Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
08-05-2024 11:00
Static task
static1
Behavioral task
behavioral1
Sample
73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe
Resource
win10v2004-20240419-en
General
-
Target
73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe
-
Size
1.1MB
-
MD5
73d68c52c799495637a7ea3b3b4a9b20
-
SHA1
18f886fb80bf064caeb4b135d52740ecdba6b1ee
-
SHA256
0655d16e9a5566cd065f65ab31cab51ac2dea2c4201b967bf4438fe8c7d75e8a
-
SHA512
02f2eb77559863b2f9149492063bc022ed5dbca6c0cb38532dd395bb5579adbd41293494831c048d7aa9c439006fd52e9c55ec370b9c12cfba0c94219b609a1d
-
SSDEEP
24576:6yjnsO3+2f1tMMHM+WUHtmtkE3bZPPToxYTscRh556zsyC6:BrsO3+2f1txJTmtJZPPToKTzRU9C
Malware Config
Extracted
amadey
3.80
http://193.3.19.154
-
install_dir
cb7ae701b3
-
install_file
oneetx.exe
-
strings_key
23b27c80db2465a8e1dc15491b69b82f
-
url_paths
/store/games/index.php
Signatures
-
Detect ZGRat V1 6 IoCs
resource yara_rule behavioral1/memory/932-112-0x0000000004A20000-0x0000000004A5C000-memory.dmp family_zgrat_v1 behavioral1/memory/932-113-0x0000000005050000-0x000000000508A000-memory.dmp family_zgrat_v1 behavioral1/memory/932-114-0x0000000005050000-0x0000000005085000-memory.dmp family_zgrat_v1 behavioral1/memory/932-119-0x0000000005050000-0x0000000005085000-memory.dmp family_zgrat_v1 behavioral1/memory/932-117-0x0000000005050000-0x0000000005085000-memory.dmp family_zgrat_v1 behavioral1/memory/932-115-0x0000000005050000-0x0000000005085000-memory.dmp family_zgrat_v1 -
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/5080-28-0x0000000002050000-0x000000000206A000-memory.dmp healer behavioral1/memory/5080-30-0x0000000002430000-0x0000000002448000-memory.dmp healer behavioral1/memory/5080-31-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-52-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-58-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-56-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-54-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-50-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-46-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-44-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-42-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-40-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-38-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-36-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-34-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-32-0x0000000002430000-0x0000000002443000-memory.dmp healer behavioral1/memory/5080-48-0x0000000002430000-0x0000000002443000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 257341906.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 144105729.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 144105729.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 144105729.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 144105729.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 257341906.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 257341906.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 144105729.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 144105729.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 257341906.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 257341906.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral1/memory/932-112-0x0000000004A20000-0x0000000004A5C000-memory.dmp family_redline behavioral1/memory/932-113-0x0000000005050000-0x000000000508A000-memory.dmp family_redline behavioral1/memory/932-114-0x0000000005050000-0x0000000005085000-memory.dmp family_redline behavioral1/memory/932-119-0x0000000005050000-0x0000000005085000-memory.dmp family_redline behavioral1/memory/932-117-0x0000000005050000-0x0000000005085000-memory.dmp family_redline behavioral1/memory/932-115-0x0000000005050000-0x0000000005085000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation 326468569.exe Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 10 IoCs
pid Process 5040 CH988882.exe 4648 yf412220.exe 2164 fn668898.exe 5080 144105729.exe 3556 257341906.exe 3324 326468569.exe 748 oneetx.exe 932 404469749.exe 5756 oneetx.exe 5144 oneetx.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 144105729.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 144105729.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 257341906.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" CH988882.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" yf412220.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" fn668898.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2584 3556 WerFault.exe 97 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3636 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 5080 144105729.exe 5080 144105729.exe 3556 257341906.exe 3556 257341906.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 5080 144105729.exe Token: SeDebugPrivilege 3556 257341906.exe Token: SeDebugPrivilege 932 404469749.