Overview

overview

10

Static

static

3

109fb1344c...cs.exe

windows7-x64

10

109fb1344c...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 22:27 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    109fb1344c7ea711623f0e1dc4641460_NeikiAnalytics.exe

  • Size

    299KB

  • MD5

    109fb1344c7ea711623f0e1dc4641460

  • SHA1

    769475366a953e6d1c1da34a88e32f560470ff05

  • SHA256

    eb418a9a959d700086b5b8eb7d64a6f6d039afa1855ea7d9bc8f190b67d7e460

  • SHA512

    ca57cc15e4eee65fa469406cd871a44572fac7a835d715dd73557f39c58286812b65dd0e82ad05dee725b3950845fc61800486f92b35c1b2d2cbb5ae7a68acbc

  • SSDEEP

    6144:P8JFx8y2h+Gy1SPvPzOi+WsCRmOSCa03JdlYK7RV/QGrcJ5r4ofVIKkop3VVLgYp:0Jz8hh+f1STIOaGdlYK7RV/QGrcJ5r4i

Score
10/10
healerdropperevasiontrojan

Malware Config

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\109fb1344c7ea711623f0e1dc4641460_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\109fb1344c7ea711623f0e1dc4641460_NeikiAnalytics.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 880
      2⤵
      • Program crash
      PID:2808
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4776 -ip 4776
    1⤵
      PID:2104

    Network

    • flag-us
      DNS
      22.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-be
      GET
      https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      Remote address:
      88.221.83.208:443
      Request
      GET /th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1463
      date: Thu, 09 May 2024 22:27:51 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.cc53dd58.1715293671.29d528d
    • flag-us
      DNS
      208.83.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      208.83.221.88.in-addr.arpa
      IN PTR
      Response
      208.83.221.88.in-addr.arpa
      IN PTR
      a88-221-83-208deploystaticakamaitechnologiescom
    • flag-us
      DNS
      26.165.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.165.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      35.15.31.184.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      35.15.31.184.in-addr.arpa
      IN PTR
      Response
      35.15.31.184.in-addr.arpa
      IN PTR
      a184-31-15-35deploystaticakamaitechnologiescom
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • 88.221.83.208:443
      https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      tls, http2
      1.5kB
       6.7kB
       17
      12

      HTTP Request

      GET https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

      HTTP Response

      200
    • 8.8.8.8:53
      22.160.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      22.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      208.83.221.88.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      208.83.221.88.in-addr.arpa

    • 8.8.8.8:53
      26.165.165.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      26.165.165.52.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      35.15.31.184.in-addr.arpa
      dns
      71 B
       135 B
       1
      1

      DNS Request

      35.15.31.184.in-addr.arpa

    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      14.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4776-2-0x0000000002C40000-0x0000000002C6D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4776-3-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4776-1-0x0000000002E80000-0x0000000002F80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4776-4-0x0000000004900000-0x000000000491A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4776-5-0x00000000072F0000-0x0000000007894000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4776-6-0x0000000004BD0000-0x0000000004BE8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4776-7-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-34-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-33-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-30-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-29-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-26-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-25-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-23-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-20-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-18-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-16-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-14-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-12-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-10-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-8-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4776-35-0x0000000000400000-0x0000000002BB4000-memory.dmp

      Filesize

      39.7MB

      Download

    • memory/4776-39-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4776-40-0x0000000000400000-0x0000000002BB4000-memory.dmp

      Filesize

      39.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.