Analysis Overview
SHA256
ad919110ee13402451a9608b60f6f05c353c830b4d49d6bfd4fb723bb66421c7
Threat Level: Known bad
The file 715b0b4d5559bec60514dfe136a03460_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 15:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 15:22
Reported
2024-05-09 15:24
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
150s
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(18 matches reported; the export carries no per-match detail)
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1814710.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe | N/A |
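Three things in the registry tables above are worth pulling out programmatically when this kind of report lands in a queue: the Defender Real-Time Protection policy values being forced to 1, the TamperProtection feature flag being forced to 0, and the RunOnce entries. The last of these is easy to over-read: wextract_cleanupN values that call advpack.dll's DelNodeRunDLL32 on an IXP00n.TMP directory are the standard self-cleanup that wextract.exe (the IExpress self-extractor) registers after unpacking, so here they say "nested self-extracting layers" rather than "persistence". Note also that every path is logged under WOW6432Node, the redirected view a 32-bit process gets for HKLM\SOFTWARE; the report records the writes, not whether the 64-bit Defender service acted on them, and on a host with Tamper Protection on, direct edits of these values are designed to be ignored. The script below is an added example, not part of the report or of the sandbox's own tooling: it parses rows in the report's pipe-table format (the sample rows are copied from the tables above and constructed here as inline input), decodes the backslash-escaped string data, and tags each write. The tag names and the "standard" key suffixes are my own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry rows copied from the signature tables above; constructed here as sample
# input so the example runs offline. The pipe-table layout is the report's own.
SAMPLE_ROWS = [
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe | N/A |',
]

# Key suffixes, compared case-insensitively. The hive prefix and any WOW6432Node
# component are deliberately left out so both registry views match.
DEFENDER_RTP_POLICY = r'\policies\microsoft\windows defender\real-time protection'
DEFENDER_FEATURES = r'\microsoft\windows defender\features'
RUNONCE = r'\microsoft\windows\currentversion\runonce'
CLEANUP_RE = re.compile(r'DelNodeRunDLL32\s+"([^"]+)"')


@dataclass
class RegistryEvent:
    operation: str             # "Set value (int)", "Key created", ...
    key_path: str              # key as logged (value name split off for Set value)
    value_name: Optional[str]  # None for "Key created"
    data: Optional[str]        # decoded data for Set value rows
    process: str


@dataclass
class Finding:
    tag: str
    process: str
    detail: str
    wow64_redirected: bool     # path logged under WOW6432Node, i.e. a 32-bit writer


def _unescape(s: str) -> str:
    # Undo the export's escaping: a backslash-escaped character becomes the character itself.
    return re.sub(r'\\(.)', r'\1', s)


def parse_registry_row(row: str) -> RegistryEvent:
    cells = [c.strip() for c in row.strip().strip('|').split('|')]
    if len(cells) != 4:
        raise ValueError(f'expected 4 cells, got {len(cells)}: {row!r}')
    operation, indicator, process, _target = cells
    if not operation.startswith('Set value'):
        return RegistryEvent(operation, indicator, None, None, process)
    value_path, _, raw = indicator.partition(' = ')
    if raw.startswith('"') and raw.endswith('"'):   # the export quotes int and string data alike
        raw = raw[1:-1]
    key_path, _, value_name = value_path.rpartition('\\')
    return RegistryEvent(operation, key_path, value_name, _unescape(raw), process)


def classify(ev: RegistryEvent) -> Optional[Finding]:
    if ev.value_name is None:
        return None                                   # key creation alone is not a verdict
    key = ev.key_path.lower()
    redirected = '\\wow6432node\\' in key
    name, data = ev.value_name, ev.data or ''
    if key.endswith(DEFENDER_RTP_POLICY) and name.startswith('Disable') and data == '1':
        return Finding('defender_realtime_policy_disabled', ev.process, f'{name}={data}', redirected)
    if key.endswith(DEFENDER_FEATURES) and name == 'TamperProtection' and data == '0':
        return Finding('defender_tamper_protection_off', ev.process, f'{name}={data}', redirected)
    if key.endswith(RUNONCE):
        m = CLEANUP_RE.search(data)
        if name.startswith('wextract_cleanup') and m:
            # wextract's own post-extraction cleanup: names the IXP*.TMP directory a
            # self-extracting layer used; it is not persistence.
            return Finding('wextract_runonce_cleanup', ev.process, m.group(1), redirected)
        return Finding('runonce_autostart', ev.process, f'{name}={data}', redirected)
    return None


def triage(rows: List[str]) -> List[Finding]:
    findings = []
    for row in rows:
        f = classify(parse_registry_row(row))
        if f is not None:
            findings.append(f)
    return findings


def tag_counts(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.tag for f in findings))


if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        exe = f.process.rsplit('\\', 1)[-1]
        print(f'{f.tag:34} {f.detail!r:58} {exe}  wow64={f.wow64_redirected}')
```

Run against the five sample rows it yields two Real-Time Protection policy disables and one TamperProtection write, all from a8766803.exe, plus the cleanup entry from v4270029.exe naming IXP001.TMP, which is how you can read the extraction chain out of the RunOnce table without a process tree.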
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1814710.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1814710.exe
Nesting (inferred from the IXP000.TMP/IXP001.TMP extraction directories and the wextract_cleanup0/1 RunOnce entries above; the export does not state parent/child relationships): the submitted file extracts to IXP000.TMP and runs v4270029.exe, which in turn extracts to IXP001.TMP and runs a8766803.exe and b1814710.exe. IXP00n.TMP is the temporary directory naming used by wextract.exe, the IExpress self-extractor.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.179:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| BE | 2.17.196.179:443 | www.bing.com | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 104.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
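Almost everything in the network table is the detonation host talking to itself: DNS to 8.8.8.8, a run of in-addr.arpa reverse lookups, and Bing endpoints that a Windows 10 image reaches on its own. What is left is six TCP sessions to 217.196.96.101:4132 with no name in front of them. A raw IP on a high, non-standard port is consistent with how RedLine is known to reach its C2, but the report does not attribute the traffic, so it is a lead to confirm against the memory dumps, not a confirmed indicator. The script below is an added example, not part of the report or of the sandbox's tooling: it reads rows in the report's table format, including the shifted rows the export produced when the Domain cell was empty, separates the sandbox's own DNS and background traffic from the rest, and reports the remaining destinations with the reasons they stand out. The sample rows are copied from the table above and constructed here as inline input; the background-domain list and the definition of a "standard" port are my assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Rows copied from the Network table above, constructed as sample input. The export
# has two row shapes: the normal one, and a shifted one in which a missing Domain
# cell let the protocol slide one column to the left (with or without a trailing
# empty cell). The parser accepts both.
SAMPLE_ROWS = [
    '| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |',
    '| US | 8.8.8.8:53 | g.bing.com | udp |',
    '| US | 204.79.197.237:443 | g.bing.com | tcp |',
    '| BE | 2.17.196.179:443 | www.bing.com | tcp |',
    '| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |',
    '| DE | 217.196.96.101:4132 | tcp | |',
    '| DE | 217.196.96.101:4132 | tcp | |',
    '| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |',
    '| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |',
    '| DE | 217.196.96.101:4132 | | tcp |',
    '| DE | 217.196.96.101:4132 | | tcp |',
    '| DE | 217.196.96.101:4132 | tcp |',
    '| DE | 217.196.96.101:4132 | tcp | |',
]

DNS_RESOLVERS = {'8.8.8.8'}                        # the sandbox's resolver, per the table
BACKGROUND_SUFFIXES = ('.bing.com', '.bing.net')   # assumption: Windows 10 background traffic
WEB_PORTS = {80, 443}                              # assumption: what "standard port" means here


@dataclass(frozen=True)
class Connection:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_network_row(row: str) -> Connection:
    cells = [c.strip() for c in row.strip().strip('|').split('|')]
    if len(cells) < 3:
        raise ValueError(f'too few cells: {row!r}')
    country, dest = cells[0], cells[1]
    # Whatever non-empty cells remain, the protocol is the one that says tcp/udp
    # and the domain is the other one, if any; this absorbs the shifted rows.
    rest = [c for c in cells[2:] if c]
    proto = next((c.lower() for c in rest if c.lower() in ('tcp', 'udp')), None)
    if proto is None:
        raise ValueError(f'no protocol cell: {row!r}')
    domain = next((c for c in rest if c.lower() not in ('tcp', 'udp')), None)
    ip, _, port = dest.rpartition(':')
    return Connection(country, ip, int(port), domain, proto)


def is_background_domain(domain: str) -> bool:
    return domain.lower().endswith(BACKGROUND_SUFFIXES)


def summarize(rows: List[str]) -> Tuple[Set[str], List[Dict]]:
    conns = [parse_network_row(r) for r in rows]
    dns_names: Set[str] = set()
    counts: Counter = Counter()
    for c in conns:
        if c.port == 53 and c.ip in DNS_RESOLVERS:
            # DNS: keep forward lookups of names that are neither PTR nor background
            if c.domain and not c.domain.endswith('.in-addr.arpa') and not is_background_domain(c.domain):
                dns_names.add(c.domain)
            continue
        if c.domain and is_background_domain(c.domain):
            continue
        counts[(c.ip, c.port, c.proto)] += 1
    candidates = []
    for (ip, port, proto), n in counts.most_common():
        reasons = []
        if port not in WEB_PORTS:
            reasons.append('non-standard port')
        if not any(c.domain for c in conns if c.ip == ip and c.port == port):
            reasons.append('no associated name')
        candidates.append({'dest': f'{ip}:{port}', 'proto': proto, 'count': n, 'reasons': reasons})
    return dns_names, candidates


if __name__ == '__main__':
    names, cands = summarize(SAMPLE_ROWS)
    print('resolved names worth a look:', sorted(names) or 'none')
    for c in cands:
        print(f"{c['dest']}/{c['proto']}: {c['count']} session(s); {', '.join(c['reasons'])}")
```

Repeated sessions to the same IP:port over the run, with no DNS resolution in front of them, is the shape to look for; a single hit would be far weaker, and a destination that was reached via a name you can also see in the DNS rows would be pivoted on by name rather than by address.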
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe
| MD5 | c72b51e9396e3560ee77227b3aca58e0 |
| SHA1 | 5ed660f289156d0296490b4e42c94471db7f4330 |
| SHA256 | 6e6113efb8d2ac46560561b1454f78d94894792d369632b1f2dbc3b0123aa683 |
| SHA512 | 0f3769f9ac64ff3652e2630f1540d59cf70cab2c5624f017a09517895534254a018f6f978220e0888d5590aa8b811fa4f1520fc4860d7572e06e98b11b146ad0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe
| MD5 | 4e273ee54a407e84a6df1a8183727d35 |
| SHA1 | dfa0af2ef73ca96f24015aedc8cc2fc4bd189914 |
| SHA256 | 1c486a6da10c5dad2478130c2613c816d903a1f441f8f950d63b13ebcc52448b |
| SHA512 | a46d53a824724b050ce791b9122df29fbc05bc4c16ee5f16a41ec28c43e8ea51dd94e56a0ddc10b77e79dffc92346b8957ff6afbcd620514cbe71ffa32653375 |
memory/2204-14-0x0000000073F9E000-0x0000000073F9F000-memory.dmp
memory/2204-15-0x0000000002190000-0x00000000021AA000-memory.dmp
memory/2204-17-0x00000000049A0000-0x0000000004F44000-memory.dmp
memory/2204-16-0x0000000073F90000-0x0000000074740000-memory.dmp
memory/2204-18-0x0000000002460000-0x0000000002478000-memory.dmp
memory/2204-46-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-44-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-40-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-47-0x0000000073F90000-0x0000000074740000-memory.dmp
memory/2204-30-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-24-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-22-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-20-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-19-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-42-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-38-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-36-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-34-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-32-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-28-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-26-0x0000000002460000-0x0000000002472000-memory.dmp
memory/2204-49-0x0000000073F90000-0x0000000074740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1814710.exe
| MD5 | 2e700cbfaa9fc12b0ee21f829e859d6b |
| SHA1 | f180b969f1f1cbabe6a64983ade51bcd7c1ef76b |
| SHA256 | dfa7318a2783adfdfa039cb4980e151693218bef33f253ef38dc39173adfd408 |
| SHA512 | 63d08aa792b5973147796b593fa6c0c193c1c439ebfa8e1a190d28e7752ade5a0a54d962f1333463ca9e4cafd2f20d9e7165dd6f8fb1e0ba16e5b202174cb5d1 |
memory/1716-53-0x0000000000BD0000-0x0000000000BFE000-memory.dmp
memory/1716-54-0x00000000014E0000-0x00000000014E6000-memory.dmp
memory/1716-55-0x0000000005B80000-0x0000000006198000-memory.dmp
memory/1716-56-0x0000000005670000-0x000000000577A000-memory.dmp
memory/1716-57-0x0000000005560000-0x0000000005572000-memory.dmp
memory/1716-58-0x00000000055C0000-0x00000000055FC000-memory.dmp
memory/1716-59-0x0000000005600000-0x000000000564C000-memory.dmp