Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2023 19:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e186d15ae0a6bb5e30aa3d14c1841114769bc6165b757b5ed9de23f8e8911ba1.exe

  • Size

    389KB

  • MD5

    ac742d9be518b47a9d42b5b784a9e3e2

  • SHA1

    6bebcb288c5fb69b37be8fcdcb5997dc1b9e03a6

  • SHA256

    e186d15ae0a6bb5e30aa3d14c1841114769bc6165b757b5ed9de23f8e8911ba1

  • SHA512

    476465fea7cc5578ae4578777e1cd7e08900e5fc3f406904455e4c9176a82556c021ead6462f3f26093480d5ab166db77abde826f048b9d63f3fa8b1a5b48e37

  • SSDEEP

    12288:rMrPy90egsnucuqzAV1f/0AIatWQzjg1l:cyqsnGFsAVWd1l

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e186d15ae0a6bb5e30aa3d14c1841114769bc6165b757b5ed9de23f8e8911ba1.exe
    "C:\Users\Admin\AppData\Local\Temp\e186d15ae0a6bb5e30aa3d14c1841114769bc6165b757b5ed9de23f8e8911ba1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3864
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8430101.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8430101.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2580264.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2580264.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4956
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6601247.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6601247.exe
        3⤵
        • Executes dropped EXE
        PID:864

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8430101.exe
    Filesize

    206KB

    MD5

    d07e4ec995d8599d8769d21854fe1552

    SHA1

    61573cc9fac86744492765dc1177b77941eccaef

    SHA256

    3398fec28faf65520057f7254ca75e30d6850bbfb7ec234c1ec5453894e8dbac

    SHA512

    3e5718dedf7e881979b0591788a8e8a4a0abd8bbd89955723ead9a96f8380457ddffd86113ebedf467f444865ef83e25d506ab31a3605769bbfec810cc767501

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8430101.exe
    Filesize

    206KB

    MD5

    d07e4ec995d8599d8769d21854fe1552

    SHA1

    61573cc9fac86744492765dc1177b77941eccaef

    SHA256

    3398fec28faf65520057f7254ca75e30d6850bbfb7ec234c1ec5453894e8dbac

    SHA512

    3e5718dedf7e881979b0591788a8e8a4a0abd8bbd89955723ead9a96f8380457ddffd86113ebedf467f444865ef83e25d506ab31a3605769bbfec810cc767501

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2580264.exe
    Filesize

    14KB

    MD5

    a738b9aed1ed61c92b9bfa697ee5d3c5

    SHA1

    71e3e4d30aea09682f3f091ae2d7d5349a9a2173

    SHA256

    6d7ab3bf87e145fa09dfaace9c25a6de23e962e2dac05ddeb1bc671bf737e2f8

    SHA512

    c38f4bad89a930eaaf515dd256026313bb8947de2fc576452fb3766865eb70205a38b9b60ed3c730c1421b0e0d8db231a88d84225813e8e1020c53f7075a03e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2580264.exe
    Filesize

    14KB

    MD5

    a738b9aed1ed61c92b9bfa697ee5d3c5

    SHA1

    71e3e4d30aea09682f3f091ae2d7d5349a9a2173

    SHA256

    6d7ab3bf87e145fa09dfaace9c25a6de23e962e2dac05ddeb1bc671bf737e2f8

    SHA512

    c38f4bad89a930eaaf515dd256026313bb8947de2fc576452fb3766865eb70205a38b9b60ed3c730c1421b0e0d8db231a88d84225813e8e1020c53f7075a03e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6601247.exe
    Filesize

    173KB

    MD5

    e39e4a8fa5bb7a9771f95b87cfdd7ff0

    SHA1

    0f0f39fbfb897aec2a19edd537f01b372285e6e7

    SHA256

    92b03a435bbe8e8e2cfaab8d2d607cc4b6352db1c1277998fb1348a9d468203e

    SHA512

    ca490f3c9f03adfe8bf9a8dabdcd000359d4e5a3fe6306d6d43889b4ad6b66f152d52095e164ea48b9fb8b28cc80fb616413900a0cf811a5f871095305906a01

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6601247.exe
    Filesize

    173KB

    MD5

    e39e4a8fa5bb7a9771f95b87cfdd7ff0

    SHA1

    0f0f39fbfb897aec2a19edd537f01b372285e6e7

    SHA256

    92b03a435bbe8e8e2cfaab8d2d607cc4b6352db1c1277998fb1348a9d468203e

    SHA512

    ca490f3c9f03adfe8bf9a8dabdcd000359d4e5a3fe6306d6d43889b4ad6b66f152d52095e164ea48b9fb8b28cc80fb616413900a0cf811a5f871095305906a01

    Download Submit

  • memory/864-157-0x00000000059D0000-0x0000000005FE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/864-155-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/864-156-0x0000000000A00000-0x0000000000A30000-memory.dmp

    Filesize

    192KB

    Download

  • memory/864-158-0x00000000054C0000-0x00000000055CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/864-159-0x0000000005380000-0x0000000005392000-memory.dmp

    Filesize

    72KB

    Download

  • memory/864-160-0x00000000053A0000-0x00000000053B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/864-161-0x00000000053F0000-0x000000000542C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/864-162-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/864-163-0x00000000053A0000-0x00000000053B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4956-151-0x00007FFCF01F0000-0x00007FFCF0CB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4956-149-0x00007FFCF01F0000-0x00007FFCF0CB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4956-148-0x00007FFCF01F0000-0x00007FFCF0CB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4956-147-0x00000000003A0000-0x00000000003AA000-memory.dmp

    Filesize

    40KB

    Download