Overview

overview

10

Static

static

3

6063d6416f...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 02:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6063d6416f5d32fef626bef67d953880_NeikiAnalytics.exe

  • Size

    706KB

  • MD5

    6063d6416f5d32fef626bef67d953880

  • SHA1

    dfa3ec3089bf946de3670331787d36e6d4bf9d90

  • SHA256

    d9e8eb988cb030034b6748c52927764a8f251a4ed39c62639b0d9b30f35ca90b

  • SHA512

    86456e38cc6ff3ba70bd5140147cf63fce89d990c8b8cfcaeccca73ce391188feb274ab55c878ca080226b73d4f179871a13e317fd2df3394c70092da28b4542

  • SSDEEP

    12288:xr/y90QTV3zN0uER7O7RUENY3jlCx+O+JUPizryXMQ9:By5TV3zu8qBlQ+ZUPizmcQ9

Score
10/10
healerredlinenormdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.68.70:19073

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6063d6416f5d32fef626bef67d953880_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6063d6416f5d32fef626bef67d953880_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8882248.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8882248.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2489887.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2489887.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4883016.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4883016.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4308
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8547838.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8547838.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4844
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7120036.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7120036.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4196
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6578523.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6578523.exe
          4⤵
          • Executes dropped EXE
          PID:2328
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8882248.exe
    Filesize

    529KB

    MD5

    609e798c25afc35ea61beda17d97db52

    SHA1

    87ebd63ef3cde5bb1402edb84eac6aa05224e108

    SHA256

    3eb00ad8259cdcfe0cd6e8aa81162312027a9a4220ee2022ac3af92cf49f56bb

    SHA512

    6375295bcc114f5bd943ad84227c69de8c610b91bf6f5bfbf8b7e19e59b7469bd0300ca56cb1403ce6eaad3a53f59cd8be34f3a137083bad1eadc46492276dcc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2489887.exe
    Filesize

    405KB

    MD5

    75f0e9dfc4c5d3856bd1f9582b6787af

    SHA1

    de1c59d4d54e0c194cb2eaf4ca9e3064ac5b55c9

    SHA256

    8c369ea8762078104f0ed6c7edc449c4c4e58b32fbe0b9538cf540ddcbd09f52

    SHA512

    81739139ba6d7e0f218f2fddbf500ee03804d9dd1a5f930d3cb5a0fb1144fabee48fbbe27f0443dde77196f788a70999c2d4aa8baf51f879253044a945fcec9a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6578523.exe
    Filesize

    266KB

    MD5

    b4ea1ca8aec2e8f0cd17fa5a6135c416

    SHA1

    e1af24824b7be9a4ebf8d208085e47cec78d983a

    SHA256

    27e99bec73fc58be6a10902c415273ad349eee401ae68e9f85cbd7cfb16697e9

    SHA512

    89622f24ef5fcdda9af9175dd17813fb40e8f2aa70052c566c5c3b034846cfab1d7217d5b124009332bd6bbc0786a2af2bd7bc5cc37c51b43630340830a1ef8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4883016.exe
    Filesize

    201KB

    MD5

    adcd00b059d17622a9cf6067604e81f0

    SHA1

    2db3d3eee9b17d89b09806635180691fb4c68054

    SHA256

    d733674c4736710fc07825705e22940e52c8587af8493f78b397ba99b0c1b813

    SHA512

    76b363b60d67d579879ae7e478477ed1eca4a4f79b650aaee1d4b912d98eb8814a69533e6394ce1f65087ef42de3a80049e5d078539a5cd35887dbed256a60c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8547838.exe
    Filesize

    104KB

    MD5

    876705a778615caf71bcf084f453fbc1

    SHA1

    7b85db33e41ce38862fe0a20d97ef955a4653eee

    SHA256

    f3888824a419fccce8b8c73328ad281a4e62c2a7fc70654ba2c2aa363e753134

    SHA512

    59b8790f13fe56090025f2ea4a279be51272558d546e4800d59df12e702224688e37fa7fc433c2377187800dfd343fc2e7a4c8e3c4a42e697c8a3156b06da242

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7120036.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/2328-49-0x0000000005150000-0x000000000525A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2328-42-0x0000000000450000-0x0000000000480000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2328-47-0x0000000004A60000-0x0000000004A66000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2328-48-0x0000000004B30000-0x0000000005148000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2328-50-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2328-51-0x0000000005260000-0x000000000529C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2328-52-0x00000000052E0000-0x000000000532C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4196-37-0x0000000000210000-0x000000000021A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4844-28-0x00000000004F0000-0x00000000004FA000-memory.dmp

    Filesize

    40KB

    Download