Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 20:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe

  • Size

    724KB

  • MD5

    9d3b877dc78b1e4a6a9607cb26feebb3

  • SHA1

    4c1662a5d1af7793fc383eb4880b7e7a7a1cd690

  • SHA256

    8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7

  • SHA512

    65258a4fc7b7a75688241b5b2ac7a369225ab052d8c53a65abb1ce9411f6e6a4cdd1f32ddeadc85ca47228596439b85611a7abfcfc109690a3e82380fba9cd3e

  • SSDEEP

    12288:xMr+y90Vq6HgwwUDO7KAAj+OAEobhACbn4Ze9JCsimEznsf:DyWqugw/RAAfkyGnAsREznE

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe
    "C:\Users\Admin\AppData\Local\Temp\8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5851755.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5851755.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2766674.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2766674.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4648
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6742234.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6742234.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1632
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5573660.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5573660.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3244
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5555248.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5555248.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1600
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3484
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 140
              6⤵
              • Program crash
              PID:4352
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2333900.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2333900.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1320
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1600 -ip 1600
    1⤵
      PID:4384

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5851755.exe
      Filesize

      523KB

      MD5

      1e170d3bc2a0a02972a25eeab5248d14

      SHA1

      db8481b20acf0e87350456ef6ca97fcc1bab6d65

      SHA256

      005fb98de26f32a9f288ba6d8fe60c72022b395855556babd79b12a9f0f3256e

      SHA512

      718da67c56321912ea96d59172f2a9bb9e4b439ba8b7692dd354f06beaa4ebb6291f0eb8e65b7ba72c26dd9e3dd3a524ee0c25469ba5141b48ff2941d7860c32

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5851755.exe
      Filesize

      523KB

      MD5

      1e170d3bc2a0a02972a25eeab5248d14

      SHA1

      db8481b20acf0e87350456ef6ca97fcc1bab6d65

      SHA256

      005fb98de26f32a9f288ba6d8fe60c72022b395855556babd79b12a9f0f3256e

      SHA512

      718da67c56321912ea96d59172f2a9bb9e4b439ba8b7692dd354f06beaa4ebb6291f0eb8e65b7ba72c26dd9e3dd3a524ee0c25469ba5141b48ff2941d7860c32

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2766674.exe
      Filesize

      351KB

      MD5

      aceb134aab78e5979fc85c3e188019a3

      SHA1

      b8f54c2f3adde1faf7575f869be688f46bce4f17

      SHA256

      1d790ee043d64b632f5c1a46163f6a533a57685bddc0a25ca5720c1c543dbd44

      SHA512

      5dec8920a87034e5d996077d3fb5e79d1d69e8ebff89c56d33892c8cb5b36a34a591164f67f667340ba7964f9cc87cf69230d4aabd96ea84ab8b92b34fbf29e7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2766674.exe
      Filesize

      351KB

      MD5

      aceb134aab78e5979fc85c3e188019a3

      SHA1

      b8f54c2f3adde1faf7575f869be688f46bce4f17

      SHA256

      1d790ee043d64b632f5c1a46163f6a533a57685bddc0a25ca5720c1c543dbd44

      SHA512

      5dec8920a87034e5d996077d3fb5e79d1d69e8ebff89c56d33892c8cb5b36a34a591164f67f667340ba7964f9cc87cf69230d4aabd96ea84ab8b92b34fbf29e7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2333900.exe
      Filesize

      172KB

      MD5

      2347cfd8f815fa52d48acd8394468e73

      SHA1

      5fe05b16536ab71ce7d8720a64c49324f5e068dd

      SHA256

      8905355047b919a09fbf9b1e21d9c2c72cfdcfa44887b006cd7ad64acb05eff4

      SHA512

      2dce8952f8fd50e321c58859d7ae9365bd924112b618ad11f975e9f8cc1e38d95e9314731af6b158eee1726ef40d6dc7326647d0514501ea2014efdee31e6424

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2333900.exe
      Filesize

      172KB

      MD5

      2347cfd8f815fa52d48acd8394468e73

      SHA1

      5fe05b16536ab71ce7d8720a64c49324f5e068dd

      SHA256

      8905355047b919a09fbf9b1e21d9c2c72cfdcfa44887b006cd7ad64acb05eff4

      SHA512

      2dce8952f8fd50e321c58859d7ae9365bd924112b618ad11f975e9f8cc1e38d95e9314731af6b158eee1726ef40d6dc7326647d0514501ea2014efdee31e6424

