healer | 9e6840bd3bfa0c2d9dfc16193a3b67abf16bf84ffe374e1276540d1b8f3dd9fc

General

Target

0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe
Size

539KB
MD5

0a62172ecf9e400da1d1e36aec9ad750
SHA1

be2da4c89ce1379381587b261cb128b2dfbd05ea
SHA256

9e6840bd3bfa0c2d9dfc16193a3b67abf16bf84ffe374e1276540d1b8f3dd9fc
SHA512

e1006419e103d629277090c24d892efb8e60304bbc578266dd8ee87a1d13f437ebca5e4a872b28f20124efc9c16873e0caecedea685a8ce084213507be25b215
SSDEEP

12288:FQCy90Yh85xXh8uOm0i8TmUSMYPOsjmMrTF3VHp7:3y3h4tOGPOsjxF/

Score

10^/10

healer redline down dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr843883.exe	healer
behavioral1/memory/4688-14-0x0000000000100000-0x000000000010A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr843883.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr843883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr843883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr843883.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr843883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr843883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr843883.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4548-21-0x00000000049B0000-0x00000000049F6000-memory.dmp	family_redline
behavioral1/memory/4548-23-0x00000000072B0000-0x00000000072F4000-memory.dmp	family_redline
behavioral1/memory/4548-27-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-33-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-31-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-29-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-61-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-51-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-41-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-25-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-24-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-37-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-87-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-85-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-83-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-81-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-79-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-77-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-75-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-73-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-71-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-69-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-67-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-65-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-63-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-59-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-57-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-55-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-53-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-49-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-47-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-45-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-43-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-39-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline
behavioral1/memory/4548-35-0x00000000072B0000-0x00000000072EE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

zioS8112.exejr843883.exeku603074.exe

pid process

2164 zioS8112.exe
4688 jr843883.exe
4548 ku603074.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr843883.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr843883.exe

pid	process
2164	zioS8112.exe
4688	jr843883.exe
4548	ku603074.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr843883.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exezioS8112.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zioS8112.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr843883.exe

pid process

4688 jr843883.exe
4688 jr843883.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr843883.exeku603074.exe

description pid process

Token: SeDebugPrivilege 4688 jr843883.exe
Token: SeDebugPrivilege 4548 ku603074.exe

pid	process
4688	jr843883.exe
4688	jr843883.exe

description	pid	process
Token: SeDebugPrivilege	4688	jr843883.exe
Token: SeDebugPrivilege	4548	ku603074.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exezioS8112.exe

description	pid	process	target process
PID 1696 wrote to memory of 2164	1696	0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe	zioS8112.exe
PID 1696 wrote to memory of 2164	1696	0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe	zioS8112.exe
PID 1696 wrote to memory of 2164	1696	0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe	zioS8112.exe
PID 2164 wrote to memory of 4688	2164	zioS8112.exe	jr843883.exe
PID 2164 wrote to memory of 4688	2164	zioS8112.exe	jr843883.exe
PID 2164 wrote to memory of 4548	2164	zioS8112.exe	ku603074.exe
PID 2164 wrote to memory of 4548	2164	zioS8112.exe	ku603074.exe
PID 2164 wrote to memory of 4548	2164	zioS8112.exe	ku603074.exe

C:\Users\Admin\AppData\Local\Temp\0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a62172ecf9e400da1d1e36aec9ad750_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioS8112.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioS8112.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr843883.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr843883.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku603074.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku603074.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Impair Defenses

2

T1562

Disable or Modify Tools

2

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioS8112.exe
Filesize
396KB

MD5
c7862c80a78bedc7318792a04865087f

SHA1
7f8b619d60ac89da3d212db71a0753d4bc0b3cf0

SHA256
8402d3c51804699a1dad4e6f5cfcea8aa91cdc812c0ec0ed944641a655a4dcdb

SHA512
da92687f4ba21a7a40daced52fea13c5219eedbb39859120c76b87c367df1256d6858af7312e8e32376415b432432aaa20169c5679b319a8f3a5d2d44798d59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr843883.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku603074.exe
Filesize
355KB

MD5
3ec1f598da845cd62d13f4e94d836892

SHA1
a7e298c415a068e7b0f5ec114e7066ef883ed31d

SHA256
73b52cf52d7a8813ab1e45d686ceb741944df779ebcec5916c8bb97d03365798

SHA512
bbd3f0e6d9af08f0a6bc245653144fdea533ca8b1cff912413142e9e8cf4444e058796ddfa87fa9742f2ea50fc9e3ab4e1205ecb8e35f2e9a1e5f4dff349cb25

Download Submit
memory/4548-79-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-22-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/4548-21-0x00000000049B0000-0x00000000049F6000-memory.dmp

Filesize
280KB

Download
memory/4548-75-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-23-0x00000000072B0000-0x00000000072F4000-memory.dmp

Filesize
272KB

Download
memory/4548-27-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-33-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-31-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-29-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-61-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-51-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-41-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-25-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-24-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-37-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-73-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-85-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-83-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-81-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-934-0x0000000008250000-0x000000000829C000-memory.dmp

Filesize
304KB

Download
memory/4548-933-0x0000000008100000-0x000000000813C000-memory.dmp

Filesize
240KB

Download
memory/4548-77-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-87-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-71-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-69-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-67-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-65-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-63-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-59-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-57-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-55-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-53-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-49-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-47-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-45-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-43-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-39-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-35-0x00000000072B0000-0x00000000072EE000-memory.dmp

Filesize
248KB

Download
memory/4548-930-0x0000000007900000-0x0000000007F18000-memory.dmp

Filesize
6.1MB

Download
memory/4548-931-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/4548-932-0x00000000080E0000-0x00000000080F2000-memory.dmp

Filesize
72KB

Download
memory/4688-15-0x00007FFF0B0E3000-0x00007FFF0B0E5000-memory.dmp

Filesize
8KB

Download
memory/4688-14-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads