Analysis Overview
SHA256
02b90bc7cf5a91d558cd6cca8f15811367dcccbe0bb3b6bb91957492770540bd
Threat Level: Known bad
The file fcc1584f1926d09667e8eff1649a1270_NEIKI was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine payload
RedLine
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Checks computer location settings
Windows security modification
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-08 16:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-08 16:00
Reported
2024-05-08 16:03
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672927.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe | N/A |
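The registry writes above are the detection-relevant part of this run: C:\Windows\Temp\1.exe sets five Real-Time Protection policy values to 1 and TamperProtection to 0, while the two RunOnce\wextract_cleanupN entries are the cleanup hook that wextract.exe (the IExpress self-extractor behind the IXP000.TMP / IXP001.TMP directories) registers so that advpack.dll's DelNodeRunDLL32 deletes its temp folder at next logon. The script below is an added example, not part of the sandbox report: it classifies registry "value set" events in the shape of Sysmon Event ID 13 fields (Image, TargetObject, Details), built here as constructed records from the indicators on this page. The rule names, severities and the HKLM/HKU-to-\REGISTRY alias mapping are this example's own choices.

```python
"""Classify registry 'value set' events for Defender tampering and persistence.

Added example, not from the sandbox report. SAMPLE_EVENTS are constructed
records in the shape of Sysmon Event ID 13 (RegistryEvent, Value Set)
fields, built from the indicators the report lists; rule names and
severities are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Policy key the report shows C:\Windows\Temp\1.exe populating. Each of these
# values set to 1 switches off one Defender real-time feature.
RTP_POLICY_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
                  r"\Real-Time Protection")
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
# Tamper Protection guards the settings above; 0 turns that guard off.
TAMPER_VALUE = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender"
                r"\Features\TamperProtection")
# wextract.exe (IExpress self-extractor) writes RunOnce\wextract_cleanupN so
# that advpack.dll!DelNodeRunDLL32 removes its IXP00N.TMP folder at next
# logon. Stock Windows behaviour, so it is rated informational, not persistence.
WEXTRACT_CLEANUP = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Sysmon renders hives as HKLM\ / HKU\; the report uses native \REGISTRY\ paths.
HIVE_ALIASES = {"hklm\\": "\\REGISTRY\\MACHINE\\", "hku\\": "\\REGISTRY\\USER\\"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    rule: str
    image: str
    target: str
    detail: str


def normalize(target: str) -> str:
    """Rewrite HKLM\\... / HKU\\... to the native \\REGISTRY\\... form."""
    low = target.lower()
    for alias, native in HIVE_ALIASES.items():
        if low.startswith(alias):
            return native + target[len(alias):]
    return target


def dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000001)' rendering, or a bare integer."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{1,8})\)", details.strip())
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for one event, or None when it is not interesting."""
    target = normalize(event["TargetObject"])
    image, details = event["Image"], event["Details"]
    key, _, value_name = target.rpartition("\\")
    if (key.lower() == RTP_POLICY_KEY.lower()
            and value_name in RTP_DISABLE_VALUES and dword(details) == 1):
        return Finding("high", "defender_rtp_feature_disabled", image, target,
                       f"{value_name} = 1")
    if target.lower() == TAMPER_VALUE.lower() and dword(details) == 0:
        return Finding("high", "defender_tamper_protection_off", image, target,
                       "TamperProtection = 0")
    # Checked before the generic Run-key rule so the benign artifact is not
    # reported as persistence.
    if WEXTRACT_CLEANUP.search(target) and "DelNodeRunDLL32" in details:
        return Finding("info", "wextract_cleanup_runonce", image, target,
                       "self-extractor cleanup entry")
    if RUN_KEY.search(target):
        return Finding("medium", "run_key_persistence", image, target, details)
    return None


def triage(events) -> list:
    """Findings in event order; uninteresting events are dropped."""
    return [f for f in map(classify, events) if f is not None]


# Constructed from the report's indicators (plus one benign noise event).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\1.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\Temp\1.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"Image": r"C:\Windows\explorer.exe",   # constructed benign noise
     "TargetObject": r"HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.image} -> {f.detail}")
```

Only the two writes by 1.exe come out as high; the wextract_cleanup entries are kept as an informational trace of the self-extractor chain rather than counted as persistence.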
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1624 -ip 1624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1384
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5612 -ip 5612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 1220
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672927.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672927.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe
| MD5 | 96706b8b632ee3431c548020eb16d8ad |
| SHA1 | 1c4d60afd010924901313f05fbaa32ab0f19aed9 |
| SHA256 | 36d8836cae2cd11b6e2567501db76d02ce2342da657cc97928ede554b8a66066 |
| SHA512 | 43de98b07f08d220b5ca77fa2d6323f4aa17fbaee7f938328f8fb897d5ab1d34a4e06fcb990542716985326daf8706788030bba9bce00ca53d93b8a5b6848b69 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe
| MD5 | be0d413153569192f050beb48b0a2572 |
| SHA1 | 909732a2eb3617bcc1af584a0a7ead26702d65c8 |
| SHA256 | 0e3f5f78f9534e5ee8085d78fb6f4e7a41adebb2fdd88b492534c25bf4d78d0b |
| SHA512 | 96f8708783317f5d1098b9ec4be3c23c4c0715acd30c653447109819dc500a10a327d12c481cb19d5af69b34a9fc2f403cdd48d8a0dd7357086873ecbe18a88a |
memory/1624-15-0x0000000000AA0000-0x0000000000BA0000-memory.dmp
memory/1624-16-0x0000000000930000-0x000000000097C000-memory.dmp
memory/1624-17-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1624-18-0x0000000000400000-0x000000000081C000-memory.dmp
memory/1624-19-0x00000000028F0000-0x0000000002948000-memory.dmp
memory/1624-20-0x0000000004F00000-0x00000000054A4000-memory.dmp
memory/1624-21-0x0000000004E20000-0x0000000004E76000-memory.dmp
memory/1624-22-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-29-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-85-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-83-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-79-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-77-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-75-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-73-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-71-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-69-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-67-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-65-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-61-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-59-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-57-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-55-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-53-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-51-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-49-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-47-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-45-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-43-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-41-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-37-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-35-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-34-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-31-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-27-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-25-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-23-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-81-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-63-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-39-0x0000000004E20000-0x0000000004E71000-memory.dmp
memory/1624-2150-0x0000000005720000-0x000000000572A000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/5152-2163-0x0000000000250000-0x000000000025A000-memory.dmp
memory/1624-2165-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1624-2166-0x0000000000400000-0x000000000081C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe
| MD5 | 93e278c689042dee812fcebfcbe6308b |
| SHA1 | f956bbd31ab7203af9174b25bea75ec6ebc92501 |
| SHA256 | a3a28037241c25dbfb35c011279c7ab29dc89783f4da3a4d968b52d66a54e73a |
| SHA512 | a1de1cf64aafabc84746d12947936841276635132827e21500183adcfcdc25787658255612e14b9c430f3208a508c1b4374799b025f416724d9a1f9d45c46a85 |
memory/5612-2171-0x0000000002870000-0x00000000028D8000-memory.dmp
memory/5612-2172-0x0000000005540000-0x00000000055A6000-memory.dmp
memory/5612-4319-0x0000000005750000-0x0000000005782000-memory.dmp
memory/5612-4320-0x0000000005790000-0x0000000005822000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672927.exe
| MD5 | 16cf18c8ef1d4be89b36e27c8fb88e9d |
| SHA1 | 7811ba84f75a1adc6d995c2c1121ec996d1cc003 |
| SHA256 | 116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8 |
| SHA512 | 4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd |
memory/5240-4326-0x0000000000D90000-0x0000000000DC0000-memory.dmp
memory/5240-4327-0x0000000005670000-0x0000000005676000-memory.dmp
memory/5240-4328-0x0000000005D50000-0x0000000006368000-memory.dmp
memory/5240-4329-0x0000000005840000-0x000000000594A000-memory.dmp
memory/5240-4330-0x0000000005700000-0x0000000005712000-memory.dmp
memory/5240-4331-0x0000000005770000-0x00000000057AC000-memory.dmp
memory/5240-4332-0x00000000057C0000-0x000000000580C000-memory.dmp
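The report never prints a PID next to a process image, but two things in it carry PIDs anyway: every memory dump is named memory/<pid>-<sequence>-<start>-<end>-memory.dmp and is listed under the file it was taken from, and each WerFault.exe instance names the crashing process in its -p argument. Correlating the two recovers which dropped executables crashed (1624 is 78656478.exe, 5612 is rk018675.exe, matching the Program crash table) and which dumped regions belong to which process. The script below is an added example, not part of the report; REPORT is a constructed excerpt of the page's Processes and Files sections, and the assumption that a PID's first dump appears under its own file entry (later dumps of 1624 also appear under the 1.exe entry) is this example's own.

```python
"""Correlate WerFault '-p <pid>' arguments with memory-dump file names.

Added example, not part of the sandbox report. REPORT is a constructed
excerpt of the page's Processes and Files sections.
"""
import re

REPORT = r"""
Processes
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1624 -ip 1624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1384
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5612 -ip 5612
Files
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe
| MD5 | be0d413153569192f050beb48b0a2572 |
memory/1624-15-0x0000000000AA0000-0x0000000000BA0000-memory.dmp
memory/1624-17-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1624-2150-0x0000000005720000-0x000000000572A000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
memory/5152-2163-0x0000000000250000-0x000000000025A000-memory.dmp
memory/1624-2165-0x0000000000400000-0x000000000044F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe
| MD5 | 93e278c689042dee812fcebfcbe6308b |
memory/5612-2171-0x0000000002870000-0x00000000028D8000-memory.dmp
"""

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# '-pss' must not match: require whitespace on both sides of '-p'.
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)")


def split_sections(text: str) -> dict:
    """Split the excerpt into {'Processes': [...], 'Files': [...]}."""
    sections, current = {}, None
    for line in text.strip().splitlines():
        if line in ("Processes", "Files"):
            current = sections.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return sections


def pid_to_image(file_lines) -> dict:
    """Map each PID to the file entry its dumps first appear under.

    Dumps are listed in the order they were taken, so a PID can show up
    again under a later file entry (1624 does, under 1.exe); the first
    association is kept (assumption of this example).
    """
    mapping, current_file = {}, None
    for line in file_lines:
        m = DUMP_RE.match(line)
        if m:
            mapping.setdefault(int(m.group(1)), current_file)
        elif not line.startswith("|"):      # hash rows are skipped
            current_file = line
    return mapping


def crashed_pids(process_lines) -> list:
    """PIDs named by WerFault '-p', deduplicated, in order of appearance."""
    pids = []
    for line in process_lines:
        m = WERFAULT_PID_RE.search(line)
        if m and int(m.group(1)) not in pids:
            pids.append(int(m.group(1)))
    return pids


def crashed_images(text: str) -> dict:
    """{pid: image path} for every process WerFault handled."""
    s = split_sections(text)
    images = pid_to_image(s.get("Files", []))
    return {pid: images.get(pid) for pid in crashed_pids(s.get("Processes", []))}


def dump_regions(file_lines, pid: int) -> list:
    """Distinct (start, size) regions dumped for a PID, sorted by address;
    repeated dumps of the same region collapse to one entry."""
    regions = set()
    for line in file_lines:
        m = DUMP_RE.match(line)
        if m and int(m.group(1)) == pid:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.add((start, end - start))
    return sorted(regions)


if __name__ == "__main__":
    for pid, image in crashed_images(REPORT).items():
        print(f"PID {pid} crashed: {image}")
```

Run over the full page instead of the excerpt, dump_regions is the quick way to spot the region of 1624 at 0x400000 that was dumped repeatedly (one of the candidates to carve for the unpacked payload), while crashed_images confirms both WerFault pairs belong to the two IXP001.TMP executables.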