Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ec52981ea279df8f74de6852e781bfd87162704e9b85f32e181b3d739cd4a00.exe

  • Size

    723KB

  • MD5

    2ba1eaa9c928f5f6ab47a56668ba1708

  • SHA1

    afeaad60777b0b8c59a2fb2c5f7fbb400c1ab522

  • SHA256

    2ec52981ea279df8f74de6852e781bfd87162704e9b85f32e181b3d739cd4a00

  • SHA512

    358684c4fc2f5628c8e1b83afc768bc228ddcc80c214f9773c2a2b5a51f3ff9e278aee4d62a957b9e8cf3e96c31accf87bd763df24050095ecedff7bf1332fe4

  • SSDEEP

    12288:9Mrvy904BLkdPw6++hQCAdZmZ3NQkm03IAvWnv35/ski7SXnSIstTjyXV97U6s:KyPBINXhQ5Zq3Gk14JR/sUXnSIst6/7s

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ec52981ea279df8f74de6852e781bfd87162704e9b85f32e181b3d739cd4a00.exe
    "C:\Users\Admin\AppData\Local\Temp\2ec52981ea279df8f74de6852e781bfd87162704e9b85f32e181b3d739cd4a00.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6950759.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6950759.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9171114.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9171114.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:632
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0682209.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0682209.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7599656.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7599656.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8222994.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8222994.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1568
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4264
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 152
              6⤵
              • Program crash
              PID:3876
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1517470.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1517470.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4408
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1568 -ip 1568
    1⤵
      PID:2392

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6950759.exe
      Filesize

      523KB

      MD5

      c0e98184a8d3e1062d3e73d4ba815b10

      SHA1

      832a536aa3244d2b24ae5b33f48b47fff81a2773

      SHA256

      a84a3cb00a7993f5c27024041a803651a0fa328ae7466d281cb44a667187c32b

      SHA512

      3c1a7048ff12915f9ca49e5f7d49c4ba6e99392b69533a382c416657496068372ad27238def2a3501064f460534ea50b0dc8704687b227680646c63551a45dd4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6950759.exe
      Filesize

      523KB

      MD5

      c0e98184a8d3e1062d3e73d4ba815b10

      SHA1

      832a536aa3244d2b24ae5b33f48b47fff81a2773

      SHA256

      a84a3cb00a7993f5c27024041a803651a0fa328ae7466d281cb44a667187c32b

      SHA512

      3c1a7048ff12915f9ca49e5f7d49c4ba6e99392b69533a382c416657496068372ad27238def2a3501064f460534ea50b0dc8704687b227680646c63551a45dd4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9171114.exe
      Filesize

      351KB

      MD5

      bc197adb664b2ebd6854c6b4e2bbd626

      SHA1

      a9e9dd362ee5701b99b29b554193aaf4cc4667db

      SHA256

      6014d5c4cb95a71cf485e2c9ec29a5c87e717b22ff4190e2a68a66da0589e002

      SHA512

      841be71e8e70c8fb38c4a026e8ec947a16c0cf5f647babbad3a072bb411e9b1b5ee7b9ac816ad7008945c18e5db15709e26c51fd78ce7b3f13bd3f31d3fa985c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9171114.exe
      Filesize

      351KB

      MD5

      bc197adb664b2ebd6854c6b4e2bbd626

      SHA1

      a9e9dd362ee5701b99b29b554193aaf4cc4667db

      SHA256

      6014d5c4cb95a71cf485e2c9ec29a5c87e717b22ff4190e2a68a66da0589e002

      SHA512

      841be71e8e70c8fb38c4a026e8ec947a16c0cf5f647babbad3a072bb411e9b1b5ee7b9ac816ad7008945c18e5db15709e26c51fd78ce7b3f13bd3f31d3fa985c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1517470.exe
      Filesize

      172KB

      MD5

      eea26240d0a13f46d66314f73b6b0abc

      SHA1

      7d3081ecb4e5e7da8176042a774d32e628965da7

      SHA256

      2ef531066e1c626a02ab9f559c658ecb13195e4f625d37ea19a13c3ab503e593

      SHA512

      b7633e136f07cd3e6c768ec7f01edc876078818f5e46fc7e7ca09f0c7a39f0e142abe2a85e68c9f5ac7d177cc195065a20ffc16d5c0c8694dbef5232bea7892d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1517470.exe
      Filesize