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 4660 wrote to memory of 5040 4660 73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe 83 PID 4660 wrote to memory of 5040 4660 73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe 83 PID 4660 wrote to memory of 5040 4660 73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe 83 PID 5040 wrote to memory of 4648 5040 CH988882.exe 84 PID 5040 wrote to memory of 4648 5040 CH988882.exe 84 PID 5040 wrote to memory of 4648 5040 CH988882.exe 84 PID 4648 wrote to memory of 2164 4648 yf412220.exe 85 PID 4648 wrote to memory of 2164 4648 yf412220.exe 85 PID 4648 wrote to memory of 2164 4648 yf412220.exe 85 PID 2164 wrote to memory of 5080 2164 fn668898.exe 86 PID 2164 wrote to memory of 5080 2164 fn668898.exe 86 PID 2164 wrote to memory of 5080 2164 fn668898.exe 86 PID 2164 wrote to memory of 3556 2164 fn668898.exe 97 PID 2164 wrote to memory of 3556 2164 fn668898.exe 97 PID 2164 wrote to memory of 3556 2164 fn668898.exe 97 PID 4648 wrote to memory of 3324 4648 yf412220.exe 101 PID 4648 wrote to memory of 3324 4648 yf412220.exe 101 PID 4648 wrote to memory of 3324 4648 yf412220.exe 101 PID 3324 wrote to memory of 748 3324 326468569.exe 102 PID 3324 wrote to memory of 748 3324 326468569.exe 102 PID 3324 wrote to memory of 748 3324 326468569.exe 102 PID 5040 wrote to memory of 932 5040 CH988882.exe 103 PID 5040 wrote to memory of 932 5040 CH988882.exe 103 PID 5040 wrote to memory of 932 5040 CH988882.exe 103 PID 748 wrote to memory of 3636 748 oneetx.exe 104 PID 748 wrote to memory of 3636 748 oneetx.exe 104 PID 748 wrote to memory of 3636 748 oneetx.exe 104 PID 748 wrote to memory of 2976 748 oneetx.exe 106 PID 748 wrote to memory of 2976 748 oneetx.exe 106 PID 748 wrote to memory of 2976 748 oneetx.exe 106 PID 2976 wrote to memory of 3748 2976 cmd.exe 108 PID 2976 wrote to memory of 3748 2976 cmd.exe 108 PID 2976 wrote to memory of 3748 2976 cmd.exe 108 PID 2976 wrote to memory of 4164 2976 cmd.exe 109 PID 2976 wrote to memory of 4164 2976 cmd.exe 109 PID 2976 wrote to memory of 4164 2976 cmd.exe 109 PID 2976 wrote to memory of 3444 2976 cmd.exe 110 PID 2976 wrote to memory of 3444 2976 cmd.exe 110 PID 2976 wrote to memory of 3444 2976 cmd.exe 110 PID 2976 wrote to memory of 3532 2976 cmd.exe 111 PID 2976 wrote to memory of 3532 2976 cmd.exe 111 PID 2976 wrote to memory of 3532 2976 cmd.exe 111 PID 2976 wrote to memory of 4476 2976 cmd.exe 112 PID 2976 wrote to memory of 4476 2976 cmd.exe 112 PID 2976 wrote to memory of 4476 2976 cmd.exe 112 PID 2976 wrote to memory of 2236 2976 cmd.exe 113 PID 2976 wrote to memory of 2236 2976 cmd.exe 113 PID 2976 wrote to memory of 2236 2976 cmd.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 10206⤵
- Program crash
PID:2584
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F6⤵
- Creates scheduled task(s)
PID:3636
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:3748
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"7⤵PID:4164
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E7⤵PID:3444
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:3532
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"7⤵PID:4476
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E7⤵PID:2236
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:932
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3556 -ip 35561⤵PID:4724
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:5756
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:5144
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
940KB
MD5dfe434a69f2348ebf90b85c207c02ef8
SHA19b12b8825afc0e37f0bad0f22f8f0de317d9e247
SHA256c95e9f67bc68689910dc07b3ed80d0cd23c2a65adcc865a5482789b44a851023
SHA5121911e79174058bc2e6b2ae409ca238cf9f5603a04b49a8cf294706a7bb310ab63d2b2f649d41f0fd1caec88b9f983923cf31fa6b1ce441f6082bb988844ffbaa
-
Filesize
342KB
MD5c7f65640e61c71e4258fbc5b9992d3a2
SHA1c6bbdd037abcb025def5ffb9dc9f941b7e13fa98
SHA256dd565a1874687e6232cffc7cd91b8e230bbc01db92948687f54094023daaee66
SHA5123178ba3584a7205844befb2b828b30bf7d971aaaed84915713a9cc3adc392b0f7aec4ea7df7be68aa87793ea1548ba64fd1a2d547b6e9c9545286a81013e1192
-
Filesize
586KB
MD5b9caa9de272c1785c900a5735bebea09
SHA100a49290df5123d222a6390033d0c8ea13d01344
SHA256126968089982cace9207987f9a1dcf85cb09f830b0f3e22fca99195de7bd3dfe
SHA512fde2b945dcd99b0d4f9cc55a8ba61a290310b47d69ab8a3071b0369dcfd9cff4c7a9f4f24320fe68301530c7f33e23a6bccefbe30efd24a38fc103bb56455462
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
414KB
MD5c15bdaf4b089ace62138eb9c3fa2e9b5
SHA14c6fd1ad3245063b34e01e0346f572ae37caeae9
SHA25680e4f8805a09874cb112214f2fe585471e228071f89178e7b37227b8db2b0e79
SHA512b474220096c242ef5201a5043feb7f7870a800fa9fc1d3156efddaebaa1f66a142767343a27b90f313deef8682bc7d7b7e63210f0442961db3a272085383502b
-
Filesize
175KB
MD5a165b5f6b0a4bdf808b71de57bf9347d
SHA139a7b301e819e386c162a47e046fa384bb5ab437
SHA25668349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA5123dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1
-
Filesize
259KB
MD58527975d775cb7bad819b513e23cc188
SHA145cefaee9740f544108e1bc0abd0ee6d6a347912
SHA256a4a924435ec820400a5a9afd180d6423c1d54481d764f9b0d85eae90ce26edfd
SHA5124204ec5386e1b7f2292026cb82f70dde7ab27bbe97037897f18fb13b285f381649b017181a5b928708c023bdfb17ea6e5f7ddb1b87918f959210c595266d26b9