Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2023, 19:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    93cc2d27d45225b83ea1c77dc105b9c92aac74917593100c4e6940f5f0e4dc72.exe

  • Size

    389KB

  • MD5

    3cae94f4d460b740684a15bf30e56883

  • SHA1

    e15f506e7ee51d4d0e44638a364ba1b2467714f8

  • SHA256

    93cc2d27d45225b83ea1c77dc105b9c92aac74917593100c4e6940f5f0e4dc72

  • SHA512

    5f95833ead25dbc86081434bc50bd86c7da73fa3799c3da7556c4c324f40cb81beb18130339addd226d451351af79ce80deadbfd90df0a02062a9496b8bfdafa

  • SSDEEP

    6144:Kfy+bnr+2p0yN90QE3Gf5DO9kW8PZNw3hEZLd8UyGntSUASt3T5wZsrYho8p:pMrSy90AxDOHEZh7SMt39mThoG

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\93cc2d27d45225b83ea1c77dc105b9c92aac74917593100c4e6940f5f0e4dc72.exe
    "C:\Users\Admin\AppData\Local\Temp\93cc2d27d45225b83ea1c77dc105b9c92aac74917593100c4e6940f5f0e4dc72.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7320450.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7320450.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1014187.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1014187.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5712245.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5712245.exe
        3⤵
        • Executes dropped EXE
        PID:4828

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7320450.exe
          Filesize

          206KB

          MD5

          f9dfc47edf26085924d691932ad2f96b

          SHA1

          be7c5b34aca5cb7fbed4e934c4ae681c65343667

          SHA256

          d1479cb435eb45754045fea2870fd47db4bcc46ea3425adf0cd9e31ef1aef43c

          SHA512

          a78d49cf3f0d17f1f57b4fd5788867e3b0afe63dbe7f301b32499b1dc480e6ee544816a292a9d30a219415b7e856cd5295f88b505a95e6a36385e61e31a1e7f1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7320450.exe
          Filesize

          206KB

          MD5

          f9dfc47edf26085924d691932ad2f96b

          SHA1

          be7c5b34aca5cb7fbed4e934c4ae681c65343667

          SHA256

          d1479cb435eb45754045fea2870fd47db4bcc46ea3425adf0cd9e31ef1aef43c

          SHA512

          a78d49cf3f0d17f1f57b4fd5788867e3b0afe63dbe7f301b32499b1dc480e6ee544816a292a9d30a219415b7e856cd5295f88b505a95e6a36385e61e31a1e7f1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1014187.exe
          Filesize

          14KB

          MD5

          13e995216f5c3bd5f030f650241e7dbd

          SHA1

          0d70f76e8fd00926b7b4c802e28fd362c0837126

          SHA256

          b55b7858d91a400e25383d93665a414755124188cb82006bff40a3c6a40fa3d3

          SHA512

          3c891a886ebaa5caac301e97512bf77f5f7940b287c1467348d29aafd0002ee8cb88554296127884b921eb47716a974bc4df47d790dadcd21d05f87b5cc82276

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1014187.exe
          Filesize

          14KB

          MD5

          13e995216f5c3bd5f030f650241e7dbd

          SHA1

          0d70f76e8fd00926b7b4c802e28fd362c0837126

          SHA256

          b55b7858d91a400e25383d93665a414755124188cb82006bff40a3c6a40fa3d3

          SHA512

          3c891a886ebaa5caac301e97512bf77f5f7940b287c1467348d29aafd0002ee8cb88554296127884b921eb47716a974bc4df47d790dadcd21d05f87b5cc82276

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5712245.exe
          Filesize

          173KB

          MD5

          73dd2c796c2d354236ccbae5756abd16

          SHA1

          924bd0a3bd68831e5410c3f8372247f57056ef01

          SHA256

          ce2933cc64a375bfc4a9de84575220e8d7dece94615a0b6c29f9929d41660d32

          SHA512

          a96e1a6dc77dc113e4e166aeaeb5490e2e070517a36db9dd90d48a2ecce72974623d9ba4943fa40d9b9e26cfdd4acae4c94895e1fc234fede3c447bf36f5fa1c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5712245.exe
          Filesize

          173KB

          MD5

          73dd2c796c2d354236ccbae5756abd16

          SHA1

          924bd0a3bd68831e5410c3f8372247f57056ef01

          SHA256

          ce2933cc64a375bfc4a9de84575220e8d7dece94615a0b6c29f9929d41660d32

          SHA512

          a96e1a6dc77dc113e4e166aeaeb5490e2e070517a36db9dd90d48a2ecce72974623d9ba4943fa40d9b9e26cfdd4acae4c94895e1fc234fede3c447bf36f5fa1c

          Download Submit

        • memory/2524-153-0x00007FFC2BE70000-0x00007FFC2C931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2524-148-0x00007FFC2BE70000-0x00007FFC2C931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2524-147-0x0000000000230000-0x000000000023A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4828-154-0x0000000000710000-0x0000000000740000-memory.dmp

          Filesize

          192KB

          Download

        • memory/4828-155-0x0000000074AB0000-0x0000000075260000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4828-156-0x0000000005870000-0x0000000005E88000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/4828-157-0x0000000005360000-0x000000000546A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4828-158-0x0000000005140000-0x0000000005150000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4828-159-0x00000000050D0000-0x00000000050E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4828-160-0x0000000005250000-0x000000000528C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4828-161-0x0000000074AB0000-0x0000000075260000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4828-162-0x0000000005140000-0x0000000005150000-memory.dmp

          Filesize

          64KB

          Download