Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2023 14:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f9a8f03e100f12030d73b34f62944c8b851eb04c06a0f9da98afd7245020e1c.exe

  • Size

    723KB

  • MD5

    e01d061e764b307a186b15bb8742f2ba

  • SHA1

    609e349a94960cf57e396f53de2c0a3485051f5e

  • SHA256

    9f9a8f03e100f12030d73b34f62944c8b851eb04c06a0f9da98afd7245020e1c

  • SHA512

    c8c0120ab4880541c49a14234ae3ec1e572d01b778c4ab6c6feba95d58254b0c8587c985d82ff628fe54f438379bc2accada65d270869170087f49c263d851c6

  • SSDEEP

    12288:jMr5y90jseUfar5kQFlQW5mXI2m14FFozVtuFBLSIJyOywRbfI8TM+qR:6yknrrRmXI2c4FF2CB27OJRbfI8TMh

Score
10/10
redlinedizaevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.129:19068

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f9a8f03e100f12030d73b34f62944c8b851eb04c06a0f9da98afd7245020e1c.exe
    "C:\Users\Admin\AppData\Local\Temp\9f9a8f03e100f12030d73b34f62944c8b851eb04c06a0f9da98afd7245020e1c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6250742.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6250742.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6355252.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6355252.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2034899.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2034899.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1340
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3766281.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3766281.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3592
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4464
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 136
              6⤵
              • Program crash
              PID:4676
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k7961037.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k7961037.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:216
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4349255.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4349255.exe
          4⤵
          • Executes dropped EXE
          PID:4496
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3592 -ip 3592
    1⤵
      PID:1488

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6250742.exe
      Filesize

      524KB

      MD5

      cf8ea11ef34e04c984f1134456cfe1ec

      SHA1

      58299c40306e7432c2183730ffa2057aa2940e4f

      SHA256

      136eaefe22f1fd2d5fc059c90b7ba0cd624e23ce7d620ba70931b723a408df40

      SHA512

      bb594896284e698ced321006bf8cf85014b78af0fdf3c1135aca06bb5493045c478ef3f8193cb6924d66bca359a6bfb73e622db82e07a6981df6ed1962436730

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6250742.exe
      Filesize

      524KB

      MD5

      cf8ea11ef34e04c984f1134456cfe1ec

      SHA1

      58299c40306e7432c2183730ffa2057aa2940e4f

      SHA256

      136eaefe22f1fd2d5fc059c90b7ba0cd624e23ce7d620ba70931b723a408df40

      SHA512

      bb594896284e698ced321006bf8cf85014b78af0fdf3c1135aca06bb5493045c478ef3f8193cb6924d66bca359a6bfb73e622db82e07a6981df6ed1962436730

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6355252.exe
      Filesize

      352KB

      MD5

      4962b93ba2a6b0a2d8d1c5b2d362e0a9

      SHA1

      02d03b2463dc71e8fec126b0ca6b2ed9b22e7f37

      SHA256

      11d230335e0ce121441edb13e823602af75e69dbde3d3c0b0c320bcc2d8c8d49

      SHA512

      d168e737fe7f68920ca5ebbc96c2bd671da9411e0818de83a288c88144d0f3b36a79ff0a4b99319f0325128f2e546a8aa97757974d92db47b7156d28d198b8fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6355252.exe
      Filesize

      352KB

      MD5

      4962b93ba2a6b0a2d8d1c5b2d362e0a9

      SHA1

      02d03b2463dc71e8fec126b0ca6b2ed9b22e7f37

      SHA256

      11d230335e0ce121441edb13e823602af75e69dbde3d3c0b0c320bcc2d8c8d49

      SHA512

      d168e737fe7f68920ca5ebbc96c2bd671da9411e0818de83a288c88144d0f3b36a79ff0a4b99319f0325128f2e546a8aa97757974d92db47b7156d28d198b8fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4349255.exe
      Filesize

      172KB

      MD5

      aa7d7c70f1f5e0905c309ebc1b6ccb7c

      SHA1

      02811f162ece6260138eaa27e44bd88c482ca870

      SHA256

      52e4f967117a629fcff91b2f35949dc70c2bd904c0b0223c1bc95fb283f9ae12

      SHA512

      e7e284afd49309dcd5a61a4066aed68594c11cd10242d5c23740fb8542ebec634705fbcd6a9b4acf38d5d059954fc657ee869431eff4f95249c1111fa4a1412b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4349255.exe
      Filesize

