Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2023 05:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a51506822471b2f699afa9abb7d24300e051a17060e0953f92697c72351c688.exe

  • Size

    389KB

  • MD5

    5f286d0fd40cd9646aeaee18e17a75d7

  • SHA1

    28c1a00a6428ddd44ec0eb952ec1e5b80b475768

  • SHA256

    7a51506822471b2f699afa9abb7d24300e051a17060e0953f92697c72351c688

  • SHA512

    09abb3a3d45d7b44db2cbb2994b0bb29ecc6ba1ffb74399c2de8a9d19423218342a0d0a8dcd2166c410c3541f2ecc7ab3775916ab25bcbcf81ce6eb020d1b97d

  • SSDEEP

    6144:Ksy+bnr+cp0yN90QEg/+X5WrF6eUhtjeXoOuwzpBEhbsgnlTuy5+Oy3mJ+4sqx:gMrky90+2XAGjeY/EpChwgn5+W2qx

Score
10/10
healerredlineromadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a51506822471b2f699afa9abb7d24300e051a17060e0953f92697c72351c688.exe
    "C:\Users\Admin\AppData\Local\Temp\7a51506822471b2f699afa9abb7d24300e051a17060e0953f92697c72351c688.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2946977.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2946977.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7285043.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7285043.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:636
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6961113.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6961113.exe
        3⤵
        • Executes dropped EXE
        PID:3552

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2946977.exe
    Filesize

    206KB

    MD5

    7347ee43261a24c9442b38729640f0dc

    SHA1

    4148f61457368efae9f2b1fa06f090514065bc86

    SHA256

    b24abcbbbfa891f1143af55c2d833a609143a647c4082ea671d38bd80fe33b7c

    SHA512

    1be4b4fdf954c817660577620e44538c43c389c1c03d9e251e49ee7d39920340876c088394690b78505c63c20fb5d5c068d6c09d2d9b08be91ef7f15def96ac3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2946977.exe
    Filesize

    206KB

    MD5

    7347ee43261a24c9442b38729640f0dc

    SHA1

    4148f61457368efae9f2b1fa06f090514065bc86

    SHA256

    b24abcbbbfa891f1143af55c2d833a609143a647c4082ea671d38bd80fe33b7c

    SHA512

    1be4b4fdf954c817660577620e44538c43c389c1c03d9e251e49ee7d39920340876c088394690b78505c63c20fb5d5c068d6c09d2d9b08be91ef7f15def96ac3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7285043.exe
    Filesize

    13KB

    MD5

    ad052e2c6588fd1a249bcf9e30de4109

    SHA1

    d7dc263a061744d420bb36afaae1f3252784d77a

    SHA256

    080a9cd8883f488b045673663398aebc924fc75cfac64338fb2e06c8741c2bf2

    SHA512

    557947438c1048b6629c82643e483ea7b8682fbd4615225d26bbdebf1b6dd372c35362fa772498fa9ced0de9b94fb476b4590f84d743e00d551057ca65601368

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7285043.exe
    Filesize

    13KB

    MD5

    ad052e2c6588fd1a249bcf9e30de4109

    SHA1

    d7dc263a061744d420bb36afaae1f3252784d77a

    SHA256

    080a9cd8883f488b045673663398aebc924fc75cfac64338fb2e06c8741c2bf2

    SHA512

    557947438c1048b6629c82643e483ea7b8682fbd4615225d26bbdebf1b6dd372c35362fa772498fa9ced0de9b94fb476b4590f84d743e00d551057ca65601368

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6961113.exe
    Filesize

    175KB

    MD5

    9f56264e8a7cca7bddd7c373b82b0e41

    SHA1

    e830ec14da5613c04747935d0dd85c80f689a092

    SHA256

    7153abaafeec44d23dbcb717d5e0946663306feb1ca57ebef7f3ffc37ce6abc0

    SHA512

    a60c34e4379b16f00fe6f51b17ad044d0261219b648fc6d42047cc807a9eb4982bd46d3e00d4777f88332acd6b7d7b2721edc4f606fbd2dde9796432aa35fcbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6961113.exe
    Filesize

    175KB

    MD5

    9f56264e8a7cca7bddd7c373b82b0e41

    SHA1

    e830ec14da5613c04747935d0dd85c80f689a092

    SHA256

    7153abaafeec44d23dbcb717d5e0946663306feb1ca57ebef7f3ffc37ce6abc0

    SHA512

    a60c34e4379b16f00fe6f51b17ad044d0261219b648fc6d42047cc807a9eb4982bd46d3e00d4777f88332acd6b7d7b2721edc4f606fbd2dde9796432aa35fcbe

    Download Submit

  • memory/636-150-0x0000000000B30000-0x0000000000B3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/636-154-0x00007FFA57060000-0x00007FFA57B21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/636-152-0x00007FFA57060000-0x00007FFA57B21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/636-151-0x00007FFA57060000-0x00007FFA57B21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3552-158-0x0000000074700000-0x0000000074EB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3552-159-0x0000000000DA0000-0x0000000000DD0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3552-160-0x000000000B0C0000-0x000000000B6D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3552-161-0x000000000AC10000-0x000000000AD1A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3552-163-0x000000000AB50000-0x000000000AB62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3552-162-0x0000000005710000-0x0000000005720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3552-164-0x000000000ABB0000-0x000000000ABEC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3552-165-0x0000000074700000-0x0000000074EB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3552-166-0x0000000005710000-0x0000000005720000-memory.dmp

    Filesize

    64KB

    Download