Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 22-06-2024 16:21
Static task: static1
Behavioral task: behavioral1
Sample: 02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe
Resource: win10v2004-20240611-en
General
Target: 02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe
Size: 1.3MB
MD5: aa3fac99fe10b1913607e8642620e5e0
SHA1: e807e8de797197cb1a108db0a27e6f5b076fe826
SHA256: 02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c
SHA512: 6fe759e878bf0dd8b3a6fc92cc7020b2ffece699a917a199ecaf9969426d6722b6742a3dd2135c499400df7644950958d7a676ec028d9bb593248ce59d28b555
SSDEEP: 24576:MyfH1Hr7FJB1v40MJFLRMhYQdE+jLb6127tK22kOCmKFPG1c/V:7JnFaZJv4Pljd5KOOCXPw
Malware Config
Extracted
redline
gigant
77.91.124.55:19071
Signatures
Detect Mystic stealer payload (3 IoCs)
resource | yara_rule
behavioral1/memory/4228-21-0x0000000000400000-0x0000000000428000-memory.dmp | mystic_family
behavioral1/memory/4228-22-0x0000000000400000-0x0000000000428000-memory.dmp | mystic_family
behavioral1/memory/4228-24-0x0000000000400000-0x0000000000428000-memory.dmp | mystic_family
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ez461hM.exe | family_redline
behavioral1/memory/4468-28-0x0000000000730000-0x000000000076E000-memory.dmp | family_redline
Executes dropped EXE (4 IoCs)
pid | process
4680 | uZ5wN5rd.exe
384 | EB9OH1GN.exe
3788 | 1Yh76Tc6.exe
4468 | 2Ez461hM.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | uZ5wN5rd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | EB9OH1GN.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 3788 set thread context of 4228 | 3788 | 1Yh76Tc6.exe | AppLaunch.exe
Program crash (1 IoC)
pid | pid_target | process | target process
788 | 3788 | WerFault.exe | 1Yh76Tc6.exe
Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | process | target process
PID 4564 wrote to memory of 4680 | 4564 | 02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe | uZ5wN5rd.exe
PID 4564 wrote to memory of 4680 | 4564 | 02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe | uZ5wN5rd.exe
PID 4564 wrote to memory of 4680 | 4564 | 02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe | uZ5wN5rd.exe
PID 4680 wrote to memory of 384 | 4680 | uZ5wN5rd.exe | EB9OH1GN.exe
PID 4680 wrote to memory of 384 | 4680 | uZ5wN5rd.exe | EB9OH1GN.exe
PID 4680 wrote to memory of 384 | 4680 | uZ5wN5rd.exe | EB9OH1GN.exe
PID 384 wrote to memory of 3788 | 384 | EB9OH1GN.exe | 1Yh76Tc6.exe
PID 384 wrote to memory of 3788 | 384 | EB9OH1GN.exe | 1Yh76Tc6.exe
PID 384 wrote to memory of 3788 | 384 | EB9OH1GN.exe | 1Yh76Tc6.exe
PID 3788 wrote to memory of 4228 | 3788 | 1Yh76Tc6.exe | AppLaunch.exe
PID 3788 wrote to memory of 4228 | 3788 | 1Yh76Tc6.exe | AppLaunch.exe
PID 3788 wrote to memory of 4228 | 3788 | 1Yh76Tc6.exe | AppLaunch.exe
PID 3788 wrote to memory of 4228 | 3788 | 1Yh76Tc6.exe | AppLaunch.exe
PID 3788 wrote to memory of 4228 | 3788 | 1Yh76Tc6.exe | AppLaunch.exe
PID 3788 wrote to memory of 4228 | 3788 | 1Yh76Tc6.exe | AppLaunch.exe
PID 3788 wrote to memory of 4228 | 3788 | 1Yh76Tc6.exe | AppLaunch.exe
PID 3788 wrote to memory of 4228 | 3788 | 1Yh76Tc6.exe | AppLaunch.exe
PID 3788 wrote to memory of 4228 | 3788 | 1Yh76Tc6.exe | AppLaunch.exe
PID 3788 wrote to memory of 4228 | 3788 | 1Yh76Tc6.exe | AppLaunch.exe
PID 384 wrote to memory of 4468 | 384 | EB9OH1GN.exe | 2Ez461hM.exe
PID 384 wrote to memory of 4468 | 384 | EB9OH1GN.exe | 2Ez461hM.exe
PID 384 wrote to memory of 4468 | 384 | EB9OH1GN.exe | 2Ez461hM.exe
Processes (indentation shows the parent/child depth recorded by the sandbox)
[1] C:\Users\Admin\AppData\Local\Temp\02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uZ5wN5rd.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uZ5wN5rd.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EB9OH1GN.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EB9OH1GN.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Yh76Tc6.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Yh76Tc6.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 576
            - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ez461hM.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ez461hM.exe
          - Executes dropped EXE
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3788 -ip 3788
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1444,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=1064 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uZ5wN5rd.exe
Filesize: 821KB
MD5: 63da7aef270377f0bbcf1df9ab46ce7f
SHA1: 77be71e53577278d85fa9372901976396ce45af4
SHA256: 527f79a183950464a38f56fc0b64e02a8adb0c62d720d55f4526e9cef993b21d
SHA512: 64f6a6a46b3b5123698a3a36af0232df929125bba6101dbbf022879bda2625cbd51647ef9cdd691ceae8b334926ddc218ea89cbc9e657f7bd850fa28ac45bd12

