Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2023 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8cd8d79f382743c1f225c33e26ca87ce3e02be794f81bc27a2a4246ad9fac15d.exe

  • Size

    389KB

  • MD5

    5852ce6173659b93ffb645ae359eeffa

  • SHA1

    2d19da873f236f6a95b15340995dd71e9780e8a1

  • SHA256

    8cd8d79f382743c1f225c33e26ca87ce3e02be794f81bc27a2a4246ad9fac15d

  • SHA512

    03810e7023435b96d36608b00ebe94290a2fd43c3b78059186b20d36ebe7e773779d57c24759be587ead49696259ebe6d0e08f6e2e34310e6d6a2cfdace67bb2

  • SSDEEP

    6144:KDy+bnr+Ip0yN90QEFXUyhWbmhXparmS24wcHgeGm4GtOnz9OX:lMrAy90vXVFh1pWOzcX

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cd8d79f382743c1f225c33e26ca87ce3e02be794f81bc27a2a4246ad9fac15d.exe
    "C:\Users\Admin\AppData\Local\Temp\8cd8d79f382743c1f225c33e26ca87ce3e02be794f81bc27a2a4246ad9fac15d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5175182.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5175182.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5200068.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5200068.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4496
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2662669.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2662669.exe
        3⤵
        • Executes dropped EXE
        PID:5000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5175182.exe
    Filesize

    206KB

    MD5

    6a5c2ac15220205aab9f6ff76d246913

    SHA1

    5d8ddfdee8b705e8b1f4025eaff1aaa7e96405ea

    SHA256

    252aa130a8bea105e6a6f714e42d2c6ab49630e2d6c00293a9d22574aeb51df6

    SHA512

    54018614f3c09899c52d4bc3ef038d5df9fd3fdac25cdbfbe38924515890545f2ee1e149589f65584106f123ca27cf3c6b1ee2da944a9d313bddbbf1226fb802

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5175182.exe
    Filesize

    206KB

    MD5

    6a5c2ac15220205aab9f6ff76d246913

    SHA1

    5d8ddfdee8b705e8b1f4025eaff1aaa7e96405ea

    SHA256

    252aa130a8bea105e6a6f714e42d2c6ab49630e2d6c00293a9d22574aeb51df6

    SHA512

    54018614f3c09899c52d4bc3ef038d5df9fd3fdac25cdbfbe38924515890545f2ee1e149589f65584106f123ca27cf3c6b1ee2da944a9d313bddbbf1226fb802

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5200068.exe
    Filesize

    15KB

    MD5

    5def9eecaa204f613f22ee01ea28c840

    SHA1

    b70edb04bec15813304e3117358085ec56016c1f

    SHA256

    5bbe4e1cae2d894bb6d05a272da690d3e7300398df6704dc60059ecb24840e66

    SHA512

    87945b1c788fb61b6cfa7ae659281527d4c7223fdb42338fc9601f7e9f9947b2996d54f76c77bca3afae50cc9697226aed6097b597c23ad36240f986ab6ab528

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5200068.exe
    Filesize

    15KB

    MD5

    5def9eecaa204f613f22ee01ea28c840

    SHA1

    b70edb04bec15813304e3117358085ec56016c1f

    SHA256

    5bbe4e1cae2d894bb6d05a272da690d3e7300398df6704dc60059ecb24840e66

    SHA512

    87945b1c788fb61b6cfa7ae659281527d4c7223fdb42338fc9601f7e9f9947b2996d54f76c77bca3afae50cc9697226aed6097b597c23ad36240f986ab6ab528

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2662669.exe
    Filesize

    175KB

    MD5

    051e2b6071d0f3d9c9ddccacb3152a10

    SHA1

    82813a087108a606dfac35f9309b45362adc890d

    SHA256

    1edb380fb15797b25ff1d6cc631dade15d6cba075e4291c1df3d943e7f10c144

    SHA512

    840aeba121f73d1f07aa21fb8737e42333879a09ca390670c45822361a3a00e12a1bf35a368718f6956c66ef3db10fb40f2ede438ade3928ac4c253cc94cda42

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2662669.exe
    Filesize

    175KB

    MD5

    051e2b6071d0f3d9c9ddccacb3152a10

    SHA1

    82813a087108a606dfac35f9309b45362adc890d

    SHA256

    1edb380fb15797b25ff1d6cc631dade15d6cba075e4291c1df3d943e7f10c144

    SHA512

    840aeba121f73d1f07aa21fb8737e42333879a09ca390670c45822361a3a00e12a1bf35a368718f6956c66ef3db10fb40f2ede438ade3928ac4c253cc94cda42

    Download Submit

  • memory/4496-147-0x0000000000730000-0x000000000073A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4496-150-0x00007FFCE5B60000-0x00007FFCE6621000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4496-148-0x00007FFCE5B60000-0x00007FFCE6621000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5000-154-0x0000000074360000-0x0000000074B10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5000-155-0x0000000000A50000-0x0000000000A80000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5000-156-0x000000000ADF0000-0x000000000B408000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5000-157-0x000000000A8E0000-0x000000000A9EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5000-159-0x0000000005340000-0x0000000005350000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5000-158-0x000000000A800000-0x000000000A812000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5000-160-0x000000000A860000-0x000000000A89C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5000-161-0x0000000074360000-0x0000000074B10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5000-162-0x0000000005340000-0x0000000005350000-memory.dmp

    Filesize

    64KB

    Download