Overview

overview

10

Static

static

3

15af2dc825...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 22:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15af2dc825a983bccd01fc6a43226810_NeikiAnalytics.exe

  • Size

    694KB

  • MD5

    15af2dc825a983bccd01fc6a43226810

  • SHA1

    4785010bc357c06fd4bd0402dd5b5d205dedab32

  • SHA256

    0f08729e15fe0369d56d293f705e27bdf8ef095b2d7fd36c7c852f9a61b86c00

  • SHA512

    04f22b3474497919d034096f4930b451cfb23cd218579e8b3514af345b4f360c3f49784218416c3ee58d06d029b4cff46b088dd68bfecf1b31fc214a8ad75498

  • SSDEEP

    12288:Gy90SEzldUgrwhFTxp8onXRlMoKWR6F918byKMA+oEM9+L:GyVEzldnKFf8kXbMo96F918byrLqM

Score
10/10
healerredlinezgratdropperevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • Detect ZGRat V1 19 IoCs
  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15af2dc825a983bccd01fc6a43226810_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\15af2dc825a983bccd01fc6a43226810_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993049.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993049.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4632
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1088
          4⤵
          • Program crash
          PID:448
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk204231.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk204231.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3364
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4852
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4632 -ip 4632
      1⤵
        PID:1512

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993049.exe
        Filesize

        540KB

        MD5

        d08a0e32f2dd61184a9b5bc20579de6f

        SHA1

        9c9914303b0a751abebc24cbc958585a4fd1dce8

        SHA256

        460af633a14556d5dc52359f7eac5c1d1b68cf5e60d992003df94f671c175611

        SHA512

        b5eaca793c4a4b151c67bfeaa26e64a084d300a7ec311ee645287b21fed44cc436ebb5bbfc6ad70da9fa03e928e77d425caa709e98e0c35fda1373da965fd22e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe
        Filesize

        258KB

        MD5

        1c118f3478d8f496e0b351e3b65a3e89

        SHA1

        b5a8118c1318ad4451de4594931ed97f9ba0bc5b

        SHA256

        cb1d3d23c82bed86e9db8cdc4681dd9f81fb86ca62ee2a3aa0d73d6c92acc311

        SHA512

        4b7524542cac9e317ac1264101c12172e75eb34893f81539530a7e61d1d326555ce7aa191b5d48cee2606b2e5728ccfc01245010eda7b919c2ac70fe8130b7d2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk204231.exe
        Filesize

        340KB

        MD5

        d08cc1bc8f11f7874716c900958ba5aa

        SHA1

        17105f807d5de16fa5a8e089a7cbf36e5345ee4c

        SHA256

        e40790bb229c7de8b8415245604e2a776a3249930b8cb3e798d2e146cf988ff7

        SHA512

        38ff73bfc5c95d37fc4268d129b610f112fafc5181ebb4c95c73c5343a9725bd7c78f934ffd8f93a5432db7dd8ea34b3fef18bfb5165f7a4bcb609149c520cb4

        Download Submit

      • memory/3364-72-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-74-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-858-0x000000000A330000-0x000000000A342000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3364-857-0x0000000009C70000-0x000000000A288000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3364-66-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-86-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-92-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-68-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-70-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-860-0x000000000A470000-0x000000000A4AC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3364-861-0x000000000A5F0000-0x000000000A63C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3364-859-0x000000000A350000-0x000000000A45A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3364-76-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-78-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-84-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-88-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-90-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-95-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-96-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-80-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-82-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-65-0x0000000007740000-0x0000000007775000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3364-64-0x0000000007740000-0x000000000777A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/3364-63-0x0000000004AE0000-0x0000000004B1C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4632-45-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-58-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4632-56-0x0000000000400000-0x0000000002B9B000-memory.dmp

        Filesize

        39.6MB

        Download

      • memory/4632-53-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4632-52-0x0000000002D00000-0x0000000002D2D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4632-51-0x0000000002C00000-0x0000000002D00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4632-43-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-23-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-25-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-29-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-31-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-33-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-36-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-37-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-39-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-41-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-47-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-49-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-27-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-22-0x0000000007270000-0x0000000007283000-memory.dmp

        Filesize

        76KB

        Download

      • memory/4632-21-0x0000000007270000-0x0000000007288000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4632-20-0x0000000007390000-0x0000000007934000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4632-19-0x0000000004A60000-0x0000000004A7A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4632-18-0x0000000000400000-0x0000000002B9B000-memory.dmp

        Filesize

        39.6MB

        Download

      • memory/4632-17-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4632-16-0x0000000002D00000-0x0000000002D2D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4632-15-0x0000000002C00000-0x0000000002D00000-memory.dmp

        Filesize

        1024KB

        Download