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6742234.exe
      Filesize

      196KB

      MD5

      f2da1d8a39219638e11e1c4bcb410bd0

      SHA1

      7f5accb287483f79a648e556e4b93d8b8482069b

      SHA256

      2ab0eae199040fc243632b55e58b62baed27510f22311833cdca3a14929873fc

      SHA512

      69cf0bb04d361c5e576fcf989efa3d49fafd6e266b32ea247045167e19aee811d939f226d9bcec56edb098b1775b37319f762df9b329fe810374fb9a1e909f62

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6742234.exe
      Filesize

      196KB

      MD5

      f2da1d8a39219638e11e1c4bcb410bd0

      SHA1

      7f5accb287483f79a648e556e4b93d8b8482069b

      SHA256

      2ab0eae199040fc243632b55e58b62baed27510f22311833cdca3a14929873fc

      SHA512

      69cf0bb04d361c5e576fcf989efa3d49fafd6e266b32ea247045167e19aee811d939f226d9bcec56edb098b1775b37319f762df9b329fe810374fb9a1e909f62

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5573660.exe
      Filesize

      14KB

      MD5

      3bccd804c1bd6f719ca5e8a46222d054

      SHA1

      dcc669aa8a072aef141ee3330557adae5c77df62

      SHA256

      3d7077875bcaf79becf7780c2372da7e788c858b0788758047a1db6927ba465d

      SHA512

      d7d9b28e976985226654a781eb83c9bcc97f66d8a61700e6e8e07aee00fbf66c405ecc19eb6ced396410c77b0936eb3a10d5ce762205503088f97f2e4c4e301c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5573660.exe
      Filesize

      14KB

      MD5

      3bccd804c1bd6f719ca5e8a46222d054

      SHA1

      dcc669aa8a072aef141ee3330557adae5c77df62

      SHA256

      3d7077875bcaf79becf7780c2372da7e788c858b0788758047a1db6927ba465d

      SHA512

      d7d9b28e976985226654a781eb83c9bcc97f66d8a61700e6e8e07aee00fbf66c405ecc19eb6ced396410c77b0936eb3a10d5ce762205503088f97f2e4c4e301c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5555248.exe
      Filesize

      101KB

      MD5

      cbc1553499df7e1e9042668c327b0a3b

      SHA1

      8272cf599cc1b309540bf75446dc6d8287a15686

      SHA256

      9dc44e720b95ecb86e2d65140bf71955a6681dba0bbfc5d83bbceaeed810ca67

      SHA512

      43efc5becd8b7cf5fe88152d5fd4807f1c481dbf4aa83fcdeda814888586ec78e997e2af47ab39c550c251964ed0087cec8373189ff038c1e682c5df493c72b6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5555248.exe
      Filesize

      101KB

      MD5

      cbc1553499df7e1e9042668c327b0a3b

      SHA1

      8272cf599cc1b309540bf75446dc6d8287a15686

      SHA256

      9dc44e720b95ecb86e2d65140bf71955a6681dba0bbfc5d83bbceaeed810ca67

      SHA512

      43efc5becd8b7cf5fe88152d5fd4807f1c481dbf4aa83fcdeda814888586ec78e997e2af47ab39c550c251964ed0087cec8373189ff038c1e682c5df493c72b6

      Download Submit
    • memory/1320-175-0x00000000007B0000-0x00000000007E0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1320-180-0x0000000005060000-0x0000000005070000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1320-189-0x0000000008A20000-0x0000000008F4C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1320-176-0x0000000005790000-0x0000000005DA8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1320-177-0x0000000005280000-0x000000000538A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1320-178-0x0000000005000000-0x0000000005012000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1320-179-0x0000000005170000-0x00000000051AC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1320-188-0x0000000006650000-0x0000000006812000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1320-181-0x0000000005480000-0x00000000054F6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1320-182-0x00000000055A0000-0x0000000005632000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1320-183-0x0000000005500000-0x0000000005566000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1320-184-0x0000000006850000-0x0000000006DF4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1320-186-0x0000000006430000-0x0000000006480000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1320-187-0x0000000005060000-0x0000000005070000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3244-161-0x0000000000D60000-0x0000000000D6A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3484-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download