Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16/07/2023, 08:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b5e54ca36b6b82d5852d1de217661f2af2d7cf5b749749be20e35028c9a69d54.exe

  • Size

    918KB

  • MD5

    b7d837f580bd6544892344609153acab

  • SHA1

    1450878c196a0a6ac9eef5242f937c5fa48c2638

  • SHA256

    b5e54ca36b6b82d5852d1de217661f2af2d7cf5b749749be20e35028c9a69d54

  • SHA512

    62fc6c022c9d44ab250afff0246187b2032213685d6b7e8b26571f40f90302517446f4309fc75b03ff7118907c9afd2ac2fbe30cdce51e5124e9e72e0a3a1e67

  • SSDEEP

    12288:0Mryy90gPeR1T6qU2B8Aty9zEngECOfKc7804yqTIzLy74XEYvkxykhoGgdeXxuQ:eyybQ2YzEn6OVA0z+MXEQkLCi/7G1E

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5e54ca36b6b82d5852d1de217661f2af2d7cf5b749749be20e35028c9a69d54.exe
    "C:\Users\Admin\AppData\Local\Temp\b5e54ca36b6b82d5852d1de217661f2af2d7cf5b749749be20e35028c9a69d54.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8224757.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8224757.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4852
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3490279.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3490279.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4356961.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4356961.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3044
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8790319.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8790319.exe
          4⤵
          • Executes dropped EXE
          PID:4420

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
          Filesize

          226B

          MD5

          957779c42144282d8cd83192b8fbc7cf

          SHA1

          de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

          SHA256

          0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

          SHA512

          f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8224757.exe
          Filesize

          762KB

          MD5

          39bb4eda069f2d4e77f072f9a517845a

          SHA1

          38291003b07d0c0be5bc748d834766263991eaa3

          SHA256

          8b34b904fafa31c911b2ef66baee8e0714146f38e53e2bd7216ec8beb73c4f50

          SHA512

          cc3dfb5d6b8efd206ff9ad7091c22aa6156906508bf11ecab6f6bc10288a73873b0ee07d3efcf83308adb3d4acf99fb63140f7501a38d91fa4e6f8bcd5b9650b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8224757.exe
          Filesize

          762KB

          MD5

          39bb4eda069f2d4e77f072f9a517845a

          SHA1

          38291003b07d0c0be5bc748d834766263991eaa3

          SHA256

          8b34b904fafa31c911b2ef66baee8e0714146f38e53e2bd7216ec8beb73c4f50

          SHA512

          cc3dfb5d6b8efd206ff9ad7091c22aa6156906508bf11ecab6f6bc10288a73873b0ee07d3efcf83308adb3d4acf99fb63140f7501a38d91fa4e6f8bcd5b9650b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3490279.exe
          Filesize

          579KB

          MD5

          681e70d9207bb641d9354abe3a15e54e

          SHA1

          135ff4e34b0de63de0664d31078119c408ef955a

          SHA256

          d4d23a7be2b3756fdc8dfb91c1514a4b17ce88d19a773d2cc2f7283285bc04ea

          SHA512

          94da5241dbe20fb557c8bed40f0a94a1f871dbed0c7004725835598fb798545c05319deb1191ae7a67566e27868157bd60b5614bd0db291a9ea63fda7671b077

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3490279.exe
          Filesize

          579KB

          MD5

          681e70d9207bb641d9354abe3a15e54e

          SHA1

          135ff4e34b0de63de0664d31078119c408ef955a

          SHA256

          d4d23a7be2b3756fdc8dfb91c1514a4b17ce88d19a773d2cc2f7283285bc04ea

          SHA512

          94da5241dbe20fb557c8bed40f0a94a1f871dbed0c7004725835598fb798545c05319deb1191ae7a67566e27868157bd60b5614bd0db291a9ea63fda7671b077

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4356961.exe
          Filesize

          294KB

          MD5

          d69cf823a1155acb56e482661f416478

          SHA1

          bfed87469abaec8162a28de3648c789a84a5c8f9

          SHA256

          2c665880663f0a8d45284c51340eb6187e091eb81c748a1b20e63ece7f0f6421

          SHA512

          a42895b80a257dedf54da58735e5fcfbe7e8a95fbec34d0eed5bcfa4d9d76cd71f127d1ce8c1ecf20ab31fc89c96dd6fa46cce99bad6faf607152fd3b3fa2f89

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4356961.exe
          Filesize

          294KB

          MD5

          d69cf823a1155acb56e482661f416478

          SHA1

          bfed87469abaec8162a28de3648c789a84a5c8f9

          SHA256

          2c665880663f0a8d45284c51340eb6187e091eb81c748a1b20e63ece7f0f6421

          SHA512

          a42895b80a257dedf54da58735e5fcfbe7e8a95fbec34d0eed5bcfa4d9d76cd71f127d1ce8c1ecf20ab31fc89c96dd6fa46cce99bad6faf607152fd3b3fa2f89

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8790319.exe
          Filesize

          491KB

          MD5

          b98f34f29782f68323a4c1cdf033c9e0

          SHA1

          6887d1af5eefabe5b6cd1d64c0aa5a82b5e4a5f3

          SHA256

          a9a107941e6aaf43f011c282fb38f5112b012c97489bfa280101cac0ddd165f1

          SHA512

          fe718b3e2a40c64e5d095a3ee0dd19a6febcf61ab05edfe389aa96c9388b10563e89f04431afb266256842988fcf38db224658ab3b29890cd69f089b8b53fcbb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8790319.exe
          Filesize

          491KB

          MD5

          b98f34f29782f68323a4c1cdf033c9e0

          SHA1

          6887d1af5eefabe5b6cd1d64c0aa5a82b5e4a5f3

          SHA256

          a9a107941e6aaf43f011c282fb38f5112b012c97489bfa280101cac0ddd165f1

          SHA512

          fe718b3e2a40c64e5d095a3ee0dd19a6febcf61ab05edfe389aa96c9388b10563e89f04431afb266256842988fcf38db224658ab3b29890cd69f089b8b53fcbb

          Download Submit

        • memory/3044-143-0x0000000000810000-0x000000000084E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/3044-142-0x0000000000400000-0x000000000044E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/3044-152-0x0000000000400000-0x000000000044E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/3044-153-0x0000000073950000-0x000000007403E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3044-156-0x0000000073950000-0x000000007403E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3044-150-0x0000000000810000-0x000000000084E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/3044-149-0x0000000073950000-0x000000007403E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3044-151-0x0000000002440000-0x0000000002441000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4420-160-0x0000000001FC0000-0x000000000204C000-memory.dmp

          Filesize

          560KB

          Download

        • memory/4420-161-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/4420-168-0x0000000073950000-0x000000007403E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4420-169-0x0000000001FC0000-0x000000000204C000-memory.dmp

          Filesize

          560KB

          Download

        • memory/4420-171-0x00000000043E0000-0x00000000043E6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/4420-172-0x00000000049C0000-0x0000000004FC6000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/4420-173-0x0000000005020000-0x000000000512A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4420-174-0x0000000005150000-0x0000000005162000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4420-175-0x0000000005170000-0x00000000051AE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4420-176-0x00000000051E0000-0x000000000522B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4420-177-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/4420-178-0x0000000073950000-0x000000007403E000-memory.dmp

          Filesize

          6.9MB

          Download