Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2023 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73f35c3cfddd5d37e5f1eec9cce6463496a6ec727ac878378664a3f259538dcb.exe

  • Size

    1.1MB

  • MD5

    31732df5533c39d11d61a28327f3687f

  • SHA1

    d7bc0ea375a40fd61a4d60322add2c13427d1a88

  • SHA256

    73f35c3cfddd5d37e5f1eec9cce6463496a6ec727ac878378664a3f259538dcb

  • SHA512

    36538e9ddd21783d1105bd9f9fdb9ea88c18fc5eae4017b1954a31a3c2c7da35a594988262f8284ab0c9c03813d6f11c22e403f1a99e78f808dad4ee7b505977

  • SSDEEP

    24576:pyIaevTrbjeWezq/ysxQlmXd+V7adpGE6x0:c6vbjegTxQ0Xc7q6

Score
10/10
healerredlinebubendropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes
  • auth_value

    c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73f35c3cfddd5d37e5f1eec9cce6463496a6ec727ac878378664a3f259538dcb.exe
    "C:\Users\Admin\AppData\Local\Temp\73f35c3cfddd5d37e5f1eec9cce6463496a6ec727ac878378664a3f259538dcb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3063719.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3063719.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8700912.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8700912.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0191892.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0191892.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3188
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3759550.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3759550.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2748
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3592
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 148
              6⤵
              • Program crash
              PID:2816
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8295458.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8295458.exe
            5⤵
            • Executes dropped EXE
            PID:2136
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2748 -ip 2748
    1⤵
      PID:4140

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3063719.exe
      Filesize

      1021KB

      MD5

      2fe326660701f1eef4dfed5351f6e33a

      SHA1

      e81f2b75c21aa1d61cf7892acb0bec1d63a808a2

      SHA256

      d6f2bc4b510ce06decbf1a464203d3dc6bfdda19ed5284013a8b5d621ecef0bb

      SHA512

      195401babeeb81a3ac4225fbc3eee72d0518294a26bc35e47a23d1bd3adc15c296f98c87f2d1782985c22d08ced0638d92a206b2b0c6d487d9608eede0845d97

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3063719.exe
      Filesize

      1021KB

      MD5

      2fe326660701f1eef4dfed5351f6e33a

      SHA1

      e81f2b75c21aa1d61cf7892acb0bec1d63a808a2

      SHA256

      d6f2bc4b510ce06decbf1a464203d3dc6bfdda19ed5284013a8b5d621ecef0bb

      SHA512

      195401babeeb81a3ac4225fbc3eee72d0518294a26bc35e47a23d1bd3adc15c296f98c87f2d1782985c22d08ced0638d92a206b2b0c6d487d9608eede0845d97

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8700912.exe
      Filesize

      628KB

      MD5

      da4ad0d3bea292e12a14b49b317a3799

      SHA1

      9deab3a41166231277c4fadf4b0386e616e716a8

      SHA256

      c6cc4f5d49e43bd7ea8f39969e4adae2df0f26b0a34cc3bedef3b4926f929bc2

      SHA512

      5ab084934c8c471770b7457c63877721935101a2fab71d44501e7f33bfcbf55bbc6c1b4ef9297da8bc601b7d345f4500d707ff73c4a049ae5977ae4945b5c11e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8700912.exe
      Filesize

      628KB

      MD5

      da4ad0d3bea292e12a14b49b317a3799

      SHA1

      9deab3a41166231277c4fadf4b0386e616e716a8

      SHA256

      c6cc4f5d49e43bd7ea8f39969e4adae2df0f26b0a34cc3bedef3b4926f929bc2

      SHA512

      5ab084934c8c471770b7457c63877721935101a2fab71d44501e7f33bfcbf55bbc6c1b4ef9297da8bc601b7d345f4500d707ff73c4a049ae5977ae4945b5c11e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0191892.exe
      Filesize

