Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18/07/2023, 17:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83c73d0d9518dc6648db99281be89a279029f9c36a885ed039bb92cc3cbbdf5b.exe

  • Size

    389KB

  • MD5

    c139fbd1b4725c51d2e4067096f4c83b

  • SHA1

    c2f984b1193b36ac7ecf78eeff9d69e230ef31e7

  • SHA256

    83c73d0d9518dc6648db99281be89a279029f9c36a885ed039bb92cc3cbbdf5b

  • SHA512

    02876c1cf94625ff396adb18bd5a61c55a2a2f21e52a50f43217a8d7432bddaa1e63985614180b0a7e4de6af034730bb1387bf8c1b529a06839af2e3c7782407

  • SSDEEP

    6144:KNy+bnr+Np0yN90QE4d17xtq2+xXsGn3F/b1Wj8Xlrp:rMr5y90OdNxuxbVT/D

Score
10/10
healerredlineromadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83c73d0d9518dc6648db99281be89a279029f9c36a885ed039bb92cc3cbbdf5b.exe
    "C:\Users\Admin\AppData\Local\Temp\83c73d0d9518dc6648db99281be89a279029f9c36a885ed039bb92cc3cbbdf5b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7186535.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7186535.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1135636.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1135636.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4184
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0394142.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0394142.exe
        3⤵
        • Executes dropped EXE
        PID:3152

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7186535.exe
    Filesize

    206KB

    MD5

    fe4b924d781c47ba46791cfc4820b5e3

    SHA1

    a9e77643bd720e3abf8a13401c71c42f19f54595

    SHA256

    1e42670c4944424af4e3789ec744cf3dbc92ccaf7002e1470395c45b76e8ccbc

    SHA512

    8d7414bb508baa5bedd0059f044113b2bc3904f12aa7df9ab59cc0ba7c7463ad00dc0548abd2650f78093039665698888c193467235e3beecff5c05eb500f6a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7186535.exe
    Filesize

    206KB

    MD5

    fe4b924d781c47ba46791cfc4820b5e3

    SHA1

    a9e77643bd720e3abf8a13401c71c42f19f54595

    SHA256

    1e42670c4944424af4e3789ec744cf3dbc92ccaf7002e1470395c45b76e8ccbc

    SHA512

    8d7414bb508baa5bedd0059f044113b2bc3904f12aa7df9ab59cc0ba7c7463ad00dc0548abd2650f78093039665698888c193467235e3beecff5c05eb500f6a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1135636.exe
    Filesize

    13KB

    MD5

    08472a5304beae54178f450247d8075c

    SHA1

    542522a353df144a8b6c21cd7af9fcccf21a5471

    SHA256

    d8b83432045e9b8de008d6640cc99cb2a8af7c2db2fdb75650e3566fa4213087

    SHA512

    59e93ffb2eed1492e7efc9be382147dbf9a3fc314d9ee92e984cd3ca2aeb2a15b96ada4ece6fd681adfb92f7023f11283852ff72a5c079306d7c7e8da0de6e05

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1135636.exe
    Filesize

    13KB

    MD5

    08472a5304beae54178f450247d8075c

    SHA1

    542522a353df144a8b6c21cd7af9fcccf21a5471

    SHA256

    d8b83432045e9b8de008d6640cc99cb2a8af7c2db2fdb75650e3566fa4213087

    SHA512

    59e93ffb2eed1492e7efc9be382147dbf9a3fc314d9ee92e984cd3ca2aeb2a15b96ada4ece6fd681adfb92f7023f11283852ff72a5c079306d7c7e8da0de6e05

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0394142.exe
    Filesize

    174KB

    MD5

    8a621b09faa7f4b6c82b793b5a66b545

    SHA1

    6e4296a685f1cff0a6a553ea58c3f2f77009e19d

    SHA256

    5b00060982b31611a906c7ed707e6bc6ade0e82e434c9df70473748099d1d476

    SHA512

    fb22ca40a2636ddcdf913753552a6d1efe6695ec5e9f2014ff7c7b5677eadd70d415708a57a4836bac8fdf2dd0698af6169e4b7dbf6649f80fe2e7f2c3f27b3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0394142.exe
    Filesize

    174KB

    MD5

    8a621b09faa7f4b6c82b793b5a66b545

    SHA1

    6e4296a685f1cff0a6a553ea58c3f2f77009e19d

    SHA256

    5b00060982b31611a906c7ed707e6bc6ade0e82e434c9df70473748099d1d476

    SHA512

    fb22ca40a2636ddcdf913753552a6d1efe6695ec5e9f2014ff7c7b5677eadd70d415708a57a4836bac8fdf2dd0698af6169e4b7dbf6649f80fe2e7f2c3f27b3b

    Download Submit

  • memory/3152-142-0x000000000A530000-0x000000000AB36000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3152-139-0x0000000000250000-0x0000000000280000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3152-140-0x0000000072DE0000-0x00000000734CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3152-141-0x0000000004910000-0x0000000004916000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3152-143-0x000000000A060000-0x000000000A16A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3152-144-0x0000000009F90000-0x0000000009FA2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3152-145-0x0000000009FF0000-0x000000000A02E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3152-146-0x000000000A170000-0x000000000A1BB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3152-147-0x0000000072DE0000-0x00000000734CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4184-135-0x00007FFD62310000-0x00007FFD62CFC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4184-133-0x00007FFD62310000-0x00007FFD62CFC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4184-132-0x0000000000430000-0x000000000043A000-memory.dmp

    Filesize

    40KB

    Download