Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2023, 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e5cfb406caf111410add0fc5168ba5a6b0b5be8792a6171bfa24ebd2bb3d1d2d.exe

  • Size

    389KB

  • MD5

    92922f2268e6beb0577a01a6a107c6ca

  • SHA1

    065604db5827a3331293fd4f8e7af339d92c45eb

  • SHA256

    e5cfb406caf111410add0fc5168ba5a6b0b5be8792a6171bfa24ebd2bb3d1d2d

  • SHA512

    16b7056113964b268ccd25f594990cb693562de93bde55e16c96348d4434f72aebb08664efd4ac2d9c41b67042f17203930df71cabf1d2da0b369faa5f30e23e

  • SSDEEP

    6144:K8y+bnr+rp0yN90QE/9stukWcnZNvPSBPHCJrSDtPEno9ipked7utF2:4Mr3y90rstiGrSDCh7MA

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5cfb406caf111410add0fc5168ba5a6b0b5be8792a6171bfa24ebd2bb3d1d2d.exe
    "C:\Users\Admin\AppData\Local\Temp\e5cfb406caf111410add0fc5168ba5a6b0b5be8792a6171bfa24ebd2bb3d1d2d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5785856.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5785856.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5639150.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5639150.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4324
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4433928.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4433928.exe
        3⤵
        • Executes dropped EXE
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5785856.exe
    Filesize

    206KB

    MD5

    6f38f4ddd1ee061819b85047e83e8a7e

    SHA1

    eb11af17e9db15c04c361d9a1d9587d04f56bacb

    SHA256

    c695b9115ceffd1bd0201f0d393dc46826bfa4e0a7055c82091d62232c2fd6e9

    SHA512

    909548787fde71c70b3aeab2b9055db07a011f4cb9031ebe6ea5913b86d48e5bf94a40ee824605b4881cf342b3cff117a7e97f35dfca369751e2ac40c05e4a59

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5785856.exe
    Filesize

    206KB

    MD5

    6f38f4ddd1ee061819b85047e83e8a7e

    SHA1

    eb11af17e9db15c04c361d9a1d9587d04f56bacb

    SHA256

    c695b9115ceffd1bd0201f0d393dc46826bfa4e0a7055c82091d62232c2fd6e9

    SHA512

    909548787fde71c70b3aeab2b9055db07a011f4cb9031ebe6ea5913b86d48e5bf94a40ee824605b4881cf342b3cff117a7e97f35dfca369751e2ac40c05e4a59

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5639150.exe
    Filesize

    15KB

    MD5

    e9094e75429498a719cd86fe51107c0b

    SHA1

    b3e2092a74dd7a793023d20b6ef0e3d267cf05fb

    SHA256

    75e4a2731ab3a1858610589115bce87bec2cd678a48999d8e0187b6222232697

    SHA512

    e9a99599657c4e42fc844d89b4d52f0c55587bac7b03a510001b15fdf1defcfd48a37b4704d692e47fed9ac815025efad84874b761b000059f13b75e11c51cdc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5639150.exe
    Filesize

    15KB

    MD5

    e9094e75429498a719cd86fe51107c0b

    SHA1

    b3e2092a74dd7a793023d20b6ef0e3d267cf05fb

    SHA256

    75e4a2731ab3a1858610589115bce87bec2cd678a48999d8e0187b6222232697

    SHA512

    e9a99599657c4e42fc844d89b4d52f0c55587bac7b03a510001b15fdf1defcfd48a37b4704d692e47fed9ac815025efad84874b761b000059f13b75e11c51cdc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4433928.exe
    Filesize

    174KB

    MD5

    5af78cc067bf331d2d1cb0f7cb196978

    SHA1

    bec1d3e698e3f6077b742c251a370f2735d3562c

    SHA256

    fd339956d4db2878dc35598c8a9b9971484afc6baa42035566ef57ecab678661

    SHA512

    736b9c47e16b96e2ec96adf7bba3eea6ff2ccab999e506b0c92989c75057424c2429fd30c539eea9f34800ceb88dcc96d437f4f4d21ccabe3c4b069f00e48f0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4433928.exe
    Filesize

    174KB

    MD5

    5af78cc067bf331d2d1cb0f7cb196978

    SHA1

    bec1d3e698e3f6077b742c251a370f2735d3562c

    SHA256

    fd339956d4db2878dc35598c8a9b9971484afc6baa42035566ef57ecab678661

    SHA512

    736b9c47e16b96e2ec96adf7bba3eea6ff2ccab999e506b0c92989c75057424c2429fd30c539eea9f34800ceb88dcc96d437f4f4d21ccabe3c4b069f00e48f0b

    Download Submit

  • memory/2200-157-0x0000000005150000-0x000000000525A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2200-154-0x0000000000580000-0x00000000005B0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2200-155-0x0000000074B00000-0x00000000752B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2200-156-0x0000000005660000-0x0000000005C78000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2200-158-0x0000000005030000-0x0000000005040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2200-159-0x0000000005060000-0x0000000005072000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2200-160-0x00000000050C0000-0x00000000050FC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2200-161-0x0000000074B00000-0x00000000752B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2200-162-0x0000000005030000-0x0000000005040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4324-150-0x00007FF824DB0000-0x00007FF825871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4324-148-0x00007FF824DB0000-0x00007FF825871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4324-147-0x0000000000D90000-0x0000000000D9A000-memory.dmp

    Filesize

    40KB

    Download