Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/06/2023, 03:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bdd10924ef4656d290b7285797ca3931aee97a88e510bdb7d163a1bf1aa83957.exe

  • Size

    722KB

  • MD5

    799c10b2f2d20f3b4d6333a77784a6ce

  • SHA1

    b36c77a1779251a5fe7b8ee229a9960bc0cc0463

  • SHA256

    bdd10924ef4656d290b7285797ca3931aee97a88e510bdb7d163a1bf1aa83957

  • SHA512

    b9bd765cf17c9310e7165ca2df8e2423c0b048c46c2bd251a050a5e79d41bc5e06d1dd2629ae663ae35297bdb2052ac758f2d27e8718d1c8ddd185af702b2829

  • SSDEEP

    12288:dMrgy90HdavB8HjuWiZjwp/yfI0AiNu3gggKaQ5Tj/MXDGb/sM+rE9unKL5RGa:dyMWB3BZjM/y7Nu3oKf0zGb/sHrE9uns

Score
10/10
redlinedasaevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dasa

C2

83.97.73.126:19048

Attributes
  • auth_value

    7eca6ed540c2dcd359aed5b67c4eda07

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdd10924ef4656d290b7285797ca3931aee97a88e510bdb7d163a1bf1aa83957.exe
    "C:\Users\Admin\AppData\Local\Temp\bdd10924ef4656d290b7285797ca3931aee97a88e510bdb7d163a1bf1aa83957.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5223545.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5223545.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0400714.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0400714.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4480
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5565553.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5565553.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3544
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3792309.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3792309.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1208
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:652
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 568
              6⤵
              • Program crash
              PID:3456
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5521681.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5521681.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1412
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1989429.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1989429.exe
          4⤵
          • Executes dropped EXE
          PID:1900
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1208 -ip 1208
    1⤵
      PID:1108

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5223545.exe
            Filesize

            523KB

            MD5

            7f1d7d0ddc0c63e7a48dc0b52bf102f6

            SHA1

            9e23ecaf36d14fcdaa03d6b02d6e68bc442dc866

            SHA256

            8fd5de7520374056030ba53314cf830096b7f6c3863b376fff76b6df5459a69d

            SHA512

            d0f7559fdf701eacc40e6dcb649cd0a9ac27f718de21b9f285cfe3aed3a69378abc3061c8f183d0025ffde68559d74320a6b75c52473ab85ac1d18eba8d71398

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5223545.exe
            Filesize

            523KB

            MD5

            7f1d7d0ddc0c63e7a48dc0b52bf102f6

            SHA1

            9e23ecaf36d14fcdaa03d6b02d6e68bc442dc866

            SHA256

            8fd5de7520374056030ba53314cf830096b7f6c3863b376fff76b6df5459a69d

            SHA512

            d0f7559fdf701eacc40e6dcb649cd0a9ac27f718de21b9f285cfe3aed3a69378abc3061c8f183d0025ffde68559d74320a6b75c52473ab85ac1d18eba8d71398

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0400714.exe
            Filesize

            351KB

            MD5

            86167669156a0b1c1ef8f4463ba0b36b

            SHA1

            7e398eb28d64a4e392ecb14e8a3dbd8a2b71f65a

            SHA256

            daad04ea233d784f7930542bab6ccd9c6d11fc89263f14d1cc64e70280e16ee0

            SHA512

            7f0b922c077f67f5e2455ff032acc2340c2abd5ef4ebcd53b6ac12c5e6edaaf0e51ab64d850a1f506f06b966c81caf5365abc2d333e726d7e91c40e29702731a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0400714.exe
            Filesize

            351KB

            MD5

            86167669156a0b1c1ef8f4463ba0b36b

            SHA1

            7e398eb28d64a4e392ecb14e8a3dbd8a2b71f65a

            SHA256

            daad04ea233d784f7930542bab6ccd9c6d11fc89263f14d1cc64e70280e16ee0

            SHA512

            7f0b922c077f67f5e2455ff032acc2340c2abd5ef4ebcd53b6ac12c5e6edaaf0e51ab64d850a1f506f06b966c81caf5365abc2d333e726d7e91c40e29702731a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1989429.exe
            Filesize

            172KB

            MD5

            1f628ecffb69a8313ffd232768f77b76

            SHA1

            ba43d32192b7d118b4e7440bb1629e1c024045ca

            SHA256

            cbafb6c6afbbca84ae66e445db6b2d62d5138dbb277903455c94d15fe4b9df69

            SHA512

            11e9adef544c64fad65b2bc55829d2a62b9add30b8b738a00b9872f5a1771cc72593c2a994ce5871d8afc73b871b61b7aad9665efcfd6c3f9424ab067aba6e3e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1989429.exe
            Filesize

