Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/07/2023, 18:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d8738ce3cc03096157c3756f7a5010583830f150867d84b0fdd4d0438c4228d1.exe

  • Size

    389KB

  • MD5

    d4b29e8f6dbaacd6afab3c5f240314da

  • SHA1

    637283774d25a6781c796bed544c49172be3d13f

  • SHA256

    d8738ce3cc03096157c3756f7a5010583830f150867d84b0fdd4d0438c4228d1

  • SHA512

    b2f76bea5ecbf4c45b3e5b6cfc51f466388ea68c0347d1bef84413ce201855b04b39540c3a4d1764df6e439ab3929e4bca334479a353e50a0114cbf6c7898fbe

  • SSDEEP

    6144:Koy+bnr+Dp0yN90QEdY/iSg47fs8FElg5qhE87Z0NeZUHkksptVXfQHZW:YMrjy90s/dgIsuElW8m8iHkZdfUW

Score
10/10
healerredlineromadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8738ce3cc03096157c3756f7a5010583830f150867d84b0fdd4d0438c4228d1.exe
    "C:\Users\Admin\AppData\Local\Temp\d8738ce3cc03096157c3756f7a5010583830f150867d84b0fdd4d0438c4228d1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2110235.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2110235.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1085134.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1085134.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4500
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0521568.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0521568.exe
        3⤵
        • Executes dropped EXE
        PID:4288
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1376

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2110235.exe
          Filesize

          206KB

          MD5

          6fbcb395e9decb41112e226211abd295

          SHA1

          807cb494d4628817208067a93aa97fb1deff7dfe

          SHA256

          787a3d3d375248bb8b492e65b53a3a763c4bfcfe751058c3d570b3c481f4abc0

          SHA512

          0a117cd75975b9568b8152bc73cfaa6d0399227537cd2efe4878977c2e398a97258a93c06fbfa40a66879d2a74139936c1a59b9a9e44fd3bff0e7e9bef437543

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2110235.exe
          Filesize

          206KB

          MD5

          6fbcb395e9decb41112e226211abd295

          SHA1

          807cb494d4628817208067a93aa97fb1deff7dfe

          SHA256

          787a3d3d375248bb8b492e65b53a3a763c4bfcfe751058c3d570b3c481f4abc0

          SHA512

          0a117cd75975b9568b8152bc73cfaa6d0399227537cd2efe4878977c2e398a97258a93c06fbfa40a66879d2a74139936c1a59b9a9e44fd3bff0e7e9bef437543

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1085134.exe
          Filesize

          13KB

          MD5

          c0f7c7d486b9cccd0c7915a132536bff

          SHA1

          473416639b633c0ad99f42f4918ff04bb8a28793

          SHA256

          9646391a4aa3189d0c367025621b62398d48fc4a93d64b3fb917466accb7ed9a

          SHA512

          6f8d79f2e65168601084f5843e2ae1944c6044fe7f8fbe36ac2d67fa34137e0c2b5463cf4372c6b7189abf35cba7242be0cc182cd52d933d354ada6fb4908383

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1085134.exe
          Filesize

          13KB

          MD5

          c0f7c7d486b9cccd0c7915a132536bff

          SHA1

          473416639b633c0ad99f42f4918ff04bb8a28793

          SHA256

          9646391a4aa3189d0c367025621b62398d48fc4a93d64b3fb917466accb7ed9a

          SHA512

          6f8d79f2e65168601084f5843e2ae1944c6044fe7f8fbe36ac2d67fa34137e0c2b5463cf4372c6b7189abf35cba7242be0cc182cd52d933d354ada6fb4908383

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0521568.exe
          Filesize

          174KB

          MD5

          46420d23ed279ba28274968dd98994d1

          SHA1

          14932597aef53895c86e1cac2871291e76846816

          SHA256

          c53b3b107724bfe5cd2ec26f161b62ce63feb0acb5a1697b7af8d1d68f3de290

          SHA512

          cadb14858a917c6adccddc6138f761073b4080855660ac7f926d7bf7a131f462dd8c77034d0366e6df2fbf7830cdb5352f6f29b876f23e22ae901094d27ba6fb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0521568.exe
          Filesize

          174KB

          MD5

          46420d23ed279ba28274968dd98994d1

          SHA1

          14932597aef53895c86e1cac2871291e76846816

          SHA256

          c53b3b107724bfe5cd2ec26f161b62ce63feb0acb5a1697b7af8d1d68f3de290

          SHA512

          cadb14858a917c6adccddc6138f761073b4080855660ac7f926d7bf7a131f462dd8c77034d0366e6df2fbf7830cdb5352f6f29b876f23e22ae901094d27ba6fb

          Download Submit

        • memory/4288-157-0x0000000005B00000-0x0000000005C0A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4288-154-0x0000000000F60000-0x0000000000F90000-memory.dmp

          Filesize

          192KB

          Download

        • memory/4288-155-0x0000000073DE0000-0x0000000074590000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4288-156-0x0000000006010000-0x0000000006628000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/4288-159-0x00000000057E0000-0x00000000057F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4288-158-0x0000000005A30000-0x0000000005A42000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4288-160-0x0000000005A90000-0x0000000005ACC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4288-161-0x0000000073DE0000-0x0000000074590000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4288-162-0x00000000057E0000-0x00000000057F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4500-150-0x00007FFDA9780000-0x00007FFDAA241000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4500-148-0x00007FFDA9780000-0x00007FFDAA241000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4500-147-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

          Filesize

          40KB

          Download