Malware Analysis Report

2024-10-16 03:51

Sample ID 240509-2r3rpsee25
Target 15af2dc825a983bccd01fc6a43226810_NeikiAnalytics
SHA256 0f08729e15fe0369d56d293f705e27bdf8ef095b2d7fd36c7c852f9a61b86c00
Tags
healer redline zgrat dropper evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f08729e15fe0369d56d293f705e27bdf8ef095b2d7fd36c7c852f9a61b86c00

Threat Level: Known bad

The file 15af2dc825a983bccd01fc6a43226810_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

healer redline zgrat dropper evasion infostealer persistence rat trojan

Modifies Windows Defender Real-time Protection settings

Detect ZGRat V1

RedLine

Detects Healer an antivirus disabler dropper

RedLine payload

Healer

ZGRat

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 22:49

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 22:49

Reported

2024-05-09 22:52

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15af2dc825a983bccd01fc6a43226810_NeikiAnalytics.exe"

Signatures

Detect ZGRat V1

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe N/A

RedLine

infostealer redline

RedLine payload

ZGRat

rat zgrat

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\15af2dc825a983bccd01fc6a43226810_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993049.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk204231.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4248 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\15af2dc825a983bccd01fc6a43226810_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993049.exe
PID 2192 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993049.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe
PID 2192 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993049.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk204231.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15af2dc825a983bccd01fc6a43226810_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\15af2dc825a983bccd01fc6a43226810_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993049.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993049.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk204231.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk204231.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un993049.exe

MD5 d08a0e32f2dd61184a9b5bc20579de6f
SHA1 9c9914303b0a751abebc24cbc958585a4fd1dce8
SHA256 460af633a14556d5dc52359f7eac5c1d1b68cf5e60d992003df94f671c175611
SHA512 b5eaca793c4a4b151c67bfeaa26e64a084d300a7ec311ee645287b21fed44cc436ebb5bbfc6ad70da9fa03e928e77d425caa709e98e0c35fda1373da965fd22e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08517523.exe

MD5 1c118f3478d8f496e0b351e3b65a3e89
SHA1 b5a8118c1318ad4451de4594931ed97f9ba0bc5b
SHA256 cb1d3d23c82bed86e9db8cdc4681dd9f81fb86ca62ee2a3aa0d73d6c92acc311
SHA512 4b7524542cac9e317ac1264101c12172e75eb34893f81539530a7e61d1d326555ce7aa191b5d48cee2606b2e5728ccfc01245010eda7b919c2ac70fe8130b7d2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk204231.exe

MD5 d08cc1bc8f11f7874716c900958ba5aa
SHA1 17105f807d5de16fa5a8e089a7cbf36e5345ee4c
SHA256 e40790bb229c7de8b8415245604e2a776a3249930b8cb3e798d2e146cf988ff7
SHA512 38ff73bfc5c95d37fc4268d129b610f112fafc5181ebb4c95c73c5343a9725bd7c78f934ffd8f93a5432db7dd8ea34b3fef18bfb5165f7a4bcb609149c520cb4