Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2023, 22:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b20dc87b265c93b6666cb997a87c40df3a4d73fe7413216cd47b6c218d2408c5.exe

  • Size

    389KB

  • MD5

    a02e159b2a984bdb0d2d2559fba7269e

  • SHA1

    ff9ea0c81d4d05564b71b9a735bfdc7b32ef2573

  • SHA256

    b20dc87b265c93b6666cb997a87c40df3a4d73fe7413216cd47b6c218d2408c5

  • SHA512

    acdca84a2deab0eeef4b7c15405f5693be9d9badae41346a8fdb7deb52d4fdea2dcc32dd237c14e2c783946cd71baf5e652fc0fa2da62467e53eca8e1bd2168d

  • SSDEEP

    6144:Kay+bnr+zp0yN90QECc+rAA5WKkWxjZNSQRWcPFwyXAgm+Ernmzgga3lrmbkRhGy:uMrby90Ucz+QsZNkrYoh8QV

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b20dc87b265c93b6666cb997a87c40df3a4d73fe7413216cd47b6c218d2408c5.exe
    "C:\Users\Admin\AppData\Local\Temp\b20dc87b265c93b6666cb997a87c40df3a4d73fe7413216cd47b6c218d2408c5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7078072.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7078072.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2119255.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2119255.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4473893.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4473893.exe
        3⤵
        • Executes dropped EXE
        PID:3752

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7078072.exe
          Filesize

          206KB

          MD5

          4ba36568f6b78d954702e75b7a8bf45e

          SHA1

          ff4bc8f25dc1abaf371796c93ce806458f26a3cb

          SHA256

          a9820f497c7da24649bc11d6689005eb44ba277cfadaac06927e7f91a8f97b24

          SHA512

          41fca189ee7c7ab820e0339c8e1690bd083db387436878f1f89d6372a9f91d06bb4a90acadac893433f99173b95e056f3e0b25fc8339bee14a0536c6db384a66

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7078072.exe
          Filesize

          206KB

          MD5

          4ba36568f6b78d954702e75b7a8bf45e

          SHA1

          ff4bc8f25dc1abaf371796c93ce806458f26a3cb

          SHA256

          a9820f497c7da24649bc11d6689005eb44ba277cfadaac06927e7f91a8f97b24

          SHA512

          41fca189ee7c7ab820e0339c8e1690bd083db387436878f1f89d6372a9f91d06bb4a90acadac893433f99173b95e056f3e0b25fc8339bee14a0536c6db384a66

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2119255.exe
          Filesize

          14KB

          MD5

          b6d8535a4f01ee6353c1fc97729653b4

          SHA1

          46e8d22093f14941d719b0fd45ab255348de1cc0

          SHA256

          9764feb210d842bff640df3b406c99fe77492c0ee4cbfc22dd60d648b0ef8c1c

          SHA512

          732deb510f1bbf920f039311732aebc673771730b04c67a565210aaabccce4b10497863fb1599bfe320ca1a0d2964f4414b5c76f577abf840568b6b8a54d3c3a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2119255.exe
          Filesize

          14KB

          MD5

          b6d8535a4f01ee6353c1fc97729653b4

          SHA1

          46e8d22093f14941d719b0fd45ab255348de1cc0

          SHA256

          9764feb210d842bff640df3b406c99fe77492c0ee4cbfc22dd60d648b0ef8c1c

          SHA512

          732deb510f1bbf920f039311732aebc673771730b04c67a565210aaabccce4b10497863fb1599bfe320ca1a0d2964f4414b5c76f577abf840568b6b8a54d3c3a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4473893.exe
          Filesize

          173KB

          MD5

          92ceac1b359061b75a3d9ef94b66b3ce

          SHA1

          a49a59e8b7c966bd2d73f83eee85ac595be8a23b

          SHA256

          e581478e6e3edb9349df1d2edb60705e8f2bf19ca5d94b30630c24f4ba7b9515

          SHA512

          03aef779e834c61764360334bc51ab88f4655179ee4bb2ad2c61bfeab4acb57b1444a727837d9b82a23818595e4a5540010317f1288dba93826a2f695baebfc0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4473893.exe
          Filesize

          173KB

          MD5

          92ceac1b359061b75a3d9ef94b66b3ce

          SHA1

          a49a59e8b7c966bd2d73f83eee85ac595be8a23b

          SHA256

          e581478e6e3edb9349df1d2edb60705e8f2bf19ca5d94b30630c24f4ba7b9515

          SHA512

          03aef779e834c61764360334bc51ab88f4655179ee4bb2ad2c61bfeab4acb57b1444a727837d9b82a23818595e4a5540010317f1288dba93826a2f695baebfc0

          Download Submit

        • memory/3752-157-0x00000000059B0000-0x0000000005ABA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3752-155-0x0000000074590000-0x0000000074D40000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3752-154-0x0000000000F30000-0x0000000000F60000-memory.dmp

          Filesize

          192KB

          Download

        • memory/3752-156-0x0000000005EC0000-0x00000000064D8000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3752-158-0x0000000005890000-0x00000000058A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3752-159-0x00000000058C0000-0x00000000058D2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3752-160-0x0000000005920000-0x000000000595C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3752-161-0x0000000074590000-0x0000000074D40000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3752-162-0x0000000005890000-0x00000000058A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4372-150-0x00007FF8EFC10000-0x00007FF8F06D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4372-148-0x00007FF8EFC10000-0x00007FF8F06D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4372-147-0x0000000000730000-0x000000000073A000-memory.dmp

          Filesize

          40KB

          Download