            172KB

            MD5

            1f628ecffb69a8313ffd232768f77b76

            SHA1

            ba43d32192b7d118b4e7440bb1629e1c024045ca

            SHA256

            cbafb6c6afbbca84ae66e445db6b2d62d5138dbb277903455c94d15fe4b9df69

            SHA512

            11e9adef544c64fad65b2bc55829d2a62b9add30b8b738a00b9872f5a1771cc72593c2a994ce5871d8afc73b871b61b7aad9665efcfd6c3f9424ab067aba6e3e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5565553.exe
            Filesize

            196KB

            MD5

            cccd5dffb96ce633f62f194f8a4ad3ea

            SHA1

            1857fd15b62d730ac104d2e780e196d22ae05b47

            SHA256

            025e0ca3d63a45e4abc754beaa4e516ce5c2bfc2a608ea7d1e62987a313c090b

            SHA512

            a5a788ef8cd84c3f799cba461e3dcbed59292b9994d65450ebd2ae8ce4f6e74ef83c4c516f260f717eb5cf2b7e0f8d3a12b49a8f3ba3b14840fa709c88449013

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5565553.exe
            Filesize

            196KB

            MD5

            cccd5dffb96ce633f62f194f8a4ad3ea

            SHA1

            1857fd15b62d730ac104d2e780e196d22ae05b47

            SHA256

            025e0ca3d63a45e4abc754beaa4e516ce5c2bfc2a608ea7d1e62987a313c090b

            SHA512

            a5a788ef8cd84c3f799cba461e3dcbed59292b9994d65450ebd2ae8ce4f6e74ef83c4c516f260f717eb5cf2b7e0f8d3a12b49a8f3ba3b14840fa709c88449013

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3792309.exe
            Filesize

            100KB

            MD5

            a804a98ef2d29c50c9ed9e6acb4a1db4

            SHA1

            10b73d4a234c90f4d81607cf75199cc6eac44f80

            SHA256

            e5115f48959c212bb96586c3db7a2febf4e1e08c862f9736689890206dfc5ca9

            SHA512

            cdbf0a12a14bb627983889ae513b0ec7c2efcb48fe07808533fa7d2383bb155c455070147cf2977632e452da2dfc84055fe8642ada20538af1648eefa6d86bf0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3792309.exe
            Filesize

            100KB

            MD5

            a804a98ef2d29c50c9ed9e6acb4a1db4

            SHA1

            10b73d4a234c90f4d81607cf75199cc6eac44f80

            SHA256

            e5115f48959c212bb96586c3db7a2febf4e1e08c862f9736689890206dfc5ca9

            SHA512

            cdbf0a12a14bb627983889ae513b0ec7c2efcb48fe07808533fa7d2383bb155c455070147cf2977632e452da2dfc84055fe8642ada20538af1648eefa6d86bf0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5521681.exe
            Filesize

            11KB

            MD5

            deca37f9a132e24ec089ac0ddaf6c6d5

            SHA1

            c31528bb75bcdbd0e5af6f9c38f3f6121768fe03

            SHA256

            685d946b39e750f1327d63291be9795c435ac34cc45c2b06c9304437ba9c1a19

            SHA512

            1ce6320d6a855a332bca720aa182bb82763e5ae130af9d3918c12e2162a1786edf894d5607c314823693154a7ab223f599ebde71a0b262b8cabba84c6f5b5e99

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5521681.exe
            Filesize

            11KB

            MD5

            deca37f9a132e24ec089ac0ddaf6c6d5

            SHA1

            c31528bb75bcdbd0e5af6f9c38f3f6121768fe03

            SHA256

            685d946b39e750f1327d63291be9795c435ac34cc45c2b06c9304437ba9c1a19

            SHA512

            1ce6320d6a855a332bca720aa182bb82763e5ae130af9d3918c12e2162a1786edf894d5607c314823693154a7ab223f599ebde71a0b262b8cabba84c6f5b5e99

            Download Submit

          • memory/652-162-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1412-170-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1900-176-0x0000000000B50000-0x0000000000B80000-memory.dmp

            Filesize

            192KB

            Download

          • memory/1900-177-0x000000000B020000-0x000000000B638000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/1900-178-0x000000000AB10000-0x000000000AC1A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1900-179-0x000000000AA20000-0x000000000AA32000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1900-180-0x000000000AA80000-0x000000000AABC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/1900-181-0x0000000005570000-0x0000000005580000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1900-182-0x0000000005570000-0x0000000005580000-memory.dmp

            Filesize

            64KB

            Download