Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2023 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e14c12b9703e541dc292a3c5be71f9704c5b370345da099ad757664b578fd579.exe

  • Size

    921KB

  • MD5

    3b1a049b7dcca6ebc454f5a9c21b4d29

  • SHA1

    8247855a9863c5bf3ca9d929d7100c87056556ad

  • SHA256

    e14c12b9703e541dc292a3c5be71f9704c5b370345da099ad757664b578fd579

  • SHA512

    42b1c74482cfdfcc03b0ddf48c1fa350aba081b1390b52b37ca3561af26173f506d00d3be00d08db858e766dfc540222f9e03a6100d4a36b9866653207b81c0a

  • SSDEEP

    24576:yy7FSbkfuNKjp64+9X2XYDmtpE5RC0Yrr:ZgbkfuNa1+hg2mt+Yr

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e14c12b9703e541dc292a3c5be71f9704c5b370345da099ad757664b578fd579.exe
    "C:\Users\Admin\AppData\Local\Temp\e14c12b9703e541dc292a3c5be71f9704c5b370345da099ad757664b578fd579.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4814616.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4814616.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5413763.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5413763.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4552
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2970748.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2970748.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2556
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1522977.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1522977.exe
          4⤵
          • Executes dropped EXE
          PID:4240

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4814616.exe
    Filesize

    766KB

    MD5

    40f5b2ab6c15eb967de48a3330713605

    SHA1

    6f2b9a0162565ba0700c445a944659834db2f57f

    SHA256

    3c2a30a4fc7a64688115263868b4bcd28be83d7054d81b8b892ead4679e99408

    SHA512

    89ed65a7a31318b671c4e6d632469e27564cb59da666931435cde524e704796502fba63f79bd424a706367b3a15c0a75201858819a3202923658070f654bc5f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4814616.exe
    Filesize

    766KB

    MD5

    40f5b2ab6c15eb967de48a3330713605

    SHA1

    6f2b9a0162565ba0700c445a944659834db2f57f

    SHA256

    3c2a30a4fc7a64688115263868b4bcd28be83d7054d81b8b892ead4679e99408

    SHA512

    89ed65a7a31318b671c4e6d632469e27564cb59da666931435cde524e704796502fba63f79bd424a706367b3a15c0a75201858819a3202923658070f654bc5f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5413763.exe
    Filesize

    582KB

    MD5

    8447ce52b2740f07908190f9e1493050

    SHA1

    e6c214f789dedd33ec8c5713068ef8a119f0b7e0

    SHA256

    cffcccce78f94c11f3213d1b77ccb38fe5036f8a013df454c28d0d8b03a4f2ab

    SHA512

    d2b13649fd1193fdd56bb57410ad7caa083c35789ed0c4a648e291d35192cc2ec7d39d7f5ce119092bb9c1014eea0efa1c0e97ed39c9cdaf755b78d3ae11b75b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5413763.exe
    Filesize

    582KB

    MD5

    8447ce52b2740f07908190f9e1493050

    SHA1

    e6c214f789dedd33ec8c5713068ef8a119f0b7e0

    SHA256

    cffcccce78f94c11f3213d1b77ccb38fe5036f8a013df454c28d0d8b03a4f2ab

    SHA512

    d2b13649fd1193fdd56bb57410ad7caa083c35789ed0c4a648e291d35192cc2ec7d39d7f5ce119092bb9c1014eea0efa1c0e97ed39c9cdaf755b78d3ae11b75b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2970748.exe
    Filesize

    294KB

    MD5

    1d88903282fc5d1c92ca4b6cc50dd4a3

    SHA1

    905ee46b6509e45c8db4750afaf647327ad54025

    SHA256

    908042a145926c0f95df5d32e4f4c501a917714b49a3fee7e488bdb43386c2ed

    SHA512

    cdf0e63e1f73fb397bac5328c1bf7abab2247e5b1fb95a5dcf5561b6e4d636c5f8f2bc7539c8ec3fd7c568bf9c51cdd8bd60e9d68365f10f2cd366b325604eed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2970748.exe
    Filesize

    294KB

    MD5

    1d88903282fc5d1c92ca4b6cc50dd4a3

    SHA1

    905ee46b6509e45c8db4750afaf647327ad54025

    SHA256

    908042a145926c0f95df5d32e4f4c501a917714b49a3fee7e488bdb43386c2ed

    SHA512

    cdf0e63e1f73fb397bac5328c1bf7abab2247e5b1fb95a5dcf5561b6e4d636c5f8f2bc7539c8ec3fd7c568bf9c51cdd8bd60e9d68365f10f2cd366b325604eed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1522977.exe
    Filesize

    492KB

    MD5

    1afdb616df957eb308785596eba487a7

    SHA1

    724818bf282a9ae5adcec71528ebf38a1477be22

    SHA256

    6896b9986a4ff26fc8aed087bf0eedfbee70be9cfe15865db629ab76d7534178

    SHA512

    e68b575739f35643b197316f6fe792603a68aca2d504979b3c3ff9bf75cbab27e03f38c03bf66776162a580a957f919f21c6e43a47fde03801feb0984112bd32

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1522977.exe
    Filesize

    492KB

    MD5

    1afdb616df957eb308785596eba487a7

    SHA1

    724818bf282a9ae5adcec71528ebf38a1477be22

    SHA256

    6896b9986a4ff26fc8aed087bf0eedfbee70be9cfe15865db629ab76d7534178

    SHA512

    e68b575739f35643b197316f6fe792603a68aca2d504979b3c3ff9bf75cbab27e03f38c03bf66776162a580a957f919f21c6e43a47fde03801feb0984112bd32

    Download Submit

  • memory/2556-155-0x0000000001F50000-0x0000000001F8E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2556-154-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2556-164-0x0000000073D70000-0x0000000074520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2556-167-0x0000000073D70000-0x0000000074520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2556-162-0x0000000001F50000-0x0000000001F8E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2556-161-0x0000000073D70000-0x0000000074520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2556-163-0x0000000002460000-0x0000000002461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4240-179-0x0000000073D70000-0x0000000074520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4240-172-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/4240-171-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4240-180-0x00000000005B0000-0x000000000063C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/4240-182-0x000000000B4D0000-0x000000000BAE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4240-183-0x000000000BAF0000-0x000000000BBFA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4240-185-0x0000000006CF0000-0x0000000006D02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4240-184-0x0000000006D70000-0x0000000006D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4240-186-0x0000000006D10000-0x0000000006D4C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4240-187-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/4240-188-0x0000000073D70000-0x0000000074520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4240-189-0x0000000006D70000-0x0000000006D80000-memory.dmp

    Filesize

    64KB

    Download