Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6be535e0d34b7d84565618e9bb7e17b078d3be45cca077b89f7a739ddb7e7140.exe

  • Size

    713KB

  • MD5

    ae0585ec454433acc27e248239bc32fc

  • SHA1

    ca936f70d810ea9a5e42402aa929ec6ead9044ea

  • SHA256

    6be535e0d34b7d84565618e9bb7e17b078d3be45cca077b89f7a739ddb7e7140

  • SHA512

    2dec6739e3614aac97db36b15f1fca606012c94c6c8871fba6a8905f32947edffd7514e21b4abcc356407129107693f62c9d515286f71cce1b3ca1a0ba17fcda

  • SSDEEP

    12288:BMrZy90oWa2mFqpKNIMeeQIV7GpoY0SHxmmXz/MBzhBadkXYk/:wyC9mF8KNI9eQIpGZdHxzyauXYk/

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6be535e0d34b7d84565618e9bb7e17b078d3be45cca077b89f7a739ddb7e7140.exe
    "C:\Users\Admin\AppData\Local\Temp\6be535e0d34b7d84565618e9bb7e17b078d3be45cca077b89f7a739ddb7e7140.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9118504.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9118504.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5510010.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5510010.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5084
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7007699.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7007699.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2036
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1695565.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1695565.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2736
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6874471.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6874471.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1452
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3708
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 560
              6⤵
              • Program crash
              PID:8
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0252491.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0252491.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1452 -ip 1452
    1⤵
      PID:4484

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9118504.exe
      Filesize

      523KB

      MD5

      f481d65ec85f123d6e78728a73e8ec35

      SHA1

      4996ea2a8f4a45b7fbd70604149779d01eb82ca4

      SHA256

      1752b5b17e6ce9a202d4476646f0dd1a76bc1ad717c63a9ef1fb6a3954c99309

      SHA512

      48a256c879c3a788aa42142679c072c85c21a15d83c9133820dea2bfaa73a82054c9c50603372b1b98ea11c6c4c1bd8c9de7dc517698ee0dfe48f1e756544a71

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9118504.exe
      Filesize

      523KB

      MD5

      f481d65ec85f123d6e78728a73e8ec35

      SHA1

      4996ea2a8f4a45b7fbd70604149779d01eb82ca4

      SHA256

      1752b5b17e6ce9a202d4476646f0dd1a76bc1ad717c63a9ef1fb6a3954c99309

      SHA512

      48a256c879c3a788aa42142679c072c85c21a15d83c9133820dea2bfaa73a82054c9c50603372b1b98ea11c6c4c1bd8c9de7dc517698ee0dfe48f1e756544a71

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5510010.exe
      Filesize

      351KB

      MD5

      dceffba932dc20466349f2b3c7284982

      SHA1

      40dde08042a426cec4f8a6b9084cb2186bec8e9a

      SHA256

      205a124a536fc6e16e41ec9e7017c742ef07a5abdafa35bc002b3c835ab4848a

      SHA512

      551b0d249d399f1c2b100a9ab4159e3f0b38ff4d8381915b34b8ab9722943a018cba3c51a0201257ce5b3a884f1bf9450574b4b89a1c58d65f81c794d78ca1ba

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5510010.exe
      Filesize

      351KB

      MD5

      dceffba932dc20466349f2b3c7284982

      SHA1

      40dde08042a426cec4f8a6b9084cb2186bec8e9a

      SHA256

      205a124a536fc6e16e41ec9e7017c742ef07a5abdafa35bc002b3c835ab4848a

      SHA512

      551b0d249d399f1c2b100a9ab4159e3f0b38ff4d8381915b34b8ab9722943a018cba3c51a0201257ce5b3a884f1bf9450574b4b89a1c58d65f81c794d78ca1ba

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0252491.exe
      Filesize

      172KB

      MD5

      57a97011dbdc4e6c177168ff3fc19e35

      SHA1

      b1fcebeb04da67681235ea0fb617c5d037246986

      SHA256

      59c3623faa52742568d2c405853692a845be93b4813826f4e534ea8ee0414385

      SHA512

      157a3dcd78459700eefb32a21cfce49be3ba3a792a29e904b03ec46b5e776b094ceec647285469c5904f7d21214ad54a3c379a28fd6bd0913d32c6891c29726a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0252491.exe
      Filesize

