Overview

overview

10

Static

static

3

24113d3ed2...KI.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 08:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24113d3ed2dc8ba8789b2874addb0750_NEIKI.exe

  • Size

    307KB

  • MD5

    24113d3ed2dc8ba8789b2874addb0750

  • SHA1

    2901dff1dd1b5b619d48c8d04d22c185922e651b

  • SHA256

    94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae

  • SHA512

    409754870b1cf18269d84a798f69e11cb54540d12217fc0674524ef0e3d42ce38d199d45b7e1b7cb96a70fff87704561b6208bb58bc2628881b9a3d7422aecc7

  • SSDEEP

    6144:Kxy+bnr++p0yN90QEA5F5OYc1u31g4TBylzQbR/JOF:HMriy90mxc1u31TTEtQb1JOF

Score
10/10
healerredlinedropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24113d3ed2dc8ba8789b2874addb0750_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\24113d3ed2dc8ba8789b2874addb0750_NEIKI.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4892
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe
      2⤵
      • Executes dropped EXE
      PID:4312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe
    Filesize

    175KB

    MD5

    a488df49a762065f75f41ee76c2215b4

    SHA1

    6ffd0bf006ca60251cf8b298891d317693885fe9

    SHA256

    cf8fd74e3f74fb3dafb881e7070287a7ad77296cbaab59a0b8968de37365c0d3

    SHA512

    5480aa133771076a21c984512f42a9020b012f7735960b05de7908f7bc13a8944bfcdaa4a28415ac6395e4f86e96c29251dbae9284917ce7e23eb623a79477f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe
    Filesize

    136KB

    MD5

    ea7424a74eacf1d89358ccbde8484098

    SHA1

    d66cac767a565053916ba6604ca5272d2d0e17aa

    SHA256

    ed28be548a5ca5d75c2bf5ec47ba896d4f4e6916abee3cf04dca41d9fd87249a

    SHA512

    c50b3c66646a429830eb4c90fff4bacf764c9cc4ced25f1b854b3d77a1a27e9aebc6d1c28330062e4bc2adc0a603bc75a5fe4be6d7a64449a7664f8d2ffb70fc

    Download Submit

  • memory/4312-54-0x0000000073C70000-0x0000000073D1B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/4312-53-0x0000000001660000-0x00000000016AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4312-52-0x0000000007CA0000-0x0000000007CDC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4312-51-0x0000000073C70000-0x0000000073D1B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/4312-50-0x0000000007D30000-0x0000000007E3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4312-49-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4312-48-0x0000000008170000-0x0000000008788000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4312-47-0x0000000073C70000-0x0000000073D1B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/4312-46-0x0000000000EA0000-0x0000000000EC8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4892-29-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-42-0x0000000073CC0000-0x0000000074470000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4892-15-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-13-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-12-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-37-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-35-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-33-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-27-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-21-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-17-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-19-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-23-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-25-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-40-0x0000000073CC0000-0x0000000074470000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4892-31-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-39-0x0000000002520000-0x0000000002532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4892-11-0x0000000002520000-0x0000000002538000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4892-9-0x0000000073CC0000-0x0000000074470000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4892-10-0x0000000004B00000-0x00000000050A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4892-8-0x00000000007E0000-0x00000000007FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4892-7-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

    Filesize

    4KB

    Download