Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2023 05:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4bc64c0375f3ffea0f45741a1f4ed6af4f66e8f13084960da4aeb003e9f45675.exe

  • Size

    389KB

  • MD5

    073f84f40946716ae47ea59af7fc3979

  • SHA1

    f39ce1dd5b30a263986c6831bc7bf4b662b3ce5c

  • SHA256

    4bc64c0375f3ffea0f45741a1f4ed6af4f66e8f13084960da4aeb003e9f45675

  • SHA512

    7a9758b20b794cac8a5a9e8dae5fb55f6cfb5b69e8ab5ab804088e67975436826746e5fe18473f56e4544bf148c35dc1a1029768bf3262e58372afbc7d9ca93a

  • SSDEEP

    6144:KGy+bnr+xp0yN90QESFxnVkONlvhYZbG7qMh+hn0E3+YIu5ly4RChw/:yMrFy90wSONcbG75w3+YNly2Chw/

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bc64c0375f3ffea0f45741a1f4ed6af4f66e8f13084960da4aeb003e9f45675.exe
    "C:\Users\Admin\AppData\Local\Temp\4bc64c0375f3ffea0f45741a1f4ed6af4f66e8f13084960da4aeb003e9f45675.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0401173.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0401173.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4607821.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4607821.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4256
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1698980.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1698980.exe
        3⤵
        • Executes dropped EXE
        PID:2976

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0401173.exe
    Filesize

    206KB

    MD5

    4e23e3ed92f482907c31141926908a4f

    SHA1

    6a090640bedf02b74bb7dad0b75c380d444f73fc

    SHA256

    239a61d49eb6b626bd249926a1a3225d6005efe83cfbf21091cd381af22172d7

    SHA512

    273e0ad97c40f1f70375251e66ce7f33bf54ae6dc068fdb3156925f59433009a16835ea1e528ab1422c26952b3835f62aff4ef267749978ad0e7725133920e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0401173.exe
    Filesize

    206KB

    MD5

    4e23e3ed92f482907c31141926908a4f

    SHA1

    6a090640bedf02b74bb7dad0b75c380d444f73fc

    SHA256

    239a61d49eb6b626bd249926a1a3225d6005efe83cfbf21091cd381af22172d7

    SHA512

    273e0ad97c40f1f70375251e66ce7f33bf54ae6dc068fdb3156925f59433009a16835ea1e528ab1422c26952b3835f62aff4ef267749978ad0e7725133920e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4607821.exe
    Filesize

    14KB

    MD5

    24680878da0cdb572f04dee724eb6374

    SHA1

    e541d64aadaa8bbc00544fe62476886e15ffbe48

    SHA256

    1ec13c26ada790637e7432690f135d84911e69be30fffbc673c0e63e2c7d1c3f

    SHA512

    9196bb471e2a2eac844320afc95198af35c06d7c87dfd39779c69f1856fcec452c30dd61b1117eef825566cfee1e6f2b0962fed07fae269cd502263b008b5779

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p4607821.exe
    Filesize

    14KB

    MD5

    24680878da0cdb572f04dee724eb6374

    SHA1

    e541d64aadaa8bbc00544fe62476886e15ffbe48

    SHA256

    1ec13c26ada790637e7432690f135d84911e69be30fffbc673c0e63e2c7d1c3f

    SHA512

    9196bb471e2a2eac844320afc95198af35c06d7c87dfd39779c69f1856fcec452c30dd61b1117eef825566cfee1e6f2b0962fed07fae269cd502263b008b5779

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1698980.exe
    Filesize

    173KB

    MD5

    42d0dd8ee8b60ffcca10b682dccea2a2

    SHA1

    d6069d38777c71e088d5addc73f6cce3a4bc8bd6

    SHA256

    b0df05a1010f5da959d2539eb1014155e1859164aac2df73acd63a4990c97be4

    SHA512

    ef304513350ff736d53cbfd87973cacdfe7251edc94cf57f75bfcfa3bc73f63116cc8bd931e25fe9f75718f344667c8a36706bd0c179e0678423a9c50842aa92

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1698980.exe
    Filesize

    173KB

    MD5

    42d0dd8ee8b60ffcca10b682dccea2a2

    SHA1

    d6069d38777c71e088d5addc73f6cce3a4bc8bd6

    SHA256

    b0df05a1010f5da959d2539eb1014155e1859164aac2df73acd63a4990c97be4

    SHA512

    ef304513350ff736d53cbfd87973cacdfe7251edc94cf57f75bfcfa3bc73f63116cc8bd931e25fe9f75718f344667c8a36706bd0c179e0678423a9c50842aa92

    Download Submit

  • memory/2976-157-0x00000000050C0000-0x00000000051CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2976-154-0x0000000000500000-0x0000000000530000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2976-155-0x0000000073CB0000-0x0000000074460000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2976-156-0x00000000055D0000-0x0000000005BE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2976-158-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2976-159-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2976-160-0x0000000005030000-0x000000000506C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2976-161-0x0000000073CB0000-0x0000000074460000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2976-162-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-150-0x00007FFEA2F00000-0x00007FFEA39C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4256-148-0x00007FFEA2F00000-0x00007FFEA39C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4256-147-0x0000000000610000-0x000000000061A000-memory.dmp

    Filesize

    40KB

    Download