      172KB

      MD5

      57a97011dbdc4e6c177168ff3fc19e35

      SHA1

      b1fcebeb04da67681235ea0fb617c5d037246986

      SHA256

      59c3623faa52742568d2c405853692a845be93b4813826f4e534ea8ee0414385

      SHA512

      157a3dcd78459700eefb32a21cfce49be3ba3a792a29e904b03ec46b5e776b094ceec647285469c5904f7d21214ad54a3c379a28fd6bd0913d32c6891c29726a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7007699.exe
      Filesize

      196KB

      MD5

      32b57255582b5e470f363d9d5d781fb8

      SHA1

      594efd829f643921e61e2db2ac9f8b1a96a1a9e3

      SHA256

      84a057fa412e192a4d06bebe14aa2e025abc600c7fdd0000ccb3085a76876f05

      SHA512

      71ad8c6ec602f1d09a12cdb0a14a8a2fd1033b3bfc5d5c31cb6ae6e6120b24422c3915d58c79e9c06d54e3ec1e67678af02068c14192c2b3a8ebc173f36166f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7007699.exe
      Filesize

      196KB

      MD5

      32b57255582b5e470f363d9d5d781fb8

      SHA1

      594efd829f643921e61e2db2ac9f8b1a96a1a9e3

      SHA256

      84a057fa412e192a4d06bebe14aa2e025abc600c7fdd0000ccb3085a76876f05

      SHA512

      71ad8c6ec602f1d09a12cdb0a14a8a2fd1033b3bfc5d5c31cb6ae6e6120b24422c3915d58c79e9c06d54e3ec1e67678af02068c14192c2b3a8ebc173f36166f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1695565.exe
      Filesize

      14KB

      MD5

      cf7561a184f8c2d7836583090692c767

      SHA1

      c918aaf80b21caa53c196374f80dcd5375265d8a

      SHA256

      436e5fd8bb3f6412d54f83111e1324c325e7fce42a7645a4f6f8bc794598b559

      SHA512

      0ba61c7462c48a293932902fb37286612dffefe5f59c9b915bdaaaad5ad65f6e2c18b21e03aa9b832a46059553c911e4831ea2461cd5fd020f1f319be544eba9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1695565.exe
      Filesize

      14KB

      MD5

      cf7561a184f8c2d7836583090692c767

      SHA1

      c918aaf80b21caa53c196374f80dcd5375265d8a

      SHA256

      436e5fd8bb3f6412d54f83111e1324c325e7fce42a7645a4f6f8bc794598b559

      SHA512

      0ba61c7462c48a293932902fb37286612dffefe5f59c9b915bdaaaad5ad65f6e2c18b21e03aa9b832a46059553c911e4831ea2461cd5fd020f1f319be544eba9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6874471.exe
      Filesize

      100KB

      MD5

      d37d54622528f61b663b6edb2ab4ba5b

      SHA1

      a62f0a5102dd998a91f968633278b47e3bcca922

      SHA256

      6741d8fc8d6c26278f1d10c9d35debff32ca1a10f72e24c8e62f33a0e33445d4

      SHA512

      b28096fab8f1ced73d76203588fa00944d41890e2774b39c04a8df861e48995cfe8798d208a0f3a2fabffe5efd4e1c3b6568adef5df9572214b3534cc4f9ab89

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6874471.exe
      Filesize

      100KB

      MD5

      d37d54622528f61b663b6edb2ab4ba5b

      SHA1

      a62f0a5102dd998a91f968633278b47e3bcca922

      SHA256

      6741d8fc8d6c26278f1d10c9d35debff32ca1a10f72e24c8e62f33a0e33445d4

      SHA512

      b28096fab8f1ced73d76203588fa00944d41890e2774b39c04a8df861e48995cfe8798d208a0f3a2fabffe5efd4e1c3b6568adef5df9572214b3534cc4f9ab89

      Download Submit

    • memory/1996-175-0x00000000002A0000-0x00000000002D0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1996-180-0x000000000A1C0000-0x000000000A1FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1996-189-0x000000000C370000-0x000000000C89C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1996-176-0x000000000A6F0000-0x000000000AD08000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1996-177-0x000000000A220000-0x000000000A32A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1996-178-0x0000000004B00000-0x0000000004B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1996-179-0x000000000A160000-0x000000000A172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1996-188-0x000000000BC70000-0x000000000BE32000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1996-181-0x000000000A4D0000-0x000000000A546000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1996-182-0x000000000A5F0000-0x000000000A682000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1996-183-0x000000000A550000-0x000000000A5B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1996-184-0x000000000B6C0000-0x000000000BC64000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1996-186-0x0000000004B00000-0x0000000004B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1996-187-0x000000000B300000-0x000000000B350000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2736-161-0x0000000000B60000-0x0000000000B6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3708-167-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download