Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2024 16:00

Static task: static1
Behavioral task: behavioral1
Sample: fcc1584f1926d09667e8eff1649a1270_NEIKI.exe
Resource: win10v2004-20240508-en
General

Target: fcc1584f1926d09667e8eff1649a1270_NEIKI.exe
Size: 951KB
MD5: fcc1584f1926d09667e8eff1649a1270
SHA1: 8fe04fe0d25147d13988f82fe75473f360f6f9c3
SHA256: 02b90bc7cf5a91d558cd6cca8f15811367dcccbe0bb3b6bb91957492770540bd
SHA512: b8be0e54b98b89dddcaca6796367dbb44f2fb751f89ab8fd9557b20b464335147904518bb6a7f23dd44459f068c970e701042278a66dceadad22e6f5afedf3d4
SSDEEP: 24576:9y1gi1jMHG/Vc5LsKBnCDUX8g+c+SiyhAzVMSIezuj:YOIjMzhnCDU8E+2hOJIeC
Malware Config

Extracted
Family: redline
Botnet: dark
C2: 185.161.248.73:4164
auth_value: ae85b01f66afe8770afeed560513fc2d
Signatures

Detects Healer, an antivirus disabler dropper (3 IoCs)
resource / yara_rule:
- behavioral1/memory/1624-2150-0x0000000005720000-0x000000000572A000-memory.dmp: healer
- behavioral1/files/0x0004000000022ae0-2155.dat: healer
- behavioral1/memory/5152-2163-0x0000000000250000-0x000000000025A000-memory.dmp: healer

Modifies Windows Defender Real-time Protection settings (6 IoCs)
All six writes go to the Defender policy key, which takes precedence over the user-facing settings; every Disable* value is set to 1 by 1.exe.
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (1.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (1.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource / yara_rule:
- behavioral1/memory/5612-4319-0x0000000005750000-0x0000000005782000-memory.dmp: family_redline
- behavioral1/files/0x0008000000023431-4324.dat: family_redline
- behavioral1/memory/5240-4326-0x0000000000D90000-0x0000000000DC0000-memory.dmp: family_redline
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (78656478.exe)
Executes dropped EXE (5 IoCs)
pid / Process:
- 4628: un300244.exe
- 1624: 78656478.exe
- 5152: 1.exe
- 5612: rk018675.exe
- 5240: si672927.exe

Windows security modification (1 IoC)
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (1.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Both entries are the RunOnce cleanup hooks that a wextract/IExpress self-extracting package registers to delete its IXP###.TMP extraction folder (rundll32 advpack.dll,DelNodeRunDLL32); they identify the SFX packer used by the sample and its inner stage, not persistence for the dropped payloads.
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (fcc1584f1926d09667e8eff1649a1270_NEIKI.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un300244.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid / pid_target / Process / procid_target:
- 5464 reported crash of 1624 (78656478.exe): WerFault.exe, procid_target 83
- 3836 reported crash of 5612 (rk018675.exe): WerFault.exe, procid_target 90

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid / Process:
- 5152: 1.exe (3 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 1624, 78656478.exe
- Token: SeDebugPrivilege, 5612, rk018675.exe
- Token: SeDebugPrivilege, 5152, 1.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description / pid / Process / procid_target (repeated writes to the same child are collapsed with a count):
- PID 3616 (fcc1584f1926d09667e8eff1649a1270_NEIKI.exe) wrote to memory of 4628, procid_target 80 (3 events)
- PID 4628 (un300244.exe) wrote to memory of 1624, procid_target 83 (3 events)
- PID 1624 (78656478.exe) wrote to memory of 5152, procid_target 86 (2 events)
- PID 4628 (un300244.exe) wrote to memory of 5612, procid_target 90 (3 events)
- PID 3616 (fcc1584f1926d09667e8eff1649a1270_NEIKI.exe) wrote to memory of 5240, procid_target 93 (3 events)
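The two signature groups above are most useful together: the WriteProcessMemory events give the parent/child lineage, and the registry events say which process in that lineage neutered Defender. The script below is an added example for this report, not tooling from the sandbox or from the page; it rebuilds the lineage from the write events, classifies each registry event (Defender policy Disable* values set to 1, TamperProtection set to 0, and the wextract cleanup RunOnce entries, which it labels as packer residue rather than persistence), and attributes every finding to the full chain that produced it. The event tuples are constructed from the IoCs on this page; the tuple layout, the rule labels and the PID-to-image mapping are this example's own assumptions.

```python
"""Correlate the behavioural IoCs above into a process lineage and attribute
the Defender-tampering registry writes to the chain that produced them.

Added example for this report, not sandbox tooling. The event tuples are
constructed from the IoCs listed on this page; the tuple layout and the
finding labels are this example's own conventions.
"""
import re

# Constructed from "Suspicious use of WriteProcessMemory":
# (parent_pid, parent_image, child_pid), one row per logged write.
WRITE_EVENTS = (
    [(3616, "fcc1584f1926d09667e8eff1649a1270_NEIKI.exe", 4628)] * 3
    + [(4628, "un300244.exe", 1624)] * 3
    + [(1624, "78656478.exe", 5152)] * 2
    + [(4628, "un300244.exe", 5612)] * 3
    + [(3616, "fcc1584f1926d09667e8eff1649a1270_NEIKI.exe", 5240)] * 3
)

# Constructed from "Executes dropped EXE": pid -> image.
DROPPED = {4628: "un300244.exe", 1624: "78656478.exe", 5152: "1.exe",
           5612: "rk018675.exe", 5240: "si672927.exe"}

RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\{}\"'

# Constructed from the registry IoCs: (writer_pid, key, value_name, data).
# value_name None records a bare "Key created" event. Writer PIDs are taken
# from the process tree (1.exe = 5152, the two SFX stubs = 3616 and 4628).
REG_EVENTS = [
    (5152, RTP, "DisableRealtimeMonitoring", 1),
    (5152, RTP, "DisableScanOnRealtimeEnable", 1),
    (5152, RTP, None, None),
    (5152, RTP, "DisableBehaviorMonitoring", 1),
    (5152, RTP, "DisableIOAVProtection", 1),
    (5152, RTP, "DisableOnAccessProtection", 1),
    (5152, FEATURES, "TamperProtection", 0),
    (3616, RUNONCE, "wextract_cleanup0", CLEANUP.format("IXP000.TMP")),
    (4628, RUNONCE, "wextract_cleanup1", CLEANUP.format("IXP001.TMP")),
]

HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}


def normalize_key(path):
    """Kernel-style path -> lower-case hklm\\... with the WOW6432Node
    redirection removed, so 32-bit and 64-bit writers hit the same rule."""
    for kernel, short in HIVES.items():
        if path.upper().startswith(kernel):
            path = short + path[len(kernel):]
            break
    return re.sub(r"\\WOW6432Node", "", path, flags=re.I).lower()


def classify(event):
    """Label one registry event, or return None if no rule matches."""
    _pid, key, name, data = event
    if name is None:
        return None
    k, lname = normalize_key(key), name.lower()
    if k == normalize_key(RTP) and lname.startswith("disable") and data == 1:
        return "defender_realtime_protection_disabled"
    if k == normalize_key(FEATURES) and lname == "tamperprotection" and data == 0:
        return "defender_tamper_protection_off"
    if k.endswith("\\currentversion\\runonce") and isinstance(data, str) \
            and "advpack.dll,delnoderundll32" in data.lower():
        # wextract/IExpress registers this to delete its IXP###.TMP folder;
        # it identifies the SFX packer, not payload persistence.
        return "sfx_cleanup_runonce"
    if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
        return "autorun_entry"
    return None


def build_lineage(write_events, dropped):
    """Parent map and pid->image map derived from WriteProcessMemory events."""
    parents, names = {}, dict(dropped)
    for ppid, pimage, cpid in write_events:
        parents[cpid] = ppid
        names.setdefault(ppid, pimage)
    return parents, names


def chain(pid, parents, names):
    """Image names from the root process down to pid (cycle-safe)."""
    out, seen = [names.get(pid, f"pid:{pid}")], {pid}
    while pid in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
        out.append(names.get(pid, f"pid:{pid}"))
    return out[::-1]


def analyze(write_events=WRITE_EVENTS, dropped=DROPPED, reg_events=REG_EVENTS):
    """Return [(label, value_name, lineage)] for every event a rule matched."""
    parents, names = build_lineage(write_events, dropped)
    findings = []
    for ev in reg_events:
        label = classify(ev)
        if label:
            findings.append((label, ev[2], chain(ev[0], parents, names)))
    return findings


if __name__ == "__main__":
    for label, value, lineage in analyze():
        print(f"{label:40} {value:28} {' -> '.join(lineage)}")
```

Run as-is, the script attributes all five Real-Time Protection writes and the TamperProtection write to the chain fcc1584f1926d09667e8eff1649a1270_NEIKI.exe -> un300244.exe -> 78656478.exe -> 1.exe, and reports the two wextract_cleanup entries separately so they are not mistaken for the payload's persistence. Matching on the normalized policy key rather than on value names alone matters because the same Disable* names also exist under the non-policy Windows Defender key, where they are written by Defender itself.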
Processes
Indentation shows parent/child nesting; the trailing number in the original listing was the tree depth.

C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe (PID 3616)
    command line: "C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe (PID 4628)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe (PID 1624)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Windows\Temp\1.exe (PID 5152)
                command line: "C:\Windows\Temp\1.exe"
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe (PID 5464)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1384
                - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe (PID 5612)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe (PID 3836)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 1220
                - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672927.exe (PID 5240)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672927.exe
        - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe (PID 5396)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1624 -ip 1624

C:\Windows\SysWOW64\WerFault.exe (PID 5764)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5612 -ip 5612
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 168KB
MD5: 16cf18c8ef1d4be89b36e27c8fb88e9d
SHA1: 7811ba84f75a1adc6d995c2c1121ec996d1cc003
SHA256: 116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8
SHA512: 4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd

Filesize: 798KB
MD5: 96706b8b632ee3431c548020eb16d8ad
SHA1: 1c4d60afd010924901313f05fbaa32ab0f19aed9
SHA256: 36d8836cae2cd11b6e2567501db76d02ce2342da657cc97928ede554b8a66066
SHA512: 43de98b07f08d220b5ca77fa2d6323f4aa17fbaee7f938328f8fb897d5ab1d34a4e06fcb990542716985326daf8706788030bba9bce00ca53d93b8a5b6848b69

Filesize: 479KB
MD5: be0d413153569192f050beb48b0a2572
SHA1: 909732a2eb3617bcc1af584a0a7ead26702d65c8
SHA256: 0e3f5f78f9534e5ee8085d78fb6f4e7a41adebb2fdd88b492534c25bf4d78d0b
SHA512: 96f8708783317f5d1098b9ec4be3c23c4c0715acd30c653447109819dc500a10a327d12c481cb19d5af69b34a9fc2f403cdd48d8a0dd7357086873ecbe18a88a

Filesize: 539KB
MD5: 93e278c689042dee812fcebfcbe6308b
SHA1: f956bbd31ab7203af9174b25bea75ec6ebc92501
SHA256: a3a28037241c25dbfb35c011279c7ab29dc89783f4da3a4d968b52d66a54e73a
SHA512: a1de1cf64aafabc84746d12947936841276635132827e21500183adcfcdc25787658255612e14b9c430f3208a508c1b4374799b025f416724d9a1f9d45c46a85

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91