Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2023 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    953317f4b9fe7c635a7e567bc8364004a924201e132d32b4b52e3e8ddc186107.exe

  • Size

    389KB

  • MD5

    8460839d88470abc63cb8b0627566bf9

  • SHA1

    d2d3a870c95135379130e0c8a1a6454dde7eb346

  • SHA256

    953317f4b9fe7c635a7e567bc8364004a924201e132d32b4b52e3e8ddc186107

  • SHA512

    6289d16e5ba5236ee45bfc9eca6b58ed740e7ee0a7c3fc99b6c96b5e7533bf7384121f9166e6f79fdcc17dc20613d3485b510d350be5ad86becc5db842459e84

  • SSDEEP

    6144:K1y+bnr+ep0yN90QEn6DP5m21srlPhkxPb27HSZt8nlzcVF9SF+zrotU0Ky:zMray908Dhm21srlORiY8lvFCU1

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\953317f4b9fe7c635a7e567bc8364004a924201e132d32b4b52e3e8ddc186107.exe
    "C:\Users\Admin\AppData\Local\Temp\953317f4b9fe7c635a7e567bc8364004a924201e132d32b4b52e3e8ddc186107.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1682308.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1682308.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7738617.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7738617.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4456
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5838206.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5838206.exe
        3⤵
        • Executes dropped EXE
        PID:3384
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:2472

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1682308.exe
    Filesize

    206KB

    MD5

    45670307210ea2d13188590a65ef4d52

    SHA1

    accdfc52272755a4911f376663f4cc4a19549e09

    SHA256

    15c363b40e9d8c40bfcae71e938c00297023a6e86d5af7d206dd61d01462287f

    SHA512

    0c031d53d2332af4b282c6ee325a98c75c2b858aaf354f5951b4b64596f340a1f7d6974f0c0a5470452e2efe4cd4b8851a6aafd8c370f7580294cff3dec0464b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1682308.exe
    Filesize

    206KB

    MD5

    45670307210ea2d13188590a65ef4d52

    SHA1

    accdfc52272755a4911f376663f4cc4a19549e09

    SHA256

    15c363b40e9d8c40bfcae71e938c00297023a6e86d5af7d206dd61d01462287f

    SHA512

    0c031d53d2332af4b282c6ee325a98c75c2b858aaf354f5951b4b64596f340a1f7d6974f0c0a5470452e2efe4cd4b8851a6aafd8c370f7580294cff3dec0464b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7738617.exe
    Filesize

    14KB

    MD5

    401d935743b951c182a66102839d1ce1

    SHA1

    f430e91135b8781bd899177ad775ec4a3ef6d406

    SHA256

    6e63c3ec76b7ce479b255d968b3c4a9eb8999590cd050018dc171101f7f16cca

    SHA512

    c7c095ee8e9fd820931ffb48b85299edd92a8b8fe264a6a5e0a7bb137765ea8c217f7bfdd60af43b78d4ccb2a2ad41caed4d426875b57baee7ff6848211b6ed2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7738617.exe
    Filesize

    14KB

    MD5

    401d935743b951c182a66102839d1ce1

    SHA1

    f430e91135b8781bd899177ad775ec4a3ef6d406

    SHA256

    6e63c3ec76b7ce479b255d968b3c4a9eb8999590cd050018dc171101f7f16cca

    SHA512

    c7c095ee8e9fd820931ffb48b85299edd92a8b8fe264a6a5e0a7bb137765ea8c217f7bfdd60af43b78d4ccb2a2ad41caed4d426875b57baee7ff6848211b6ed2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5838206.exe
    Filesize

    172KB

    MD5

    ad5bc0c86c062af70650d025f2232840

    SHA1

    026ec6636162136f044e1a82558eee880f755bca

    SHA256

    2318810d24bab47008d3dec198f922bf442b437591629a29c971a636bef8aed3

    SHA512

    c1be37eba3784ea83b3f6e6e5babc1347d44b5b8327c2db94a90b4d2213c4b34e861aa935ff78562983838002da2bcb70506df7cb4f842b533b55cf60d264d1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5838206.exe
    Filesize

    172KB

    MD5

    ad5bc0c86c062af70650d025f2232840

    SHA1

    026ec6636162136f044e1a82558eee880f755bca

    SHA256

    2318810d24bab47008d3dec198f922bf442b437591629a29c971a636bef8aed3

    SHA512

    c1be37eba3784ea83b3f6e6e5babc1347d44b5b8327c2db94a90b4d2213c4b34e861aa935ff78562983838002da2bcb70506df7cb4f842b533b55cf60d264d1e

    Download Submit

  • memory/3384-157-0x000000000A0F0000-0x000000000A1FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3384-155-0x00000000740D0000-0x0000000074880000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3384-154-0x0000000000140000-0x0000000000170000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3384-156-0x000000000A5B0000-0x000000000ABC8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3384-159-0x000000000A030000-0x000000000A042000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3384-158-0x0000000004B00000-0x0000000004B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3384-160-0x000000000A090000-0x000000000A0CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3384-161-0x00000000740D0000-0x0000000074880000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3384-162-0x0000000004B00000-0x0000000004B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4456-150-0x00007FFB2F470000-0x00007FFB2FF31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4456-148-0x00007FFB2F470000-0x00007FFB2FF31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4456-147-0x00000000001E0000-0x00000000001EA000-memory.dmp

    Filesize

    40KB

    Download