Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    20-07-2023 00:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b30b630fda1f860877a95210200001a406a9a706d68b4dbc069ce69efa1b6721.exe

  • Size

    389KB

  • MD5

    db1285c69b32682a27f40ba7a828ca05

  • SHA1

    0754e5cd55eddc0bc8ed3d6708a963506d7c8858

  • SHA256

    b30b630fda1f860877a95210200001a406a9a706d68b4dbc069ce69efa1b6721

  • SHA512

    fce8c2f2f8a02f7925f71836c8dce97319e41504bf93814ee242a2619698a5689d0c66674c351bac7bdf6fafee5ef7da0f5683f4f56baa8816c8481c04c167f7

  • SSDEEP

    6144:Kxy+bnr+yp0yN90QE/rlZdfkWcnZNbeZj7tj5yflGHz+pfHWZO+/WQ+YRk9qXQPJ:rMrWy90PD7jOB/WZOhgAPZv

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b30b630fda1f860877a95210200001a406a9a706d68b4dbc069ce69efa1b6721.exe
    "C:\Users\Admin\AppData\Local\Temp\b30b630fda1f860877a95210200001a406a9a706d68b4dbc069ce69efa1b6721.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8527774.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8527774.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4710879.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4710879.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2532
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1493742.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1493742.exe
        3⤵
        • Executes dropped EXE
        PID:4960

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8527774.exe
    Filesize

    206KB

    MD5

    0a92936789790ce73ad02900fd7ef397

    SHA1

    128b5794f978a2dcb5268b198f03d9988e92f214

    SHA256

    97d317ec497af7f914f6a6c06d44fb867c703c2af7b1bb61f6a1536351648600

    SHA512

    a1ac2fb0af17eeab445d61c6313473448d43ef0598c458b6dd99864cac2550834659c0be28e9ee8abd48e1dd2ab5a5ebbaa3fbdac0a4c0bb60948b78ff9c116b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8527774.exe
    Filesize

    206KB

    MD5

    0a92936789790ce73ad02900fd7ef397

    SHA1

    128b5794f978a2dcb5268b198f03d9988e92f214

    SHA256

    97d317ec497af7f914f6a6c06d44fb867c703c2af7b1bb61f6a1536351648600

    SHA512

    a1ac2fb0af17eeab445d61c6313473448d43ef0598c458b6dd99864cac2550834659c0be28e9ee8abd48e1dd2ab5a5ebbaa3fbdac0a4c0bb60948b78ff9c116b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4710879.exe
    Filesize

    14KB

    MD5

    194aa2bc612a4818bf604895bb0cb561

    SHA1

    70a7dbf0d24454348ad9da64be006cda914c7625

    SHA256

    f4a1e9a78ea957bd9e4a2c6d0eccca8af0d16c3671a2f1020c26e38fdeadb17c

    SHA512

    e0c7278a90d55c6fe6e1d139b5662795ae08b85347785ba592926eacd1032aee3660a13180617c37a83b1efb146e5c6b078d82f1650c53cce2b94a0ea616771c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4710879.exe
    Filesize

    14KB

    MD5

    194aa2bc612a4818bf604895bb0cb561

    SHA1

    70a7dbf0d24454348ad9da64be006cda914c7625

    SHA256

    f4a1e9a78ea957bd9e4a2c6d0eccca8af0d16c3671a2f1020c26e38fdeadb17c

    SHA512

    e0c7278a90d55c6fe6e1d139b5662795ae08b85347785ba592926eacd1032aee3660a13180617c37a83b1efb146e5c6b078d82f1650c53cce2b94a0ea616771c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1493742.exe
    Filesize

    173KB

    MD5

    1a71bf6f625555157bbbe9dd402f490e

    SHA1

    177c466fbff7ec6480d058869775dfd22bfda206

    SHA256

    1b1cb33e08db38930434b31e92369b95d96a77dbbadd4b375c92877cb19027ad

    SHA512

    020d2116045daeaa04d7c473e67e13595a8a87b5f112606634a31d85fd31d6fae8d913923dd80055e2da349c4196e5ea300b3a4406dd4b75f0f2664d95127102

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1493742.exe
    Filesize

    173KB

    MD5

    1a71bf6f625555157bbbe9dd402f490e

    SHA1

    177c466fbff7ec6480d058869775dfd22bfda206

    SHA256

    1b1cb33e08db38930434b31e92369b95d96a77dbbadd4b375c92877cb19027ad

    SHA512

    020d2116045daeaa04d7c473e67e13595a8a87b5f112606634a31d85fd31d6fae8d913923dd80055e2da349c4196e5ea300b3a4406dd4b75f0f2664d95127102

    Download Submit

  • memory/2532-134-0x0000000000310000-0x000000000031A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2532-137-0x00007FFAF3AB0000-0x00007FFAF449C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2532-135-0x00007FFAF3AB0000-0x00007FFAF449C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4960-141-0x0000000000430000-0x0000000000460000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4960-142-0x0000000072EE0000-0x00000000735CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4960-143-0x0000000002660000-0x0000000002666000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4960-144-0x000000000A7A0000-0x000000000ADA6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4960-145-0x000000000A2A0000-0x000000000A3AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4960-146-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4960-147-0x000000000A1D0000-0x000000000A20E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4960-148-0x000000000A220000-0x000000000A26B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4960-149-0x0000000072EE0000-0x00000000735CE000-memory.dmp

    Filesize

    6.9MB

    Download