Malware Analysis Report

2024-10-16 03:47

Sample ID: 240509-sr14fabf45
Target: 715b0b4d5559bec60514dfe136a03460_NeikiAnalytics
SHA256: ad919110ee13402451a9608b60f6f05c353c830b4d49d6bfd4fb723bb66421c7
Tags: healer redline morty dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: ad919110ee13402451a9608b60f6f05c353c830b4d49d6bfd4fb723bb66421c7

Threat Level: Known bad

The file 715b0b4d5559bec60514dfe136a03460_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline morty dropper evasion infostealer persistence trojan

RedLine payload

RedLine

Detects Healer, an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-09 15:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 15:22
Reported: 2024-05-09 15:24
Platform: win10v2004-20240426-en
Max time kernel: 142s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 identical rows; the report records no indicator, process or target details for this signature)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 identical rows; the report records no details for this signature)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2996 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe (3 identical rows)
PID 940 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe (3 identical rows)
PID 940 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1814710.exe (3 identical rows)

Processes

Process: C:\Users\Admin\AppData\Local\Temp\715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1814710.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1814710.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 2.17.196.179:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.136.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 179.196.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
BE | 2.17.196.179:443 | www.bing.com | tcp
DE | 217.196.96.101:4132 | (none) | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
DE | 217.196.96.101:4132 | (none) | tcp
DE | 217.196.96.101:4132 | (none) | tcp
US | 8.8.8.8:53 | 104.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
DE | 217.196.96.101:4132 | (none) | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
DE | 217.196.96.101:4132 | (none) | tcp
DE | 217.196.96.101:4132 | (none) | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe

MD5: c72b51e9396e3560ee77227b3aca58e0
SHA1: 5ed660f289156d0296490b4e42c94471db7f4330
SHA256: 6e6113efb8d2ac46560561b1454f78d94894792d369632b1f2dbc3b0123aa683
SHA512: 0f3769f9ac64ff3652e2630f1540d59cf70cab2c5624f017a09517895534254a018f6f978220e0888d5590aa8b811fa4f1520fc4860d7572e06e98b11b146ad0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe

MD5: 4e273ee54a407e84a6df1a8183727d35
SHA1: dfa0af2ef73ca96f24015aedc8cc2fc4bd189914
SHA256: 1c486a6da10c5dad2478130c2613c816d903a1f441f8f950d63b13ebcc52448b
SHA512: a46d53a824724b050ce791b9122df29fbc05bc4c16ee5f16a41ec28c43e8ea51dd94e56a0ddc10b77e79dffc92346b8957ff6afbcd620514cbe71ffa32653375

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1814710.exe

MD5: 2e700cbfaa9fc12b0ee21f829e859d6b
SHA1: f180b969f1f1cbabe6a64983ade51bcd7c1ef76b
SHA256: dfa7318a2783adfdfa039cb4980e151693218bef33f253ef38dc39173adfd408
SHA512: 63d08aa792b5973147796b593fa6c0c193c1c439ebfa8e1a190d28e7752ade5a0a54d962f1333463ca9e4cafd2f20d9e7165dd6f8fb1e0ba16e5b202174cb5d1
