Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-06-2023 19:24

General

  • Target

    0ab7561eafa0af660baf75555c2aa08772c6adce6a1928462cdd899ee2af6b65.exe

  • Size

    738KB

  • MD5

    ac62895c8a4bfe8892e375e840eb081c

  • SHA1

    4f86697a10b09fa9497c5a3a0b2efd4457d3474f

  • SHA256

    0ab7561eafa0af660baf75555c2aa08772c6adce6a1928462cdd899ee2af6b65

  • SHA512

    3825c4177feb9ff364adef3c114695c0d8c100f38b3fff542b61bbf2d8390fdca224b00a488efaa30ccfc590ccfe875c0e0d24cf289652e3c6d08dff7eae51c2

  • SSDEEP

    12288:3Mr8y90mOCdboazVOOtXogg0zRN7i2fxF8tQpABGDQJPbH9zxJ6j6yHFTVBxIHk:TyhlbozOtX3RN7L0WCPxzxk6yHF5+k

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ab7561eafa0af660baf75555c2aa08772c6adce6a1928462cdd899ee2af6b65.exe
    "C:\Users\Admin\AppData\Local\Temp\0ab7561eafa0af660baf75555c2aa08772c6adce6a1928462cdd899ee2af6b65.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8050797.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8050797.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3094102.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3094102.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5504874.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5504874.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2180
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4908898.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4908898.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0090665.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0090665.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2424
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1092
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 140
              6⤵
              • Program crash
              PID:496
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5405670.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5405670.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5024
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2424 -ip 2424
    1⤵
      PID:5088

    MITRE ATT&CK Matrix ATT&CK v6

    • Persistence
      Modify Existing Service: T1031 (1)
      Registry Run Keys / Startup Folder: T1060 (1)
    • Defense Evasion
      Modify Registry: T1112 (3)
      Disabling Security Tools: T1089 (2)
    • Credential Access
      Credentials in Files: T1081 (1)
    • Discovery
      Query Registry: T1012 (1)
    • Collection
      Data from Local System: T1005 (1)

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8050797.exe
      Filesize

      531KB

      MD5

      b83d957987a22873887e9f6049fcdbec

      SHA1

      046e14f21f1add81c7337ed555af82ef9bc1cab8

      SHA256

      52938d35779db4aa36dd845814c0c63091cdc97b7baadc392ca957f73aa03996

      SHA512

      7fb70dc40767b256b50e482902b4afe67308d0dc427c3649dcaaae7816d2663d278baeaace045ccbf0df38280fcfdbe60c171b6d057cff08328ed3d02f75d5f9

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3094102.exe
      Filesize

      359KB

      MD5

      7f7ccbe607981680e047b61bb1ef6bbc

      SHA1

      f3e4d85f9e2f5d18c5dda79162587096421237fa

      SHA256

      f21e68d5c2e2e3e649b1a8f208e476e6ab23e1c7a7a22d07160cc69269cd58a5

      SHA512

      b0c9fb1664eb33edb3652719c8cbe40770f6eefb3d330bd36b0159d68a766b0a152c5d5b64dd24460559a994197729bff80bb6c18237d045b8b72a0b91fac4ed

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5405670.exe
      Filesize

      172KB

      MD5

      29f279d1d14787e6c3f148be1f7c0dd4

      SHA1

      ef064321bb279bb7c3f6c8fa565e673a92689dd3

      SHA256

      7085c3835393eff27bae9b076d465bf77587c3aa680bf55f60950b9e5b9df4b4

      SHA512

      0e34192c45a5a9a4e8bed63fd8da0c5a0651d74da30852ed31c83c8352b87ef7cf7ff639239cf6191f279b02b5ba5f288967878812e36b481f786593dced1d0c

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5504874.exe
      Filesize

      204KB

      MD5

      67069734274aad04d4c8f48367b17c42

      SHA1

      3b00efdeaf63f18f79957425d98cd0de8032fee1

      SHA256

      b32a3db1204c6901d0864781248298f324b9f053bd3119bfa1d4feee71d7e8c7

      SHA512

      904b5d6d885896e3746722c1d6d62579f1cf36511cf21758145e002da175dd39659dc2dd93bbb801981a91aa33dfce321bf5517ef1f7453dd4cdb06da07d3776

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4908898.exe
      Filesize

      14KB

      MD5

      ecead8b97a811978d45c668979e6009d

      SHA1

      95d9b16ce53d3e064de65d10680950742d4b69d7

      SHA256

      2b13e1e423bb2ed815e21bfa96fdba6bbaec1c455a4e6ebebdc733db5cb26fd4

      SHA512

      08b2ffaabedcc8b79b7f69011f39b60e3a4c0b6421715a4d20ba4fadac23426d504aa10a1ade9c102c0e75ec87b8f751763951ac70f7c7b1d1b247a62dc0fc46

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0090665.exe
      Filesize

      120KB

      MD5

      aa098b0c8d4b06764d56902a66e83452

      SHA1

      ff28417f1d3bd11a6de31c83363ed9d83c8c8293

      SHA256

      30dae2ebf8a254b553ea96b8ad63a198f7a3bfd3325f22c5f25c5c4a24a0c11b

      SHA512

      192038242e3447bd14c4cf5dbf0009b43ecdcb849d50cd689b3fa7f5c2d8e6d58d08d31128747c12e5c63153c3762d81bb616157815b6c5b4084f0c609c676f9

    • memory/1092-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

    • memory/1644-161-0x00000000008F0000-0x00000000008FA000-memory.dmp
      Filesize

      40KB

    • memory/5024-175-0x0000000000980000-0x00000000009B0000-memory.dmp
      Filesize

      192KB

    • memory/5024-176-0x000000000ACE0000-0x000000000B2F8000-memory.dmp
      Filesize

      6.1MB

    • memory/5024-177-0x000000000A7D0000-0x000000000A8DA000-memory.dmp
      Filesize

      1.0MB

    • memory/5024-178-0x000000000A700000-0x000000000A712000-memory.dmp
      Filesize

      72KB

    • memory/5024-179-0x000000000A760000-0x000000000A79C000-memory.dmp
      Filesize

      240KB

    • memory/5024-180-0x0000000005330000-0x0000000005340000-memory.dmp
      Filesize

      64KB

    • memory/5024-181-0x000000000AA70000-0x000000000AAE6000-memory.dmp
      Filesize

      472KB

    • memory/5024-182-0x000000000AB90000-0x000000000AC22000-memory.dmp
      Filesize

      584KB

    • memory/5024-183-0x000000000B9B0000-0x000000000BF54000-memory.dmp
      Filesize

      5.6MB

    • memory/5024-184-0x000000000AC30000-0x000000000AC96000-memory.dmp
      Filesize

      408KB

    • memory/5024-186-0x000000000B890000-0x000000000B8E0000-memory.dmp
      Filesize

      320KB

    • memory/5024-187-0x000000000C130000-0x000000000C2F2000-memory.dmp
      Filesize

      1.8MB

    • memory/5024-188-0x000000000C830000-0x000000000CD5C000-memory.dmp
      Filesize

      5.2MB

    • memory/5024-189-0x0000000005330000-0x0000000005340000-memory.dmp
      Filesize

      64KB