      172KB

      MD5

      aa7d7c70f1f5e0905c309ebc1b6ccb7c

      SHA1

      02811f162ece6260138eaa27e44bd88c482ca870

      SHA256

      52e4f967117a629fcff91b2f35949dc70c2bd904c0b0223c1bc95fb283f9ae12

      SHA512

      e7e284afd49309dcd5a61a4066aed68594c11cd10242d5c23740fb8542ebec634705fbcd6a9b4acf38d5d059954fc657ee869431eff4f95249c1111fa4a1412b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2034899.exe
      Filesize

      197KB

      MD5

      d72dab9f677625eea911cee31687d14e

      SHA1

      2c60339aa12acad47cd886085d1caf2e61bb8df7

      SHA256

      0bde3dd339a9d36e87bb07ebed436d77908803bf60f72979e0faeff66edd04aa

      SHA512

      fb0d5bbad4b7acec064e12c5b43ef89338eae2ee54aa0e4ffc3c9233e0d94fdff447426ae4cd8fe86c03fcd263813f8b6b979a1cbcbca55359abc9de844887a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2034899.exe
      Filesize

      197KB

      MD5

      d72dab9f677625eea911cee31687d14e

      SHA1

      2c60339aa12acad47cd886085d1caf2e61bb8df7

      SHA256

      0bde3dd339a9d36e87bb07ebed436d77908803bf60f72979e0faeff66edd04aa

      SHA512

      fb0d5bbad4b7acec064e12c5b43ef89338eae2ee54aa0e4ffc3c9233e0d94fdff447426ae4cd8fe86c03fcd263813f8b6b979a1cbcbca55359abc9de844887a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3766281.exe
      Filesize

      100KB

      MD5

      84b05ade2d01f249b7014de75d6a74ac

      SHA1

      84d8d4b382b39e9183da17e2154d1b17ea763795

      SHA256

      f763bc0b464c28d2f4115b0865f2793bb91dc042e6f27074b68e3fb92b21c079

      SHA512

      b5755dd1ab2177f61db6c900be318286f932c5e19c298c5a10eb3c204e3705e222cde1b8634ccc1e6bec79a8926290e4b67497afaf8f685c22816b12f5c67897

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j3766281.exe
      Filesize

      100KB

      MD5

      84b05ade2d01f249b7014de75d6a74ac

      SHA1

      84d8d4b382b39e9183da17e2154d1b17ea763795

      SHA256

      f763bc0b464c28d2f4115b0865f2793bb91dc042e6f27074b68e3fb92b21c079

      SHA512

      b5755dd1ab2177f61db6c900be318286f932c5e19c298c5a10eb3c204e3705e222cde1b8634ccc1e6bec79a8926290e4b67497afaf8f685c22816b12f5c67897

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k7961037.exe
      Filesize

      11KB

      MD5

      d0c6e9f85c4b7bf0319c0601999b41f7

      SHA1

      cb002d18a27e52cad8a227c5d9b330df8fbfb359

      SHA256

      9b54b66523adbb1590dd20f1ff406c83ca68c03af8300da2777f032f9e97f998

      SHA512

      b8719f06f9b468a4952c92cfe979e76abf394fbbd813f47ae50c945ae93d4b0d297116ac7daf3d26af1cd544f0eb689c09c043370f5c6615cfae68ae7270a418

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k7961037.exe
      Filesize

      11KB

      MD5

      d0c6e9f85c4b7bf0319c0601999b41f7

      SHA1

      cb002d18a27e52cad8a227c5d9b330df8fbfb359

      SHA256

      9b54b66523adbb1590dd20f1ff406c83ca68c03af8300da2777f032f9e97f998

      SHA512

      b8719f06f9b468a4952c92cfe979e76abf394fbbd813f47ae50c945ae93d4b0d297116ac7daf3d26af1cd544f0eb689c09c043370f5c6615cfae68ae7270a418

      Download Submit

    • memory/216-170-0x0000000000050000-0x000000000005A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4464-162-0x00000000005C0000-0x00000000005CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4496-176-0x0000000000DD0000-0x0000000000E00000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4496-177-0x000000000B0C0000-0x000000000B6D8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4496-178-0x000000000AC10000-0x000000000AD1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4496-179-0x000000000AB50000-0x000000000AB62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4496-180-0x000000000ABB0000-0x000000000ABEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4496-181-0x00000000055D0000-0x00000000055E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4496-182-0x00000000055D0000-0x00000000055E0000-memory.dmp

      Filesize

      64KB

      Download