Analysis

max time kernel: 134s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 08-05-2024 01:45

Static task: static1
Behavioral task: behavioral1
Sample: 99c1e668a3a66c8f50bb8a82732dc0e0_NEIKI.exe
Resource: win10v2004-20240419-en
General

Target: 99c1e668a3a66c8f50bb8a82732dc0e0_NEIKI.exe
Size: 410KB
MD5: 99c1e668a3a66c8f50bb8a82732dc0e0
SHA1: 9fe1828397dc620a230489f8ae2b6777702ee445
SHA256: cbf8f2acc34ea14921d1eea9ace5d4210dd2dcefd88b6fafae703f534b0c754c
SHA512: 597b19a2092152f2f080a173f14a9268492eb687000e16ee6cd27cdbf24f07856133a0f6c5c96ed1251a6079c7b4d3534030ae41ad696a833e8ea1099e2ebe10
SSDEEP: 6144:TSp0yN90QE7e3WMGsXtK5mejEpm4uIXI9OtSQ6jAvCGswLvQ9ly6p2:vy90wGjsX+m0EXuMVCGswjSw/
Malware Config

Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)

resource | yara_rule
behavioral1/memory/744-8-0x00000000024A0000-0x00000000024BA000-memory.dmp | healer
behavioral1/memory/744-11-0x0000000002670000-0x0000000002688000-memory.dmp | healer
behavioral1/memory/744-28-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-40-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-38-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-36-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-34-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-32-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-30-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-18-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-16-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-14-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-13-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-26-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-24-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-22-0x0000000002670000-0x0000000002683000-memory.dmp | healer
behavioral1/memory/744-20-0x0000000002670000-0x0000000002683000-memory.dmp | healer
Modifies Windows Defender Real-time Protection settings (11 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 122546449.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 122546449.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 237727250.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 237727250.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 122546449.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 122546449.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 122546449.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 122546449.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 237727250.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 237727250.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 237727250.exe
Executes dropped EXE (2 IoCs)

pid | Process
744 | 122546449.exe
3852 | 237727250.exe
Windows security modification (3 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 122546449.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 237727250.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 122546449.exe
Adds Run key to start application (2 TTPs, 1 IoC)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 99c1e668a3a66c8f50bb8a82732dc0e0_NEIKI.exe

Program crash (1 IoC)

pid | pid_target | Process | procid_target
4980 | 3852 | WerFault.exe | 98

Suspicious behavior: EnumeratesProcesses (4 IoCs)

pid | Process
744 | 122546449.exe
744 | 122546449.exe
3852 | 237727250.exe
3852 | 237727250.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 744 | 122546449.exe
Token: SeDebugPrivilege | 3852 | 237727250.exe

Suspicious use of WriteProcessMemory (6 IoCs)

description | pid | Process | procid_target
PID 3564 wrote to memory of 744 | 3564 | 99c1e668a3a66c8f50bb8a82732dc0e0_NEIKI.exe | 85
PID 3564 wrote to memory of 744 | 3564 | 99c1e668a3a66c8f50bb8a82732dc0e0_NEIKI.exe | 85
PID 3564 wrote to memory of 744 | 3564 | 99c1e668a3a66c8f50bb8a82732dc0e0_NEIKI.exe | 85
PID 3564 wrote to memory of 3852 | 3564 | 99c1e668a3a66c8f50bb8a82732dc0e0_NEIKI.exe | 98
PID 3564 wrote to memory of 3852 | 3564 | 99c1e668a3a66c8f50bb8a82732dc0e0_NEIKI.exe | 98
PID 3564 wrote to memory of 3852 | 3564 | 99c1e668a3a66c8f50bb8a82732dc0e0_NEIKI.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\99c1e668a3a66c8f50bb8a82732dc0e0_NEIKI.exe (PID 3564)
  Command line: "C:\Users\Admin\AppData\Local\Temp\99c1e668a3a66c8f50bb8a82732dc0e0_NEIKI.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\122546449.exe (PID 744)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\122546449.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\237727250.exe (PID 3852)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\237727250.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe (PID 4980)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1076
          - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 4600)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3852 -ip 3852
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 175KB
MD5: 3d10b67208452d7a91d7bd7066067676
SHA1: e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA256: 5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512: b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Filesize: 263KB
MD5: 633cf81cffb453329374d6629d50e149
SHA1: 39395eb9884146a608e654b6c40159e57d0a7504
SHA256: ae50b2a4e2701b1ff5c7616d1183cfbd5444e0e8c37ef77fe85e9ba702e948fa
SHA512: 458be077270a50326e758044a541064b64de5c4c7642728e0ea82dde86f427af917858acac21dcb8f06daeb4f333d005969606d7e009ca74600e33b5077a45db