Overview

overview

10

Static

static

3

06cc922bbf...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06cc922bbf2a4da7d68c682c7111ea00_NeikiAnalytics.exe

  • Size

    479KB

  • MD5

    06cc922bbf2a4da7d68c682c7111ea00

  • SHA1

    01c61c8bd76b8a2e939b4f24d40674d5692a0634

  • SHA256

    33232f657301f06deca16f7e078f6a7e082a0bd1837ed92fefec89b1b6eab906

  • SHA512

    c0cd35bc30ee1171d60a74444a0cb12db66a2e1c5034f4c6565eaaf0619931053a1afa74a37cdadbd39c995f36b258849c486a6983896eb678daab046dcb9622

  • SSDEEP

    6144:K5y+bnr+Vp0yN90QEBVXjr+vQkofbHDUShI811MPZPP9jKONDhFHwjqekrkGL:HMrRy90lzSLEHDFIQ1iP95DXgqbrky

Score
10/10
healerredlinedumuddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06cc922bbf2a4da7d68c682c7111ea00_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\06cc922bbf2a4da7d68c682c7111ea00_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9477257.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9477257.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4904
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5433425.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5433425.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:692
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6495021.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6495021.exe
        3⤵
        • Executes dropped EXE
        PID:1556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9477257.exe
    Filesize

    307KB

    MD5

    4dae8b133c57c27e1bf01757cb9d33ed

    SHA1

    0542ca27850cf2c12e83e0401d63e2e28cd42810

    SHA256

    d509d8a8b98727fb2c80240e14ceb2e2f1a84cca70810a8d52903a267ab0781c

    SHA512

    51cd17d53bdd97c2eb7e10819969f44a7943f373484ab59357f46ccc68e2bf128574056c7e00452db6b7720885e6cf8593eb109aebb7246ced0be569a8cfe19f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5433425.exe
    Filesize

    180KB

    MD5

    15811fa130faf6ade865ed3ff4cd99d6

    SHA1

    e75b07327f739516c95acfc38f10fa1f9eaa0bb1

    SHA256

    1c34d40d440b840b3520515b7f4fcbdcfbfe16beca8487210fa959379a3411e0

    SHA512

    2b8893132471ad4dfef677ada7dbea9f6bc6be46c65181c803f3a54660a5bd4b6781f05f1938104493f8dfcf38c08403e7cd96d7aa4b42ee4cf5522ef3bbf538

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6495021.exe
    Filesize

    168KB

    MD5

    bb7093762effc7c49c358b7047f7764d

    SHA1

    81a880b3e2e100008a1452a127d659571c4fa72a

    SHA256

    3d56ab8fefb64130e148bac7e3add9bdd81efcbde224305b7f6abc6a3a047b08

    SHA512

    7cd3db72985f1a34a01fc6e916607adca5d67186a99a0c7299f5cc16e33927c7ee37568999e2d7c4751b3f76d1bad60836827e225223c29838727165f2c78d1b

    Download Submit

  • memory/692-28-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-17-0x0000000004A50000-0x0000000004FF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/692-24-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-18-0x0000000002430000-0x0000000002448000-memory.dmp

    Filesize

    96KB

    Download

  • memory/692-42-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-46-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-44-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-40-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-38-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-36-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-34-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-32-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-30-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-15-0x0000000002140000-0x000000000215A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/692-26-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-16-0x00000000747D0000-0x0000000074F80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/692-22-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-20-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-19-0x0000000002430000-0x0000000002442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/692-47-0x00000000747D0000-0x0000000074F80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/692-48-0x00000000747D0000-0x0000000074F80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/692-50-0x00000000747D0000-0x0000000074F80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/692-14-0x00000000747DE000-0x00000000747DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1556-54-0x00000000009B0000-0x00000000009E0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1556-55-0x00000000052D0000-0x00000000052D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1556-56-0x00000000059D0000-0x0000000005FE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1556-58-0x0000000005320000-0x0000000005332000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1556-59-0x00000000053B0000-0x00000000053EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1556-57-0x00000000054C0000-0x00000000055CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1556-60-0x00000000053F0000-0x000000000543C000-memory.dmp

    Filesize

    304KB

    Download