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EB9OH1GN.exe
Filesize: 649KB
MD5: 994f4d02b89a901b914132c7a495a752
SHA1: 7b28b6bf88d3581c56ca61554b2ba2c0576735a9
SHA256: 4d201d0845980d1ca8faf591f0045f2f08782ba67539fdd1cfca3f6a5df86af5
SHA512: 61f85b39c7625e97d532625f3025d731129647e0b69cc7921597c2653781affbea28d957b176f6431e5e986bf38bbe6ff0fe34d1e61293ea1a6cc43deda3c56e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Yh76Tc6.exe
Filesize: 1.7MB
MD5: 144dc3c0a5275a93ff86f00b5c61b9ec
SHA1: 784168ab3c4711737656ca13dc4cb59ca267fa45
SHA256: 179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787
SHA512: 9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ez461hM.exe
Filesize: 230KB
MD5: b4fcf4a35a3b751216060844fa10979e
SHA1: 819e03996383b1150b31ed8570b789f4402faa94
SHA256: 6a67aefd1dbe396b3b443899fcc3511b59ecfb4b8adfea72eed23f15d0426876
SHA512: 1f204d032cd68930f8d5fc0de9d9af43097b4aabb97fc604e77790b2d264eca34a26cd3a02922e1092bb4ff69ea7b52deb05be9dfe211c32e0cfb8a0690f5fdb

memory/4228-21-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB

memory/4228-22-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB

memory/4228-24-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB

memory/4468-29-0x0000000007A90000-0x0000000008034000-memory.dmp
Filesize: 5.6MB

memory/4468-28-0x0000000000730000-0x000000000076E000-memory.dmp
Filesize: 248KB

memory/4468-30-0x00000000074E0000-0x0000000007572000-memory.dmp
Filesize: 584KB

memory/4468-31-0x0000000000E50000-0x0000000000E5A000-memory.dmp
Filesize: 40KB

memory/4468-32-0x0000000008660000-0x0000000008C78000-memory.dmp
Filesize: 6.1MB

memory/4468-33-0x0000000007860000-0x000000000796A000-memory.dmp
Filesize: 1.0MB

memory/4468-34-0x00000000076E0000-0x00000000076F2000-memory.dmp
Filesize: 72KB

memory/4468-35-0x0000000007750000-0x000000000778C000-memory.dmp
Filesize: 240KB

memory/4468-36-0x0000000007790000-0x00000000077DC000-memory.dmp
Filesize: 304KB