3f5123f0d382e1b98ceb11d6bffa532b960a67a6af2c0d29cc3a279b16adcf60998bd3e6ba8effb35c9db28

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4716462.exe
      Filesize

      14KB

      MD5

      d534cda0868656e306bc2be731dd5e0d

      SHA1

      d7c2263ddad7a2ac15c28ae030ca33e5e05c590e

      SHA256

      5d63aa55328cfa50c7ff9143145fb25d3de8d1723adfcf5c8b62f3d85f65c20f

      SHA512

      05fdcbce8acbf06bb9fcd89c883f2b3ebf3ce74ae9a51fc96257df6ace3f0a9912bba18ffad9717575c39a6bc91c7b2c1e76c7f5f39dc2025d8f4f879512c564

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4716462.exe
      Filesize

      14KB

      MD5

      d534cda0868656e306bc2be731dd5e0d

      SHA1

      d7c2263ddad7a2ac15c28ae030ca33e5e05c590e

      SHA256

      5d63aa55328cfa50c7ff9143145fb25d3de8d1723adfcf5c8b62f3d85f65c20f

      SHA512

      05fdcbce8acbf06bb9fcd89c883f2b3ebf3ce74ae9a51fc96257df6ace3f0a9912bba18ffad9717575c39a6bc91c7b2c1e76c7f5f39dc2025d8f4f879512c564

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4512777.exe
      Filesize

      120KB

      MD5

      0f8f0c33b4a43e03fbd11fb90715457f

      SHA1

      a3f7dc42f9ab63d5f7b822e563ac63a789067e47

      SHA256

      31ce623bc15a82ca5a8b470a6c482c1ccb8dc4a82c11e2775d2a26e040064e1e

      SHA512

      ea20f5142ca6511f6b4c737af767522e5402efb7d5427d9253aa1f109564eff9e309a158b56a66eee971f485d60713be6e2c19a477ddfe476e90d78281245d99

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4512777.exe
      Filesize

      120KB

      MD5

      0f8f0c33b4a43e03fbd11fb90715457f

      SHA1

      a3f7dc42f9ab63d5f7b822e563ac63a789067e47

      SHA256

      31ce623bc15a82ca5a8b470a6c482c1ccb8dc4a82c11e2775d2a26e040064e1e

      SHA512

      ea20f5142ca6511f6b4c737af767522e5402efb7d5427d9253aa1f109564eff9e309a158b56a66eee971f485d60713be6e2c19a477ddfe476e90d78281245d99

      Download Submit
    • memory/2004-161-0x0000000000290000-0x000000000029A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2268-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/5012-175-0x0000000000340000-0x0000000000370000-memory.dmp
      Filesize

      192KB

      Download
    • memory/5012-176-0x000000000A600000-0x000000000AC18000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/5012-177-0x000000000A180000-0x000000000A28A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/5012-178-0x000000000A0C0000-0x000000000A0D2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/5012-179-0x0000000000C20000-0x0000000000C30000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5012-180-0x000000000A120000-0x000000000A15C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/5012-181-0x000000000A430000-0x000000000A4A6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/5012-182-0x000000000A550000-0x000000000A5E2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/5012-183-0x000000000B1D0000-0x000000000B774000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/5012-184-0x000000000AC20000-0x000000000AC86000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5012-185-0x000000000B950000-0x000000000BB12000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/5012-186-0x000000000C050000-0x000000000C57C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/5012-188-0x0000000000C20000-0x0000000000C30000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5012-189-0x000000000B900000-0x000000000B950000-memory.dmp
      Filesize

      320KB

      Download