Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-06-2023 10:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    904a5595da5fe765cfa2fafc92cbdee3459c5ed938501287242619569f3d8719.exe

  • Size

    773KB

  • MD5

    74875a30537f6a93e0f950308f0d7694

  • SHA1

    dc71fc9ee08cefa28237fcb53fa4e4c788312055

  • SHA256

    904a5595da5fe765cfa2fafc92cbdee3459c5ed938501287242619569f3d8719

  • SHA512

    cd48bbc9cf3ca1aa02ffc92ded99ef5d606745b18fbcefb87b12d822af64a096802bf9987de37dacc399904cbead29f1ef3a6634adbd7ed69a893d4ada05162d

  • SSDEEP

    24576:2yE6S+nbQnGwyr3XdHaAKT5sJ/elJ1PVe2:FE+bKGwyRGkKJh

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.129:19068

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\904a5595da5fe765cfa2fafc92cbdee3459c5ed938501287242619569f3d8719.exe
    "C:\Users\Admin\AppData\Local\Temp\904a5595da5fe765cfa2fafc92cbdee3459c5ed938501287242619569f3d8719.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1188357.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1188357.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2860241.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2860241.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4704
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9199905.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9199905.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4008
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9927374.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9927374.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4300
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5643169.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5643169.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4348
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3248
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 152
              6⤵
              • Program crash
              PID:1348
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7635963.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7635963.exe
          4⤵
          • Executes dropped EXE
          PID:2808
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4348 -ip 4348
    1⤵
      PID:3988

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1188357.exe
      Filesize

      549KB

      MD5

      fbe732d93f0f5656593e303a388d5a55

      SHA1

      c0a60a094db300e574181b7ba64e3a15be7d1456

      SHA256

      a72da29eb7ac2ea79b621c5815d815f9c0bbf18d4ed114bb869e87ca8f1a829e

      SHA512

      755e75b9ca926bbba11ed3e005f8d6e9b14736d0b3cc44505c9d9ed775ad22736b9fca4229e99dfa90c30ed629857e7a4b3df8e38407f9afc49fa7c48f06159c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1188357.exe
      Filesize

      549KB

      MD5

      fbe732d93f0f5656593e303a388d5a55

      SHA1

      c0a60a094db300e574181b7ba64e3a15be7d1456

      SHA256

      a72da29eb7ac2ea79b621c5815d815f9c0bbf18d4ed114bb869e87ca8f1a829e

      SHA512

      755e75b9ca926bbba11ed3e005f8d6e9b14736d0b3cc44505c9d9ed775ad22736b9fca4229e99dfa90c30ed629857e7a4b3df8e38407f9afc49fa7c48f06159c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2860241.exe
      Filesize

      376KB

      MD5

      a0cdf9ad9926ff7ea4f772f104e8f21d

      SHA1

      2fe514ead438b5ed45dd9960836d9a2daa4ef08e

      SHA256

      4d73f7819a0856d3671a9e178b6c97612986cb2d3c05b99482c8a6350b294f0c

      SHA512

      df3712edc6e09b8f4f6be37e5eba2f5c9614aadd7560b5cfb42ae998246ecc6ff3bb9ff4e7d5b12b2afb8d9579073a4939c497a319726450daba9f2da569fa43

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2860241.exe
      Filesize

      376KB

      MD5

      a0cdf9ad9926ff7ea4f772f104e8f21d

      SHA1

      2fe514ead438b5ed45dd9960836d9a2daa4ef08e

      SHA256

      4d73f7819a0856d3671a9e178b6c97612986cb2d3c05b99482c8a6350b294f0c

      SHA512

      df3712edc6e09b8f4f6be37e5eba2f5c9614aadd7560b5cfb42ae998246ecc6ff3bb9ff4e7d5b12b2afb8d9579073a4939c497a319726450daba9f2da569fa43

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7635963.exe
      Filesize

      172KB

      MD5

      d932ce6cfd20b8d948b377bf8b2f0b70

      SHA1

      95a2bb037cfb63f45c84bdca5dd517a54023a21c

      SHA256

      7e81a222f64680d20c4577735bc51f086e3d6fa602f6eb04957810ae5b34e268

      SHA512

      d2dc630a8169c7e0536c45a302298cb161289fcd2290af68f090938412dd14f4e93f1e215e8caa3c184f2e9e922b55d639d04f884d9771bdbbc9d19ace72f882

