Malware Analysis Report

2024-10-16 03:43

Sample ID 240508-j5j8eade68
Target 24113d3ed2dc8ba8789b2874addb0750_NEIKI
SHA256 94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae
Tags
healer redline dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae

Threat Level: Known bad

The file 24113d3ed2dc8ba8789b2874addb0750_NEIKI was found to be: Known bad.

Malicious Activity Summary

healer redline dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 08:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 08:15

Reported

2024-05-08 08:17

Platform

win10v2004-20240419-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24113d3ed2dc8ba8789b2874addb0750_NEIKI.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\24113d3ed2dc8ba8789b2874addb0750_NEIKI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\24113d3ed2dc8ba8789b2874addb0750_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\24113d3ed2dc8ba8789b2874addb0750_NEIKI.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8916177.exe

MD5 a488df49a762065f75f41ee76c2215b4
SHA1 6ffd0bf006ca60251cf8b298891d317693885fe9
SHA256 cf8fd74e3f74fb3dafb881e7070287a7ad77296cbaab59a0b8968de37365c0d3
SHA512 5480aa133771076a21c984512f42a9020b012f7735960b05de7908f7bc13a8944bfcdaa4a28415ac6395e4f86e96c29251dbae9284917ce7e23eb623a79477f3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7529087.exe

MD5 ea7424a74eacf1d89358ccbde8484098
SHA1 d66cac767a565053916ba6604ca5272d2d0e17aa
SHA256 ed28be548a5ca5d75c2bf5ec47ba896d4f4e6916abee3cf04dca41d9fd87249a
SHA512 c50b3c66646a429830eb4c90fff4bacf764c9cc4ced25f1b854b3d77a1a27e9aebc6d1c28330062e4bc2adc0a603bc75a5fe4be6d7a64449a7664f8d2ffb70fc