Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2023, 14:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b529184a968e187d8e3c1fb1d4133608e61ff7f7e95fc84098679ae5339f907e.exe

  • Size

    389KB

  • MD5

    dc040decb5b2c6d9ecea559a7c5adc75

  • SHA1

    e86cf376c49fb3c5c44ba7a16adbb3fe210621f1

  • SHA256

    b529184a968e187d8e3c1fb1d4133608e61ff7f7e95fc84098679ae5339f907e

  • SHA512

    8a76c94b058a49678440aadb905a60c74b75076d019d8f53098bdfe927e5a6736eef0889be74d489cfaf1cb8648aec3ee9e41590986bce116762423af6de6df0

  • SSDEEP

    6144:Kpy+bnr+ep0yN90QE9ktVd8DkWcnZNbQR59iq/PMGNZleISatV2xPN8n6degk6uz:rMriy90LkHdN6nfzG86IF

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b529184a968e187d8e3c1fb1d4133608e61ff7f7e95fc84098679ae5339f907e.exe
    "C:\Users\Admin\AppData\Local\Temp\b529184a968e187d8e3c1fb1d4133608e61ff7f7e95fc84098679ae5339f907e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4546804.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4546804.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9028422.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9028422.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3704
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8754031.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8754031.exe
        3⤵
        • Executes dropped EXE
        PID:3824

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4546804.exe
    Filesize

    206KB

    MD5

    1ae81ee65d5f4844b00c6acaab3879c7

    SHA1

    41727f9b14d383d9f1c81a5f694b2e70df7d9c1a

    SHA256

    59e6b06484b1f5ea0b1fc60f1538b648b33ccab92338b0aa254163be57e96e88

    SHA512

    8aa7da0ebfa95fb1b3c96eadbedd73a386e48ff5387b992988b43c88e754045701a6b9083fd245aba8fd1cc195487466e150fc267232fa662c85cf9a6ed4863b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4546804.exe
    Filesize

    206KB

    MD5

    1ae81ee65d5f4844b00c6acaab3879c7

    SHA1

    41727f9b14d383d9f1c81a5f694b2e70df7d9c1a

    SHA256

    59e6b06484b1f5ea0b1fc60f1538b648b33ccab92338b0aa254163be57e96e88

    SHA512

    8aa7da0ebfa95fb1b3c96eadbedd73a386e48ff5387b992988b43c88e754045701a6b9083fd245aba8fd1cc195487466e150fc267232fa662c85cf9a6ed4863b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9028422.exe
    Filesize

    14KB

    MD5

    175c4e2ac002cb35f48ba3dd1fccea31

    SHA1

    06713e5403e736c2a1f7b7e45ab85977e0548af0

    SHA256

    603d54329427db981a3bc8db57158ef07cdb5e97fb6b97032b4afe67f183ca14

    SHA512

    74a422a3604c23394cf89ce00ae341aa475561e8a83ddb965bcac848e23f4d6ca051089791e265186a3958f316692af94a9b922b75d1484b89883efc4104dca1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9028422.exe
    Filesize

    14KB

    MD5

    175c4e2ac002cb35f48ba3dd1fccea31

    SHA1

    06713e5403e736c2a1f7b7e45ab85977e0548af0

    SHA256

    603d54329427db981a3bc8db57158ef07cdb5e97fb6b97032b4afe67f183ca14

    SHA512

    74a422a3604c23394cf89ce00ae341aa475561e8a83ddb965bcac848e23f4d6ca051089791e265186a3958f316692af94a9b922b75d1484b89883efc4104dca1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8754031.exe
    Filesize

    172KB

    MD5

    9db49e0699e91bd6432e0709b840d098

    SHA1

    57f693cb5ab91aabf31b4065b49e340b7b185c88

    SHA256

    f3ee188c13942e52dd3dc6a4e804c4f1f07c307c1cb2287fcde7293f9d27b1d8

    SHA512

    90ceaf432e7712db57218350e138f5e034d8356d3afb5e349dbe69ff0de9330913e6a833ad0a2ca50ca82805aa70dbb00f0e0024e78f590a84f1bd80a473f59a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8754031.exe
    Filesize

    172KB

    MD5

    9db49e0699e91bd6432e0709b840d098

    SHA1

    57f693cb5ab91aabf31b4065b49e340b7b185c88

    SHA256

    f3ee188c13942e52dd3dc6a4e804c4f1f07c307c1cb2287fcde7293f9d27b1d8

    SHA512

    90ceaf432e7712db57218350e138f5e034d8356d3afb5e349dbe69ff0de9330913e6a833ad0a2ca50ca82805aa70dbb00f0e0024e78f590a84f1bd80a473f59a

    Download Submit

  • memory/3704-147-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3704-152-0x00007FFC5BCB0000-0x00007FFC5C771000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3704-148-0x00007FFC5BCB0000-0x00007FFC5C771000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3824-154-0x00000000002F0000-0x0000000000320000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3824-155-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3824-156-0x00000000052E0000-0x00000000058F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3824-157-0x0000000004DD0000-0x0000000004EDA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3824-158-0x0000000004C70000-0x0000000004C82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3824-159-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3824-160-0x0000000004D00000-0x0000000004D3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3824-161-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3824-162-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

    Filesize

    64KB

    Download