Overview

overview

10

Static

static

3

27650526c8...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27650526c893d78dfa8b90b5c6233330_NeikiAnalytics.exe

  • Size

    479KB

  • MD5

    27650526c893d78dfa8b90b5c6233330

  • SHA1

    a44b1cf9fd805793ac25c04422018bc295965509

  • SHA256

    3d94a69915db5486a64d3447a4ed5613998fc8b3096fdbd1d25e2dc030b883da

  • SHA512

    c4d2ef206cdd269a6a7d7a8d84dce3d5465a97ef60237deaa712919e3688a9c1a0e1831f284d19577c3c90a8f03b657567b278f5744a10254a5b59ca46211497

  • SSDEEP

    12288:7Mrmy900hwhQwrVtZHrILoQebvndzl8XDOdyVEB:NyrwayNILohvn8OQe

Score
10/10
healerredlineditrodropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes
  • auth_value

    8f24ed370a9b24aa28d3d634ea57912e

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27650526c893d78dfa8b90b5c6233330_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\27650526c893d78dfa8b90b5c6233330_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5920556.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5920556.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8811583.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8811583.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3216
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2340798.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2340798.exe
        3⤵
        • Executes dropped EXE
        PID:3256

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5920556.exe
    Filesize

    307KB

    MD5

    0664ccaa3004015b5747c0249df7f9ae

    SHA1

    b4789d96fc982831482c4ccfdc8bdf34b885e890

    SHA256

    881d984c7270747c56935317548cd71bcc11b8d64b637f9e7e1a4dec75049703

    SHA512

    803d11e7388d421ed9be8cfa1ebcc38093c6e85a6409791cef1e17196e19562254104db298fc10524b68a327f97c89d4520e930e30e169d4d267f49c2930604c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8811583.exe
    Filesize

    178KB

    MD5

    23917669a29f710de5b5a0e9714b886c

    SHA1

    b098437e4a05fcecc131099df87b67b538b435ad

    SHA256

    a915d717e0bd998cdcb55c3376cfa3e38397b46d3dce4884e50a0d9a1dda1b2a

    SHA512

    4ce878ee9bf7461abbdd3e6cc861205b4026c3d8f8f4888ed3c4076ecb296e02f464aa515d6a8ba5f3815c111e2bc67a29700dcd3a27dd56cf253031f6d60d61

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2340798.exe
    Filesize

    168KB

    MD5

    5ecbccb64e6d0f82cffcfdce4721e8df

    SHA1

    d64a845af53d34951767ee1d0d16d9392a64816a

    SHA256

    bd84a081db3398e2328a32e6469785459411af4f2865ab3b54b7887bad402701

    SHA512

    3d74fa5f33a298af83d3048a59cfeaf9b2dae5d83ae0aa5a154fc8bfebc1ea5c290afe8f37a7c287119fa0c02538db5435f8d61547836db86475b93da7be1e76

    Download Submit

  • memory/3216-46-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-20-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-28-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-18-0x0000000004980000-0x0000000004998000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3216-26-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-15-0x0000000002020000-0x000000000203A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3216-44-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-42-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-40-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-38-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-36-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-24-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-32-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-30-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-16-0x00000000746B0000-0x0000000074E60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3216-17-0x00000000049E0000-0x0000000004F84000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3216-34-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-22-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-19-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3216-47-0x00000000746B0000-0x0000000074E60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3216-49-0x00000000746B0000-0x0000000074E60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3216-14-0x00000000746BE000-0x00000000746BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3256-53-0x0000000000EA0000-0x0000000000ED0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3256-54-0x00000000056C0000-0x00000000056C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3256-55-0x0000000005E80000-0x0000000006498000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3256-56-0x0000000005970000-0x0000000005A7A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3256-57-0x0000000005710000-0x0000000005722000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3256-58-0x00000000058A0000-0x00000000058DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3256-59-0x00000000058E0000-0x000000000592C000-memory.dmp

    Filesize

    304KB

    Download