Overview

overview

10

Static

static

3

0cee8ba7eb...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cee8ba7ebe22f9e45da5b130fd57210_NeikiAnalytics.exe

  • Size

    568KB

  • MD5

    0cee8ba7ebe22f9e45da5b130fd57210

  • SHA1

    11351194dcd814daf82f5ea98cc362e715269998

  • SHA256

    2098d3a237e922ea2dabca27bb086df0422c045eaf30e605be9524cc2ceb8101

  • SHA512

    3097c35ab6a0228d94f602f4ee65ee2b30c8ec6e04e7b1ea7aa200eb8549d23e8ce2df6c938bf46be43a5d7daf58da908822c9ed8ab3f51a910a1d7e86e2a01d

  • SSDEEP

    12288:fy908ASadIwc0uwikZOTeP8FmhXmNQ8v5efKzMXwxmyRs:fyaRdIwBuxkPfXmifKqwxzs

Score
10/10
healerredlinedropperevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cee8ba7ebe22f9e45da5b130fd57210_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0cee8ba7ebe22f9e45da5b130fd57210_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4160
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibu2400.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibu2400.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it332222.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it332222.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4304
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr402871.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr402871.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibu2400.exe
    Filesize

    414KB

    MD5

    7490ecaa9683efcffe328569b65893d5

    SHA1

    0c14133a6ddea0466becc88a12bbdc7a46cd8f0c

    SHA256

    6a11bc68178776c7677bf458ef7cf339a8deda96dff9c2b2add8b56f626ff3c0

    SHA512

    db9ce79333e8743048e1ed167bd9e4622439350a0371941e03ded2ab5af9048c18a8deeadda5a729b2b492484926e27bf87a1ab6c74fdbe3b8248a82b1df67c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it332222.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr402871.exe
    Filesize

    359KB

    MD5

    0e4772a83c880e93e07b0fc0f63d2599

    SHA1

    1ec4b130806580e95d151392c08b92e09c7f94e0

    SHA256

    336c0234af56f0178a5618f3efd74f4b77e25450db688c8da60409df2ff57765

    SHA512

    dc87177866af60978d1ad49b4ea04079cd503c8db05d80d8ca503955906bdd64234ca6c456ed22a7edb2e2f575c1f080add1e8306e8a06d0424543c9de3ca5bb

    Download Submit

  • memory/1244-69-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-22-0x00000000073C0000-0x0000000007964000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1244-21-0x0000000004A10000-0x0000000004A4C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1244-65-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-23-0x0000000007200000-0x000000000723A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1244-29-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-35-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-87-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-85-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-81-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-79-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-77-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-819-0x000000000A480000-0x000000000A4BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1244-818-0x000000000A370000-0x000000000A47A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1244-817-0x000000000A350000-0x000000000A362000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1244-63-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-75-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-73-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-71-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-24-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-25-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-820-0x0000000004B70000-0x0000000004BBC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1244-816-0x0000000009CF0000-0x000000000A308000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1244-61-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-59-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-57-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-55-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-53-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-51-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-49-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-47-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-45-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-41-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-39-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-37-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-33-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-31-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-83-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-67-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-43-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1244-27-0x0000000007200000-0x0000000007235000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4304-14-0x0000000000640000-0x000000000064A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4304-15-0x00007FFE30CA3000-0x00007FFE30CA5000-memory.dmp

    Filesize

    8KB

    Download