Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-07-2023 02:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9c6ad923333a59228d71f4d9c3215a79f3b11c0428e6cc81373b9582c1f35702.exe

  • Size

    1.0MB

  • MD5

    3ad5e82f3a7dbb1b6d146a8647cc9e77

  • SHA1

    ddac6f30fb036bedb2c9c1c254b7eb9492cbbdd9

  • SHA256

    9c6ad923333a59228d71f4d9c3215a79f3b11c0428e6cc81373b9582c1f35702

  • SHA512

    e2826c61d5a2ef619b103985be03c98ec7b58025209c5375f6a49b774a972942bb3f24c24f7af5bc2c7628944145782ae09babcbe0014dba38e2e31871010112

  • SSDEEP

    24576:xy2cQxFkisUQlgyH5yCL44yyPn8Q0i+j8rRvkAwVPrw:k2JxFkN2P4/Pn8QF+j8lvkAwVP

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c6ad923333a59228d71f4d9c3215a79f3b11c0428e6cc81373b9582c1f35702.exe
    "C:\Users\Admin\AppData\Local\Temp\9c6ad923333a59228d71f4d9c3215a79f3b11c0428e6cc81373b9582c1f35702.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2110325.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2110325.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7219097.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7219097.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1277461.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1277461.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3740
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9679822.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9679822.exe
          4⤵
          • Executes dropped EXE
          PID:1660

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2110325.exe
    Filesize

    885KB

    MD5

    ce5bb595c05ad2d491666d1cfd347359

    SHA1

    dc451e7fc06892758cd3ad36ae24931cc7d4c97a

    SHA256

    f97a4049a6d6fd2cfbc031f1614f0e362cc97c59cd841217cb4eba8f141435eb

    SHA512

    3d38ccdc2dc6726bfe08202360b880a49101998c6b05275df92bbb81eee9321bd0f5676b7950901ec7b18f5dc039a1c44ff036a0d40f0be0722f1f5424119cec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2110325.exe
    Filesize

    885KB

    MD5

    ce5bb595c05ad2d491666d1cfd347359

    SHA1

    dc451e7fc06892758cd3ad36ae24931cc7d4c97a

    SHA256

    f97a4049a6d6fd2cfbc031f1614f0e362cc97c59cd841217cb4eba8f141435eb

    SHA512

    3d38ccdc2dc6726bfe08202360b880a49101998c6b05275df92bbb81eee9321bd0f5676b7950901ec7b18f5dc039a1c44ff036a0d40f0be0722f1f5424119cec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7219097.exe
    Filesize

    701KB

    MD5

    89487fc38eb8aca4d0f1167dc45b0f89

    SHA1

    96f67acb6092db10695bc4fdee27f358e698df17

    SHA256

    43daeee4f6c7186e558cf7763675ed6d517b6a7808561cb0abe3e510290a7d0c

    SHA512

    68e21d784fd2879686ad2c9e3eca3aab178f90eb1f519a4a4c71fe721f92b5aeda95b38c65ecf85398eaab50d8a836fc7861ed9872155bf2ee8cced40354827f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7219097.exe
    Filesize

    701KB

    MD5

    89487fc38eb8aca4d0f1167dc45b0f89

    SHA1

    96f67acb6092db10695bc4fdee27f358e698df17

    SHA256

    43daeee4f6c7186e558cf7763675ed6d517b6a7808561cb0abe3e510290a7d0c

    SHA512

    68e21d784fd2879686ad2c9e3eca3aab178f90eb1f519a4a4c71fe721f92b5aeda95b38c65ecf85398eaab50d8a836fc7861ed9872155bf2ee8cced40354827f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1277461.exe
    Filesize

    568KB

    MD5

    4316bdf03728e9a8824795d20802a4e9

    SHA1

    243d019081fda4e30d3cbcce130240d59ad6bb79

    SHA256

    e4044b4db4835d29a0a537b0ea60e9f82a5b447520b15a1561b23a340e3df6c9

    SHA512

    3dcf5d931fc19ebe564f0888befe2d13f05c775a9b00766d64adbd0a22b528994e4feb0ef9855c2cecaf10d7874e273d3f3c6cda293925f79b378a161b4c9e56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1277461.exe
    Filesize

    568KB

    MD5

    4316bdf03728e9a8824795d20802a4e9

    SHA1

    243d019081fda4e30d3cbcce130240d59ad6bb79

    SHA256

    e4044b4db4835d29a0a537b0ea60e9f82a5b447520b15a1561b23a340e3df6c9

    SHA512

    3dcf5d931fc19ebe564f0888befe2d13f05c775a9b00766d64adbd0a22b528994e4feb0ef9855c2cecaf10d7874e273d3f3c6cda293925f79b378a161b4c9e56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9679822.exe
    Filesize

    729KB

    MD5

    dee8c80ac6f5419e9c3aecc5763ece3e

    SHA1

    146832789d1e28dc9dff6df2319ed98eb4daea16

    SHA256

    07b3ff6e9dbbb5216da47d244d26fec3529a867bd0baf78002dea37cdb8f2519

    SHA512

    6d1bc2a853a70f84995c1d36a059fcb791172762d342404dacff70cb4f91f9785e229b17c450f9691c40a60f62149ba86dacf2f7e952b7d52d35beb94fa338c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9679822.exe
    Filesize

    729KB

    MD5

    dee8c80ac6f5419e9c3aecc5763ece3e

    SHA1

    146832789d1e28dc9dff6df2319ed98eb4daea16

    SHA256

    07b3ff6e9dbbb5216da47d244d26fec3529a867bd0baf78002dea37cdb8f2519

    SHA512

    6d1bc2a853a70f84995c1d36a059fcb791172762d342404dacff70cb4f91f9785e229b17c450f9691c40a60f62149ba86dacf2f7e952b7d52d35beb94fa338c7

    Download Submit

  • memory/1660-175-0x0000000004AC0000-0x0000000004BCA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1660-173-0x0000000074300000-0x0000000074AB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1660-181-0x0000000004990000-0x00000000049A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1660-180-0x0000000074300000-0x0000000074AB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1660-168-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1660-167-0x0000000000560000-0x0000000000590000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1660-179-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1660-178-0x0000000004C20000-0x0000000004C5C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1660-174-0x00000000050C0000-0x00000000056D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1660-177-0x0000000004C00000-0x0000000004C12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1660-176-0x0000000004990000-0x00000000049A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3740-155-0x00000000004F0000-0x00000000004FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3740-163-0x0000000074300000-0x0000000074AB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3740-154-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3740-159-0x0000000074300000-0x0000000074AB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3740-160-0x0000000074300000-0x0000000074AB0000-memory.dmp

    Filesize

    7.7MB

    Download