Overview

overview

10

Static

static

3

628a7a19e3...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 03:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    628a7a19e38899e1036ddc0bdf373950_NeikiAnalytics.exe

  • Size

    706KB

  • MD5

    628a7a19e38899e1036ddc0bdf373950

  • SHA1

    fe5d1cf65413543d9772fef9fd716a18aa915bd6

  • SHA256

    35972fee98a4f38b67d5a87e951bf580a50ee6440bd0e902bb6db2a912cb2f61

  • SHA512

    ff189e553abdb451736a837aed4756ec2dc6fee3faee7425e42af6f344b0d110aa90df0258e31d88bf8e2d4e714db4ad99f34a9679dbfbe643d26d4ce30d912c

  • SSDEEP

    12288:nlgy90RtKuBQp78Lh0xO9xt3o1VJW7l8BSp6W7/QOXOMDRXOBJUs5Gu5ZFYo:GymhQ98LXxlQW+BenXfdXOBdhxYo

Score
10/10
healerredlinemuchadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mucha

C2

83.97.73.131:19071

Attributes
  • auth_value

    5d76e123341992ecf110010eb89456f0

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\628a7a19e38899e1036ddc0bdf373950_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\628a7a19e38899e1036ddc0bdf373950_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0170371.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0170371.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:516
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4616307.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4616307.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9386990.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9386990.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2576
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6940729.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6940729.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1490158.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1490158.exe
        3⤵
        • Executes dropped EXE
        PID:1304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0170371.exe
    Filesize

    557KB

    MD5

    46b5b7c85abf260f97eddda6baf3de3c

    SHA1

    1c766db32e62de6a79454aeee8e3dd2e6b5b1746

    SHA256

    81ba9b9ba3789bb6170171170bfa7bca40a2ff48f5fb0d20a5617ccfb42649f0

    SHA512

    dbc0b4983ecd23dc694e3f8eac40a36e373218ad048a4d69ad833ce46bf8cb6402869b0c0f79148c8c0de8ee5f5b4012fd717e8090f13aea0dde5b09df6e5095

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1490158.exe
    Filesize

    1.3MB

    MD5

    3fc9c9464ca4d2a3c85480e8f0f23528

    SHA1

    d2d0169dd8390ee1fbc2072b93e914a303cf404d

    SHA256

    a9a01a19e7bda891a36b7c6a4505cdebf9a20dd514b103c9ccd57f210027d2ce

    SHA512

    d7b74668f9d8b349a33e49173bfd7426854a8676ad5181f108337260b5175bf155b362469a463dd0b601d4e44fd7ad68214747b175105c780ffcdaf783511390

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4616307.exe
    Filesize

    227KB

    MD5

    d76c1328823276625cb5edb5120e65a5

    SHA1

    4b899bf7c5111e0ead2a40bd398b42c49e854ca4

    SHA256

    24a6b7563c52a9e26ad77ee7d2eaa4f133ba62153792c7b85fdf9dc429197f1d

    SHA512

    0cde391b26199a96119389012ac56ecbfbd364a408cb59dbe7aec8af7b7efa45f8f634f4e4efa9542a86630c7bf11cb0f809abc410139926a033fdecde15c3d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9386990.exe
    Filesize

    176KB

    MD5

    211a06e9ae68ced1234252a48696431b

    SHA1

    69950e2ee2fafd177d1a295836713bfd8d18df9c

    SHA256

    0bdca9c84103454e329cfde4e69dc41a0ec0196c078c8fc195b0fa739d2f905d

    SHA512

    b1643ba376075619335b4bdf0d7610aece13b7c9db60eecb508465f97ef3e6a9d5297f9ac8529886efa052cdd8814ac7d4eeab44812f797a1b2dc5fa967ee7eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6940729.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/468-31-0x0000000000410000-0x000000000041A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1304-43-0x0000000009FE0000-0x000000000A0EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1304-36-0x0000000000560000-0x0000000000590000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1304-41-0x00000000024D0000-0x00000000024D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1304-42-0x000000000A5A0000-0x000000000ABB8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1304-44-0x000000000A120000-0x000000000A132000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1304-45-0x000000000A140000-0x000000000A17C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1304-46-0x00000000023D0000-0x000000000241C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2576-22-0x0000000000580000-0x000000000058A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2576-21-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download