Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2023, 14:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b7d32dd66507f98e67e516220048ce3e47cbb10af251b92ca19db22a85ab667b.exe

  • Size

    389KB

  • MD5

    8a0f4289b99fb33def3140c849321cdd

  • SHA1

    48ce800243b80391979c1efbf4a2e30b5bf04331

  • SHA256

    b7d32dd66507f98e67e516220048ce3e47cbb10af251b92ca19db22a85ab667b

  • SHA512

    3c489c6560eb56f797565e21a45df81daabe2e96d3d3847cf503068430e43c8942484d7f34e3a06932dc024b7fefeca14a13de37645f38078dc5d43f89cbae1a

  • SSDEEP

    6144:KHy+bnr+Vp0yN90QEmjAlrUolD7dxXMuiGVHyjZhOZTpC/ZwglZQ5Gfh45639X:NMrNy90YACoHxcpyH8ruT+vZC639X

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7d32dd66507f98e67e516220048ce3e47cbb10af251b92ca19db22a85ab667b.exe
    "C:\Users\Admin\AppData\Local\Temp\b7d32dd66507f98e67e516220048ce3e47cbb10af251b92ca19db22a85ab667b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4607495.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4607495.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2930872.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2930872.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3180
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2975905.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2975905.exe
        3⤵
        • Executes dropped EXE
        PID:2840
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:112

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4607495.exe
          Filesize

          206KB

          MD5

          bf383e9a76d71a62d67d160f8fa32736

          SHA1

          82fccf39a682e2e886e391aadbfe18ece416e96f

          SHA256

          9fd26aeb608850d590d6cdcc331b818a38fef6aed4ef3d0c5208269b61ac3f11

          SHA512

          14fd709a9a08b0a79d7bf41bf7447988d7aed56dfd78e01d44e56660617e17c70a645df04e70cd02d64606d10c74ebe88d82e905296026436873b5a0bdc7ff39

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4607495.exe
          Filesize

          206KB

          MD5

          bf383e9a76d71a62d67d160f8fa32736

          SHA1

          82fccf39a682e2e886e391aadbfe18ece416e96f

          SHA256

          9fd26aeb608850d590d6cdcc331b818a38fef6aed4ef3d0c5208269b61ac3f11

          SHA512

          14fd709a9a08b0a79d7bf41bf7447988d7aed56dfd78e01d44e56660617e17c70a645df04e70cd02d64606d10c74ebe88d82e905296026436873b5a0bdc7ff39

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2930872.exe
          Filesize

          15KB

          MD5

          29720c95922396b5de277a0ef0490e2c

          SHA1

          45085fc978beb18eb2c5c5c11c03c4bffc969f0d

          SHA256

          54c68039fa0bc5d0fccbf8f2f80aaaf1b52946d8e66fbf3b31cb5572a4fdce5f

          SHA512

          7055d72d814fa7233d93b23b32a0574d351dc746bc3fc05e525ec82992b14514f919fd1b9c8a50d069e4622395c9b380b690a34e68d96c24a93e3d8379c82074

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2930872.exe
          Filesize

          15KB

          MD5

          29720c95922396b5de277a0ef0490e2c

          SHA1

          45085fc978beb18eb2c5c5c11c03c4bffc969f0d

          SHA256

          54c68039fa0bc5d0fccbf8f2f80aaaf1b52946d8e66fbf3b31cb5572a4fdce5f

          SHA512

          7055d72d814fa7233d93b23b32a0574d351dc746bc3fc05e525ec82992b14514f919fd1b9c8a50d069e4622395c9b380b690a34e68d96c24a93e3d8379c82074

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2975905.exe
          Filesize

          174KB

          MD5

          c29e8532175c0991e7022ff4ef3f15c2

          SHA1

          9b2bac731a7a698113c2ad82d50321f256de97e4

          SHA256

          a8a73973c98920fcb4db2d019dd3c9eecb798a12797ca47c2d30d076c67d7776

          SHA512

          6a81e304ba105d758b012b3f2cadc418bea4d02f0c1322acba3d4257cb74fd71be7ebe903159f941f2f35315af1c32c7b05be79989da35552ca7e52bcc023049

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2975905.exe
          Filesize

          174KB

          MD5

          c29e8532175c0991e7022ff4ef3f15c2

          SHA1

          9b2bac731a7a698113c2ad82d50321f256de97e4

          SHA256

          a8a73973c98920fcb4db2d019dd3c9eecb798a12797ca47c2d30d076c67d7776

          SHA512

          6a81e304ba105d758b012b3f2cadc418bea4d02f0c1322acba3d4257cb74fd71be7ebe903159f941f2f35315af1c32c7b05be79989da35552ca7e52bcc023049

          Download Submit

        • memory/2840-157-0x000000000A2A0000-0x000000000A3AA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2840-155-0x0000000073FE0000-0x0000000074790000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2840-154-0x0000000000430000-0x0000000000460000-memory.dmp

          Filesize

          192KB

          Download

        • memory/2840-156-0x000000000A740000-0x000000000AD58000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2840-159-0x0000000004D90000-0x0000000004DA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2840-158-0x000000000A1E0000-0x000000000A1F2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2840-160-0x000000000A240000-0x000000000A27C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2840-161-0x0000000073FE0000-0x0000000074790000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2840-162-0x0000000004D90000-0x0000000004DA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3180-150-0x00007FFED34E0000-0x00007FFED3FA1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3180-148-0x00007FFED34E0000-0x00007FFED3FA1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3180-147-0x0000000000140000-0x000000000014A000-memory.dmp

          Filesize

          40KB

          Download