      443KB

      MD5

      09982b5c236e60ace48abed07de24e46

      SHA1

      dd8ccbe423c3d5bd350ad951739c4bdb5ddbeb1a

      SHA256

      62171d2c370c03ee7f4d050ef1e5e860873dc4badb6f6dfdfa5061c938874456

      SHA512

      4408a28d21da8263a7b3c54f8935d852288951ce6864804f7640eb4285700df23e96f728c80be08b3964776740427b4422232646b011eca498f7621f9e78e934

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0191892.exe
      Filesize

      443KB

      MD5

      09982b5c236e60ace48abed07de24e46

      SHA1

      dd8ccbe423c3d5bd350ad951739c4bdb5ddbeb1a

      SHA256

      62171d2c370c03ee7f4d050ef1e5e860873dc4badb6f6dfdfa5061c938874456

      SHA512

      4408a28d21da8263a7b3c54f8935d852288951ce6864804f7640eb4285700df23e96f728c80be08b3964776740427b4422232646b011eca498f7621f9e78e934

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3759550.exe
      Filesize

      861KB

      MD5

      e8360ed0793ed07cf419d9cc3550bf68

      SHA1

      1db3acc7d7ad0d07ae792555b57e01d13d3927ab

      SHA256

      0ff3b290d8369daf1a38c3cb2e80d74ca2726e007b6e9bd89ab05cf1a15478c1

      SHA512

      39b41a074c041b8b1340b9784700d26dfdb3384ee2ea68e22496c9a91f8fc25709e90159ebf622ed00474a2fbcac3c4c53f126ee7cdf86dfa467cf747fca8660

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3759550.exe
      Filesize

      861KB

      MD5

      e8360ed0793ed07cf419d9cc3550bf68

      SHA1

      1db3acc7d7ad0d07ae792555b57e01d13d3927ab

      SHA256

      0ff3b290d8369daf1a38c3cb2e80d74ca2726e007b6e9bd89ab05cf1a15478c1

      SHA512

      39b41a074c041b8b1340b9784700d26dfdb3384ee2ea68e22496c9a91f8fc25709e90159ebf622ed00474a2fbcac3c4c53f126ee7cdf86dfa467cf747fca8660

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8295458.exe
      Filesize

      174KB

      MD5

      aebc7946952d980a05c52b3433ffc67b

      SHA1

      d5aecb9b0caffc216d34dfaa3dc5e3a3c203b051

      SHA256

      057f64ae8ea6a9ac2d0f81f668905d3475aa3234d80669dd7463d77ea2f3d930

      SHA512

      efc45eb788cb3e7f618d8e2890f7edd04044d484999ebc726d208e758433f609ccd2a0a00c332c71b642c367cbc8fe9194f4c362d895237b8526b6e09811f461

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8295458.exe
      Filesize

      174KB

      MD5

      aebc7946952d980a05c52b3433ffc67b

      SHA1

      d5aecb9b0caffc216d34dfaa3dc5e3a3c203b051

      SHA256

      057f64ae8ea6a9ac2d0f81f668905d3475aa3234d80669dd7463d77ea2f3d930

      SHA512

      efc45eb788cb3e7f618d8e2890f7edd04044d484999ebc726d208e758433f609ccd2a0a00c332c71b642c367cbc8fe9194f4c362d895237b8526b6e09811f461

      Download Submit

    • memory/2136-33-0x0000000000120000-0x0000000000150000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2136-39-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2136-46-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2136-34-0x0000000073E30000-0x00000000745E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2136-35-0x0000000004A40000-0x0000000004A46000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2136-36-0x0000000005200000-0x0000000005818000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2136-37-0x0000000004CF0000-0x0000000004DFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2136-45-0x0000000073E30000-0x00000000745E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2136-38-0x0000000004C00000-0x0000000004C12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2136-40-0x0000000004C60000-0x0000000004C9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2136-41-0x0000000004CA0000-0x0000000004CEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3592-42-0x0000000073E30000-0x00000000745E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3592-44-0x0000000073E30000-0x00000000745E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3592-29-0x0000000073E30000-0x00000000745E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3592-28-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download