Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 03:47
Static task: static1
Behavioral task: behavioral1
Sample: 6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
Resource: win7-20240419-en
General
Target: 6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
Size: 855KB
MD5: 6930cffe3d9c4fcb467cd4be91e865b0
SHA1: 6a96e61ec3ce3b25150adad642d5b0aac034041b
SHA256: e958c060aeac484632b20e3e4dc93af45eb61f483ced432778ddfc5ec9acd552
SHA512: 5b27fe5294533d32f07a3c8c2134fdc481b13d069b819b4cf999f2cc3e5845bba2dd85023e82cfe90ba1311ea3d9a6d8f3491f6f27ed0c9c911d22f53746e42a
SSDEEP: 24576:vxLsMs8WdDP89WPncPKXCTu/wJUHIXX4u5:tsldI9WPcyQcIX4A
Malware Config
Extracted
redline
cheat
185.222.58.55:55615
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 5 IoCs
Processes (resource / yara_rule):
behavioral1/memory/2588-33-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2588-36-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2588-31-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2588-40-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/2588-38-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline

SectopRAT payload 5 IoCs
Processes (resource / yara_rule):
behavioral1/memory/2588-33-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2588-36-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2588-31-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2588-40-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/2588-38-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Executes dropped EXE 2 IoCs
Processes (pid / process):
2680  PO.exe
2588  PO.exe

Loads dropped DLL 5 IoCs
Processes (pid / process):
1148  6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
1148  6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
1148  6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
1148  6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
2680  PO.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
PID 2680 set thread context of 2588  2680  PO.exe  PO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies system certificate store
Processes (description / ioc / process):
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  PO.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [value not present in source]  PO.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13  PO.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510  PO.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes (pid / process):
2680  PO.exe
2680  PO.exe
2680  PO.exe
2680  PO.exe
2540  powershell.exe
2588  PO.exe
2588  PO.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description / pid / process):
Token: SeDebugPrivilege  2680  PO.exe
Token: SeDebugPrivilege  2588  PO.exe
Token: SeDebugPrivilege  2540  powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid / process):
1256  DllHost.exe

Suspicious use of WriteProcessMemory 17 IoCs
Processes (description / pid / process / target process):
PID 1148 wrote to memory of 2680  1148  6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe  PO.exe
PID 1148 wrote to memory of 2680  1148  6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe  PO.exe
PID 1148 wrote to memory of 2680  1148  6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe  PO.exe
PID 1148 wrote to memory of 2680  1148  6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe  PO.exe
PID 2680 wrote to memory of 2540  2680  PO.exe  powershell.exe
PID 2680 wrote to memory of 2540  2680  PO.exe  powershell.exe
PID 2680 wrote to memory of 2540  2680  PO.exe  powershell.exe
PID 2680 wrote to memory of 2540  2680  PO.exe  powershell.exe
PID 2680 wrote to memory of 2588  2680  PO.exe  PO.exe
PID 2680 wrote to memory of 2588  2680  PO.exe  PO.exe
PID 2680 wrote to memory of 2588  2680  PO.exe  PO.exe
PID 2680 wrote to memory of 2588  2680  PO.exe  PO.exe
PID 2680 wrote to memory of 2588  2680  PO.exe  PO.exe
PID 2680 wrote to memory of 2588  2680  PO.exe  PO.exe
PID 2680 wrote to memory of 2588  2680  PO.exe  PO.exe
PID 2680 wrote to memory of 2588  2680  PO.exe  PO.exe
PID 2680 wrote to memory of 2588  2680  PO.exe  PO.exe
Processes

C:\Users\Admin\AppData\Local\Temp\6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6930cffe3d9c4fcb467cd4be91e865b0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1148

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2680

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2540

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      - Executes dropped EXE
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2588

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
  PID: 1256
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\Cab628C.tmp
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
Filesize: 83KB
MD5: 016025125f3b479aaabf8a4246073856
SHA1: 123cf64214f2ba96dedc076d388ddf60d2ec5ce5
SHA256: 39f3195908d56ee6d4d0f6484c913bbb268e934121856c590b397bbf7a3573ca
SHA512: 4c83f010593e2ec86de367653a0c03aad7a41d1a7f6e26e302666ee81b6f4f4841e3395a026856e35ba9d092ef530af0756b4adb13e944dd7a0d5d5b64ddc62b

C:\Users\Admin\AppData\Local\Temp\Tar62DD.tmp
Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\tmp64FF.tmp
Filesize: 46KB
MD5: 02d2c46697e3714e49f46b680b9a6b83
SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp6514.tmp
Filesize: 92KB
MD5: b62ac03881848df6115ec34b7e71e829
SHA1: dd6a9fbe6ae809269c02165027eeb373f7734460
SHA256: 9870a75eee4a9c3b6b69f11a92b3a821f7026175483855497956d27bba9993d5
SHA512: 5257b9e3b6dc0022144bf5be29a4ce3a836af7b4ed83dc19d4c69bc677bcf87e417737ff97742a128d35bb4ddd1c4ef80f4dd4ed656cad3cdccd753fc1e3c3aa

\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
Filesize: 553KB
MD5: 9093edf1e63b2b7ef4902d23edcc9d7e
SHA1: 122d585a2a769760854021aa9644e361e88a0e93
SHA256: 6fecc3fa2e33a161f2b9770322e998d7d4836202e8ad9c53c38f10673f718f4f
SHA512: 4c58ae5bac5a4d037be0bcefb7dcde358c8ed97feeaad07258b46700f71ea136f1adfe5b9e6c0d16c52be84a503a2dfb2e0970fd53cbb84b035175d1b21a7f10

Memory dumps (resource / Filesize):
memory/1148-4-0x0000000002580000-0x0000000002582000-memory.dmp  8KB
memory/1256-5-0x00000000001B0000-0x00000000001B2000-memory.dmp  8KB
memory/1256-6-0x0000000000430000-0x0000000000431000-memory.dmp  4KB
memory/1256-184-0x0000000000430000-0x0000000000431000-memory.dmp  4KB
memory/2588-33-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
memory/2588-36-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
memory/2588-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
memory/2588-31-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
memory/2588-29-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
memory/2588-40-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
memory/2588-38-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
memory/2588-27-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
memory/2680-25-0x0000000000E80000-0x0000000000EE0000-memory.dmp  384KB
memory/2680-24-0x0000000000A00000-0x0000000000A10000-memory.dmp  64KB
memory/2680-23-0x0000000000550000-0x000000000056E000-memory.dmp  120KB
memory/2680-21-0x0000000001150000-0x00000000011DC000-memory.dmp  560KB