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7635963.exe
      Filesize

      172KB

      MD5

      d932ce6cfd20b8d948b377bf8b2f0b70

      SHA1

      95a2bb037cfb63f45c84bdca5dd517a54023a21c

      SHA256

      7e81a222f64680d20c4577735bc51f086e3d6fa602f6eb04957810ae5b34e268

      SHA512

      d2dc630a8169c7e0536c45a302298cb161289fcd2290af68f090938412dd14f4e93f1e215e8caa3c184f2e9e922b55d639d04f884d9771bdbbc9d19ace72f882

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9199905.exe
      Filesize

      221KB

      MD5

      ab2ed13169b510bd0b739cceaab6da08

      SHA1

      bbe59162618e39b2e8b79414e07c408d6f20e6b7

      SHA256

      c46cf05975535c93cf5dbc9e8fb7d65cab27e3c622bae962570e3f087975ea12

      SHA512

      76271bd5b38105d584cf8b2d42e52ccac6540584cfa296bc2898a243d5febd92675c50ce4695345676bf02f9bc430e1ea98b362516b90a3383c642ab66f893fc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9199905.exe
      Filesize

      221KB

      MD5

      ab2ed13169b510bd0b739cceaab6da08

      SHA1

      bbe59162618e39b2e8b79414e07c408d6f20e6b7

      SHA256

      c46cf05975535c93cf5dbc9e8fb7d65cab27e3c622bae962570e3f087975ea12

      SHA512

      76271bd5b38105d584cf8b2d42e52ccac6540584cfa296bc2898a243d5febd92675c50ce4695345676bf02f9bc430e1ea98b362516b90a3383c642ab66f893fc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9927374.exe
      Filesize

      14KB

      MD5

      57ac6fec4f2ea8f48781b8546180c0c4

      SHA1

      4865feaa5eac7b178a74b6870c66cf13092971e9

      SHA256

      9d2365dfa2fff7e5f559cd3f91be02f4692d8a8083716a0bd0dcc9318717ef37

      SHA512

      579cfd3dc0ee237e18c8e178b1af91df2fff5cbe41234ed96166e6d056d06c193b898c3a8a624a9fa3b81df6142033f1d8dbe9235f61fe467c6ad8f386e60dba

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9927374.exe
      Filesize

      14KB

      MD5

      57ac6fec4f2ea8f48781b8546180c0c4

      SHA1

      4865feaa5eac7b178a74b6870c66cf13092971e9

      SHA256

      9d2365dfa2fff7e5f559cd3f91be02f4692d8a8083716a0bd0dcc9318717ef37

      SHA512

      579cfd3dc0ee237e18c8e178b1af91df2fff5cbe41234ed96166e6d056d06c193b898c3a8a624a9fa3b81df6142033f1d8dbe9235f61fe467c6ad8f386e60dba

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5643169.exe
      Filesize

      148KB

      MD5

      fcf23dc3c5fd2fe1d608dfd1c26c8265

      SHA1

      d9d5ca89597415be80d8ebef9172a2dfd205ca13

      SHA256

      251d9b8b461f8dbfc2fbdf30b7bcb55d74f3887b28746842558a7b041b3b91f7

      SHA512

      d557300d32cbe85e54ea82cdeb84047722414aa2caf6ab53ca400c240d22463b9b0613fa98df1b9e961860ae68e12b936f991188dcd4c0cfc00d7e7a0f52b457

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5643169.exe
      Filesize

      148KB

      MD5

      fcf23dc3c5fd2fe1d608dfd1c26c8265

      SHA1

      d9d5ca89597415be80d8ebef9172a2dfd205ca13

      SHA256

      251d9b8b461f8dbfc2fbdf30b7bcb55d74f3887b28746842558a7b041b3b91f7

      SHA512

      d557300d32cbe85e54ea82cdeb84047722414aa2caf6ab53ca400c240d22463b9b0613fa98df1b9e961860ae68e12b936f991188dcd4c0cfc00d7e7a0f52b457

      Download Submit
    • memory/2808-174-0x0000000000420000-0x0000000000450000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2808-175-0x000000000A860000-0x000000000AE78000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2808-176-0x000000000A3A0000-0x000000000A4AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2808-177-0x000000000A2E0000-0x000000000A2F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2808-178-0x000000000A340000-0x000000000A37C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2808-179-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2808-181-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3248-166-0x0000000000360000-0x000000000036A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4300-161-0x0000000000710000-0x000000000071A000-memory.dmp
      Filesize

      40KB

      Download