Overview

overview

10

Static

static

3

7903417a44...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 06:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7903417a4425e5f819fdca4ddb5a4ae0_NeikiAnalytics.exe

  • Size

    479KB

  • MD5

    7903417a4425e5f819fdca4ddb5a4ae0

  • SHA1

    42be90bb5600574abb0b37113b65b32d6388b7ff

  • SHA256

    aee53fccee33b73dab9491356e6eb50d71b3b380ca589b649b6ec63ff792c3da

  • SHA512

    11fff0808094ce693e9af5c1f3544f8efad57f5014959329a41d5d76ff92f9be45a3963b9307cfa829694d743f86b1c56f342b38f4f52d5f602339e5bca05fbf

  • SSDEEP

    12288:qMrSy90q5EwvocAm820Gfl6pleAG/R/7hhVecnO:syMuocdMy8Hel/R/7hJO

Score
10/10
healerredlinedivandropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

divan

C2

217.196.96.102:4132

Attributes
  • auth_value

    b414986bebd7f5a3ec9aee0341b8e769

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7903417a4425e5f819fdca4ddb5a4ae0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7903417a4425e5f819fdca4ddb5a4ae0_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3225558.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3225558.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4256
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8186776.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8186776.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2012
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4676310.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4676310.exe
        3⤵
        • Executes dropped EXE
        PID:3284
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4744,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
    1⤵
      PID:4436

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    3
    T1112

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3225558.exe
      Filesize

      307KB

      MD5

      4e3028d73450917c9d4202d11f59af5e

      SHA1

      9c454cfb375b12c6facdb030ca7a694a3361dd9e

      SHA256

      9d5d42852e8fc887bdcdeb449a1a01182991239cc10c886cc2cccd626ad6091c

      SHA512

      0b9b8192d02cc807a4ae129c358977b8c1c646309cdf0ca9d32562b68efd4f77c341d30e5027f0df802602d2156f8098bf9349c03afda31a443003bb4d28bdf7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8186776.exe
      Filesize

      181KB

      MD5

      d6a2a942efe90705be2ea8b373152592

      SHA1

      ac53b99a209b41ff2dfd8557b5abd22443ebcc1f

      SHA256

      26d09c7f5bb7eeaa5f1ceebdbf8092069a4957d25ce706e134db5533c35ba92f

      SHA512

      a9024620f7165fba326bcd087435ffad0e65ec7dc010c74fc79a69119db47ad070efd8c8e58496711d56bda26d06cea4b89279e7fa2a9bfe3615292552104220

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4676310.exe
      Filesize

      168KB

      MD5

      8a600b97912d60d7eefcb10006627b0a

      SHA1

      eaf4f0a0415ed7d43aae737cf3e54fd5a8e0ce7d

      SHA256

      ce85782c43c4f981523a26f465705bf3481afc481cdf85cc17a55d1c4e463ff8

      SHA512

      5b33a53d0c7fda35fcc9c92d87819f7f83d0ce367b91cdca1a437fa5bc0354f1195d2d0044ae155ab4852ef600879442c57abf90481d5d43830891023302aa0b

      Download Submit
    • memory/2012-31-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-17-0x0000000004B50000-0x00000000050F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2012-27-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-18-0x0000000002630000-0x0000000002648000-memory.dmp
      Filesize

      96KB

      Download
    • memory/2012-19-0x0000000074430000-0x0000000074BE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2012-47-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-45-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-43-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-41-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-39-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-37-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-35-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-33-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-15-0x0000000002460000-0x000000000247A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2012-29-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-16-0x0000000074430000-0x0000000074BE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2012-25-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-23-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-21-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-20-0x0000000002630000-0x0000000002642000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2012-48-0x0000000074430000-0x0000000074BE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2012-50-0x0000000074430000-0x0000000074BE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2012-14-0x000000007443E000-0x000000007443F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3284-54-0x0000000000520000-0x000000000054E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3284-55-0x00000000028A0000-0x00000000028A6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3284-56-0x0000000005670000-0x0000000005C88000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3284-57-0x0000000005160000-0x000000000526A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3284-58-0x0000000004ED0000-0x0000000004EE2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3284-59-0x0000000005050000-0x000000000508C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3284-60-0x0000000005090000-0x00000000050DC000-memory.dmp
      Filesize

      304KB

      Download