      172KB

      MD5

      eea26240d0a13f46d66314f73b6b0abc

      SHA1

      7d3081ecb4e5e7da8176042a774d32e628965da7

      SHA256

      2ef531066e1c626a02ab9f559c658ecb13195e4f625d37ea19a13c3ab503e593

      SHA512

      b7633e136f07cd3e6c768ec7f01edc876078818f5e46fc7e7ca09f0c7a39f0e142abe2a85e68c9f5ac7d177cc195065a20ffc16d5c0c8694dbef5232bea7892d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0682209.exe
      Filesize

      196KB

      MD5

      30771aa8fa6279f30e63689691c62662

      SHA1

      974a8df756d2067c3e60957d9c6fa7d19229846d

      SHA256

      b4d39cda25d2d5311801e59fea9f672eeef7b648ad106851120ade377604fdf9

      SHA512

      935f305f23314bbb44a1077d17734e707ad284eb1c31a9f297f0a8f88eb9d37ba3ec0d51072726f829bcf6fb62a6ed546eb1680b1813e802f653441ea42ba13c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0682209.exe
      Filesize

      196KB

      MD5

      30771aa8fa6279f30e63689691c62662

      SHA1

      974a8df756d2067c3e60957d9c6fa7d19229846d

      SHA256

      b4d39cda25d2d5311801e59fea9f672eeef7b648ad106851120ade377604fdf9

      SHA512

      935f305f23314bbb44a1077d17734e707ad284eb1c31a9f297f0a8f88eb9d37ba3ec0d51072726f829bcf6fb62a6ed546eb1680b1813e802f653441ea42ba13c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7599656.exe
      Filesize

      14KB

      MD5

      c1ec937db99e7a2a944e30243c834de3

      SHA1

      ac5012c8d21c5dd2a9f5da1e119ccbe9cba2720e

      SHA256

      f650df17af7301e103f64a2ab7503fa014065e1ba01ff43adf849428a3ab02f1

      SHA512

      b1923072e808ffdef0195e835fa80865f2f510ce9ea3f8ef1a39fe1a3c868307fec35592abb444c7fda990d0c9961fa9a60154373db0a6a571999ab73061a278

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7599656.exe
      Filesize

      14KB

      MD5

      c1ec937db99e7a2a944e30243c834de3

      SHA1

      ac5012c8d21c5dd2a9f5da1e119ccbe9cba2720e

      SHA256

      f650df17af7301e103f64a2ab7503fa014065e1ba01ff43adf849428a3ab02f1

      SHA512

      b1923072e808ffdef0195e835fa80865f2f510ce9ea3f8ef1a39fe1a3c868307fec35592abb444c7fda990d0c9961fa9a60154373db0a6a571999ab73061a278

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8222994.exe
      Filesize

      100KB

      MD5

      25ff6c3591dd552896002b4530d4eaa2

      SHA1

      9e9141db277d5a3780a7c73908d3a1e81aa1cf02

      SHA256

      b406f8999a055e8154583f71dabafd09b3811e5f50ba93427aa1c59c63d26826

      SHA512

      8c1125638ebbb4155261af1e368886ea4cbb4a65d6c291fefc5f84fff3c670e9c6684583c426b9d15b0dbc9403667800ec8c328dde574e31412433aca251bc75

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8222994.exe
      Filesize

      100KB

      MD5

      25ff6c3591dd552896002b4530d4eaa2

      SHA1

      9e9141db277d5a3780a7c73908d3a1e81aa1cf02

      SHA256

      b406f8999a055e8154583f71dabafd09b3811e5f50ba93427aa1c59c63d26826

      SHA512

      8c1125638ebbb4155261af1e368886ea4cbb4a65d6c291fefc5f84fff3c670e9c6684583c426b9d15b0dbc9403667800ec8c328dde574e31412433aca251bc75

      Download Submit
    • memory/2472-161-0x0000000000870000-0x000000000087A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4264-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4408-175-0x0000000000A20000-0x0000000000A50000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4408-176-0x000000000AE90000-0x000000000B4A8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4408-177-0x000000000A9A0000-0x000000000AAAA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4408-178-0x000000000A8E0000-0x000000000A8F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4408-179-0x000000000A940000-0x000000000A97C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4408-180-0x00000000053E0000-0x00000000053F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4408-181-0x000000000AC50000-0x000000000ACC6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4408-182-0x000000000AD70000-0x000000000AE02000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4408-183-0x000000000BA60000-0x000000000C004000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4408-184-0x000000000AE10000-0x000000000AE76000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4408-186-0x000000000B970000-0x000000000B9C0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4408-187-0x00000000053E0000-0x00000000053F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4408-188-0x000000000C2E0000-0x000000000C4A2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4408-189-0x000000000C9E0000-0x000000000CF0C000-memory.dmp
      Filesize

      5.2MB

      Download