Overview

overview

10

Static

static

3

cf3320221e...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 05:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf3320221ed9b81224deb31fcaf64160_NeikiAnalytics.exe

  • Size

    655KB

  • MD5

    cf3320221ed9b81224deb31fcaf64160

  • SHA1

    0fc69b12124b3ae5d1ba4bb9033457055d59921e

  • SHA256

    9df6082404ab208613d4c6bc98abe20a5a288afdc5a5f64e73e97aa7582b2046

  • SHA512

    77bf9703a106e551daca2e00a5b777d7cde8c184435089aee7c3ed91270a3f0f21ec263184320b7e498b879d5fe1bdc5f6c5364e28be4a99329221a47203ffa4

  • SSDEEP

    12288:GMrVy90wCyK1ROhK/1D1wqKtGnf3dsNKI/LX5qI7X2guZGS:fyfFK14MxGqK0nyKI/LJ1mguoS

Score
10/10
healerredlinenormdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.68.70:19073

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf3320221ed9b81224deb31fcaf64160_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\cf3320221ed9b81224deb31fcaf64160_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2998302.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2998302.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7387576.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7387576.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4292
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6524421.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6524421.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1376
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8487911.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8487911.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4644
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3835868.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3835868.exe
        3⤵
        • Executes dropped EXE
        PID:1428
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2998302.exe
    Filesize

    554KB

    MD5

    7d7b5fc32838e3cd45406d65571bc325

    SHA1

    0cb4d0fa3e2f6c5f83a85dde80d2e76c4c3a4c2a

    SHA256

    2cd233229a9435cb1b62c60b696f3fe0cc1320db7a32760eb5c90760b452b20f

    SHA512

    a02551f0b309fe061f40d366c6a7c778abcd01757c93be5a2edb416d1b4cc42abc2c2d86d87cc55fbcc199876dd98acb2240fec7b21ff88358a6eccfa2806ca2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3835868.exe
    Filesize

    1.3MB

    MD5

    d12a0e04daceab1545e1e8c80fa3371e

    SHA1

    562b15ba7852efbfd005b38e678b8b5691e7c379

    SHA256

    dee46c10e2f544fa895018a1e6618395b8880db24fc09d4394be131e84a78092

    SHA512

    e0e3d85614cdf4d5b355a682c81141ed49c38e0f8b45946a5340453374036e26e6244e005555985d8447790f2a21c0ac2e936abe39aabc90b657ccd2355be130

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7387576.exe
    Filesize

    220KB

    MD5

    184e66554a67b0f56d8ecf58cf0b33db

    SHA1

    918bb3942c123d47c4617ae1105e4f1e77f5eea3

    SHA256

    b95a1d1bcbb131aaab708a8a3a008d8f811def68d18c38e91dda6357c9e413fb

    SHA512

    b29eb1901cf67ae0f66d9ee13045801ab088ca14357a036a3db35093c0a9488a5c57576bc579825aa6d790d277d93ab0a6feaa320bef157fd2ea942f1e8924d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6524421.exe
    Filesize

    185KB

    MD5

    12ba06d6decae4a437d33442070aa83b

    SHA1

    745a62e354bd089f89e178efc4d83cfd87624c01

    SHA256

    9f144d453db3b03dff17709047da8300cdec5b000cf7f610cb88971e69281bd7

    SHA512

    c5c45dcaad75afc9cff59afeb01eb600ab59dfdc7567e02524aa1432ee200c8e4b5cc83c816da0ac5e8f1c865c37bae8f52cacb905b8a25105190a157a573904

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8487911.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/1376-21-0x0000000000500000-0x000000000050A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1376-25-0x0000000000410000-0x0000000000425000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1428-36-0x0000000000630000-0x0000000000660000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1428-41-0x0000000004A20000-0x0000000004A26000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1428-42-0x000000000A6C0000-0x000000000ACD8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1428-43-0x000000000A120000-0x000000000A22A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1428-44-0x000000000A260000-0x000000000A272000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1428-45-0x000000000A280000-0x000000000A2BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1428-46-0x0000000004550000-0x000000000459C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4644-31-0x00000000009B0000-0x00000000009BA000-memory.dmp

    Filesize

    40KB

    Download