Analysis

Max time kernel: 142s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-05-2024 22:01

Static task: static1
Behavioral task: behavioral1
Sample: 062463e1ffe4cfd9712e423045b47d10_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General

Target: 062463e1ffe4cfd9712e423045b47d10_NeikiAnalytics.exe
Size: 730KB
MD5: 062463e1ffe4cfd9712e423045b47d10
SHA1: e9b4d896aa5b7b5d353c5a168a40907d91b369d2
SHA256: 6053f77fbc3437a24bced00d99fc4a31a3ef156c3435ad2ab0804365ef325e2f
SHA512: edf30f18ae3d41cbf8ae2d325b263e9dbcac0f88f01cddf2aeb111ee13f223dc6fde6d775942bb61a8a5f905a5acedbd4ad69b72b97a46bee6a5ebc89fc1ec5e
SSDEEP: 12288:iGly90f38fld3mFxtNdCRC8NlCecJtoH1nQr+3qKhFX4B:FyLR8LzCRC8NlgoHK+d/Xa
Malware Config

Extracted
Family: redline
Botnet: furga
C2: 83.97.73.128:19071
auth_value: 1b7af6db7a79a3475798fcf494818be7
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource                                                                     yara_rule
behavioral1/memory/3264-22-0x0000000000550000-0x0000000000580000-memory.dmp  family_redline

Executes dropped EXE (3 IoCs)
pid   process
4652  x4922948.exe
4088  x9350389.exe
3264  f9323499.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
process / description / ioc:
x9350389.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
062463e1ffe4cfd9712e423045b47d10_NeikiAnalytics.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
x4922948.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Note: RunOnce values named wextract_cleanupN that call advpack.dll DelNodeRunDLL32 on an IXP00N.TMP folder are the standard self-cleanup entries written by Windows' IExpress/wextract self-extracting packages; they delete the extraction folder at the next logon rather than relaunching the payload, so this signature indicates three nested self-extracting stages, not a persistence mechanism by itself.
Suspicious use of WriteProcessMemory (9 IoCs)
pid   process                                              target pid  target process
1804  062463e1ffe4cfd9712e423045b47d10_NeikiAnalytics.exe  4652        x4922948.exe  (PID 1804 wrote to memory of 4652; reported 3 times)
4652  x4922948.exe                                         4088        x9350389.exe  (PID 4652 wrote to memory of 4088; reported 3 times)
4088  x9350389.exe                                         3264        f9323499.exe  (PID 4088 wrote to memory of 3264; reported 3 times)
Processes
(bracketed numbers give the depth of each process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\062463e1ffe4cfd9712e423045b47d10_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\062463e1ffe4cfd9712e423045b47d10_NeikiAnalytics.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4922948.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4922948.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9350389.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9350389.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9323499.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9323499.exe
                - Executes dropped EXE

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4922948.exe
  Filesize: 466KB
  MD5: 683807fdef25b9739ece7904545e73e5
  SHA1: f176e92fe53ff9e7ab42a080b19183ceaff197c5
  SHA256: e5f87e9065879a2d1f778d78cf55886abbc485038db5cb4d60055520d6139806
  SHA512: caad43b6397349dc33798e0298e45dc31a47fc8392a8920d88fa17bf7930e7ccccc831a783c180f7af24855203f1da28f3d18f9d0b50f928501804f317097a94

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9350389.exe
  Filesize: 365KB
  MD5: fa08c44ddbd84b2062a8950d500596a4
  SHA1: cca5b669d8ccc966061b26c1dcf4e34f57ee1afe
  SHA256: 2dd16a87536e2bc325804807b1a023e095e9b79b291d64e26cd2c527086df373
  SHA512: 686391022840a492e4647f7f7de32e54f1ea2bcedc6046dab35b899c67078cf90436140972e71d4cb2af7d120c1d4380605d93a75d9b364aea150433d16d2b1d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9323499.exe
  Filesize: 402KB
  MD5: 78ecb6e45f84bb181cfb5a4cd5882087
  SHA1: 46a0f62171c05a795e08a0a3f3e3736ed285ae99
  SHA256: 876479e53dfd62bcae06a167e093c77035eb8fa8fa78636b987ccc441c0389de
  SHA512: 5c53895257ef865fc6cde79b9cd15010927fc9eca1169b2536abcc374e772d06629b0b8a185c10ad64f452126cdfa9e162997a0a0ae6394c0d70d57c5e2fce9b

Memory dumps (process 3264, f9323499.exe):
  memory/3264-21-0x0000000000401000-0x0000000000404000-memory.dmp  Filesize: 12KB
  memory/3264-22-0x0000000000550000-0x0000000000580000-memory.dmp  Filesize: 192KB
  memory/3264-26-0x0000000004BC0000-0x0000000004BC6000-memory.dmp  Filesize: 24KB
  memory/3264-27-0x000000000A5D0000-0x000000000ABE8000-memory.dmp  Filesize: 6.1MB
  memory/3264-28-0x000000000A040000-0x000000000A14A000-memory.dmp  Filesize: 1.0MB
  memory/3264-29-0x000000000A180000-0x000000000A192000-memory.dmp  Filesize: 72KB
  memory/3264-30-0x000000000A1A0000-0x000000000A1DC000-memory.dmp  Filesize: 240KB
  memory/3264-31-0x000000000A340000-0x000000000A38C000-memory.dmp  Filesize: 304KB