Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-05-2024 03:52

General

  • Target

    1da52a515fcdb048ad76d7864464cfb0_NeikiAnalytics.exe

  • Size

    1.3MB

  • MD5

    1da52a515fcdb048ad76d7864464cfb0

  • SHA1

    e473f6794205d1deb62b752a3fc6ab1ee2b117ae

  • SHA256

    aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6

  • SHA512

    a2b3123a6f2693a9d5ebff9c23949cdd342ddf34e534c88a99e5e178cbb35d2e20e7dc79d61b2ededbde0a65bb04f06a4ef363842d60e06f05b8b2b92f581d40

  • SSDEEP

    24576:HyDpyG2BdeCmEa6MW0uUCfd5J45NAxLzlN/8C5Z23cHYKWKMxHbE1X9lr4:SmYCfMWDUskNoXM534YqMuB

Malware Config

Extracted

Family

redline

Botnet

trush

C2

77.91.124.82:19071

Attributes
  • auth_value

    c13814867cde8193679cd0cad2d774be

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1da52a515fcdb048ad76d7864464cfb0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1da52a515fcdb048ad76d7864464cfb0_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5832951.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5832951.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2254232.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2254232.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8380457.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8380457.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:556
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6776859.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6776859.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2168
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4942427.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4942427.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2164
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
                PID:4204
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 556
                6⤵
                • Program crash
                PID:1644
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5470569.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5470569.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1624
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
              • Checks SCSI registry key(s)
              PID:2216
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 136
              5⤵
              • Program crash
              PID:3496
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4457621.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4457621.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3200
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:808
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 148
              4⤵
              • Program crash
              PID:3412
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8864796.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8864796.exe
          2⤵
          • Executes dropped EXE
          PID:1976
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2164 -ip 2164
    1⤵
    PID:4620
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1624 -ip 1624
    1⤵
    PID:1384
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3200 -ip 3200
    1⤵
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8864796.exe

              Filesize

              17KB

              MD5

              de9367f72e48f43edc2f1979ace7a2bc

              SHA1

              5219e61d941a421315e32eabc7ac9c3944f80181

              SHA256

              c7b26d2ebb210eca38eed90eefe474b254f53dca6496fd044a87ccfe7bbe6c86

              SHA512

              7a3d286cae4bb3816dd1af0bb46ea6591568c28ca8cee0eb5aeb1caafb6886476183159041d367201077d8ab2d22be827af5e95ca39eedb457e01ba9be4c768e

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5832951.exe

              Filesize

              1.2MB

              MD5

              eb4f12e3eb5a61a3cc43c606b04e85fb

              SHA1

              2955eac7466e41dfb9d70ccb708eab600b1b2d9a

              SHA256

              be58893697215a2384e1b6d915971e46a6506757718ff8d92be24e4c043f119e

              SHA512

              82ee482088c38ca825ce89a41a10fa17be3664a8856f2897a7588a4d2e69030b19bc7003062599158c988d890308688dd2ed82a41b70aafaf51a67f17b2146c8

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4457621.exe

              Filesize

              1.0MB

              MD5

              1b30e2b46651a132dce68651e98312de

              SHA1

              f98fe544db67756111c5f49dfce5ee748a933c61

              SHA256

              1374fb694ed022d7cc221b2bdab447cb28368914ad2e0715c663de26001fe541

              SHA512

              bba3099f9d12ba4f1e5c2513bb2cbb918b170e678f536ad21f6e8e7f127cc35082a2394957d4d3c7311a80b56c59c3c0ee1db158fac4f79e1f60bd5bb84b3ffb

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2254232.exe

              Filesize

              835KB

              MD5

              77da02fd3836daf3a716b5f15188c8a6

              SHA1

              644abdb953e857a803ad5d7edc9a2f25949cac92

              SHA256

              01888d19433a22cf8d9fb00c2617568e9423878c9a189e2f8fc8ea51b70a90ab

              SHA512

              ae9a1a729178db70ea86ae355f0be777d94f7390473aad2fd5afc4971fbc7198e5a76391b6f406861648c29654855195134bcfdc67f593ef7e372b81def622e1

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5470569.exe

              Filesize

              884KB

              MD5

              f9ebf61a1a4bfd8251d830ce1959b4a3

              SHA1

              b13e8f00d0438f8304c6c1da3549977e0803287e

              SHA256

              20a34a5b3ea0182f831dbc7b48ea03223daeb2afdd3540fcaef6cca6fe2972b9

              SHA512

              00c336e2de833be8d227994644cd2cbcf665d7f36aa93de0647ddc67bb5a80098aadc902ac71d0953dccae2bfb109ec1a6e0d581949833a9346331a3ed732db8

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8380457.exe

              Filesize

              475KB

              MD5

              8414aa5388c54ecc9045c0fc78b7b3bd

              SHA1

              8ca702c68c1b6dd02e8f4759e13e102e91ea23eb

              SHA256

              8bbd0f18ff7becb8601892364ac8a96951b915493898de58e5e9b43c906c814a

              SHA512

              6469e5953798db16ac294588b0febc10af3af74c2fadd006cf6920cc993a6bec77cb91e416f551598671fedf13587550f33600342e18dafa56e838aaa60cbc2c

            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6776859.exe

              Filesize

              11KB

              MD5

              40366aa5d4e7524ca65f8188a6c13b2e

              SHA1

              b5d52afb53bb31d7aea23bd1c89b98820ab8e329

              SHA256

              f34d4e4cb5012c143d25055a9b7a899ddbfbd5e88c6fb3979bb382a3f5b1b69b

              SHA512

              7bffbd6f30f4b0b15cd4e27152e6ec46ad3efc25e3b47318d3e893f6ec7f2336107e03d091660c660e79844e5b49d804b993093b7bd09c726a21d4ff37c977a3

            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4942427.exe

              Filesize

              1.0MB

              MD5

              fc4c90f9a7556f7f9d380000559aa293

              SHA1

              c558b17befdd5747afe5552ff0676f15299efe44

              SHA256

              5d2f8086eaf672566d2b7950b0681773ba7568b742e4d6c05657af9192b103ac

              SHA512

              f4f9ef3694fef80e5702d1a97b8bd6d335c6042998ad51267c67a13b40901613001971d9b0379e0ae8da7f47808db7ca7d617d04979b0d9cd551383c5f6f8082

            • memory/808-49-0x0000000005960000-0x0000000005F78000-memory.dmp

              Filesize

              6.1MB

            • memory/808-44-0x0000000000400000-0x0000000000430000-memory.dmp

              Filesize

              192KB

            • memory/808-45-0x0000000002C80000-0x0000000002C86000-memory.dmp

              Filesize

              24KB

            • memory/808-50-0x0000000005450000-0x000000000555A000-memory.dmp

              Filesize

              1.0MB

            • memory/808-51-0x0000000005210000-0x0000000005222000-memory.dmp

              Filesize

              72KB

            • memory/808-52-0x0000000005380000-0x00000000053BC000-memory.dmp

              Filesize

              240KB

            • memory/808-53-0x00000000053C0000-0x000000000540C000-memory.dmp

              Filesize

              304KB

            • memory/2168-28-0x00000000008B0000-0x00000000008BA000-memory.dmp

              Filesize

              40KB

            • memory/2216-40-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

            • memory/4204-34-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

            • memory/4204-36-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB

            • memory/4204-33-0x0000000000400000-0x000000000042F000-memory.dmp

              Filesize

              188KB