Malware Analysis Report

2024-10-16 03:50

Sample ID 240508-tfv9gscd7v
Target fcc1584f1926d09667e8eff1649a1270_NEIKI
SHA256 02b90bc7cf5a91d558cd6cca8f15811367dcccbe0bb3b6bb91957492770540bd
Tags
healer redline dark dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file fcc1584f1926d09667e8eff1649a1270_NEIKI was found to be: Known bad.

Malicious Activity Summary

Healer

RedLine payload

RedLine

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 16:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 16:00

Reported

2024-05-08 16:03

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3616 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe
PID 4628 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe
PID 1624 wrote to memory of 5152 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe C:\Windows\Temp\1.exe
PID 4628 wrote to memory of 5612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe
PID 3616 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672927.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\fcc1584f1926d09667e8eff1649a1270_NEIKI.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1624 -ip 1624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1384

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5612 -ip 5612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 1220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672927.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672927.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 104.246.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un300244.exe

MD5 96706b8b632ee3431c548020eb16d8ad
SHA1 1c4d60afd010924901313f05fbaa32ab0f19aed9
SHA256 36d8836cae2cd11b6e2567501db76d02ce2342da657cc97928ede554b8a66066
SHA512 43de98b07f08d220b5ca77fa2d6323f4aa17fbaee7f938328f8fb897d5ab1d34a4e06fcb990542716985326daf8706788030bba9bce00ca53d93b8a5b6848b69

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78656478.exe

MD5 be0d413153569192f050beb48b0a2572
SHA1 909732a2eb3617bcc1af584a0a7ead26702d65c8
SHA256 0e3f5f78f9534e5ee8085d78fb6f4e7a41adebb2fdd88b492534c25bf4d78d0b
SHA512 96f8708783317f5d1098b9ec4be3c23c4c0715acd30c653447109819dc500a10a327d12c481cb19d5af69b34a9fc2f403cdd48d8a0dd7357086873ecbe18a88a

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk018675.exe

MD5 93e278c689042dee812fcebfcbe6308b
SHA1 f956bbd31ab7203af9174b25bea75ec6ebc92501
SHA256 a3a28037241c25dbfb35c011279c7ab29dc89783f4da3a4d968b52d66a54e73a
SHA512 a1de1cf64aafabc84746d12947936841276635132827e21500183adcfcdc25787658255612e14b9c430f3208a508c1b4374799b025f416724d9a1f9d45c46a85

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si672927.exe

MD5 16cf18c8ef1d4be89b36e27c8fb88e9d
SHA1 7811ba84f75a1adc6d995c2c1121ec996d1cc003
SHA256 116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8
SHA512 4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd
