healer | 27fe8df8c4c335822ad9aad0aaeb78f9ceec837124ee950f74cd1c6ca115b9f1

General

Target

1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe
Size

269KB
MD5

1f94fb52742958588c3032e29496d0c0
SHA1

282b54a0c7c465713aab1e316e01a239d7baf3c7
SHA256

27fe8df8c4c335822ad9aad0aaeb78f9ceec837124ee950f74cd1c6ca115b9f1
SHA512

b121f04fcb7d835ab436836155ab46ac7624326e23ba6eb6f2ecc7b0a7c2bd982545daad4a9a4d94ae2bb9293968d6706f379c379d23e70d337d9eb94c6e572d
SSDEEP

3072:qusW2zNnkvs6LpttjzHcHg6QxfLYyqshilCecIIYgPczDkP33G5VIhGF:qNnkU6bCv6fdXhilCtI+PeeniIM

Score

10^/10

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2732-4-0x0000000004600000-0x000000000461A000-memory.dmp	healer
behavioral1/memory/2732-5-0x0000000004620000-0x0000000004638000-memory.dmp	healer
behavioral1/memory/2732-34-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-32-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-30-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-28-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-26-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-24-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-22-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-20-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-18-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-16-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-14-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-12-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-10-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-8-0x0000000004620000-0x0000000004632000-memory.dmp	healer
behavioral1/memory/2732-7-0x0000000004620000-0x0000000004632000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2732	1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe
2732	1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f94fb52742958588c3032e29496d0c0_NeikiAnalytics.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-1-0x0000000002C40000-0x0000000002D40000-memory.dmp

Filesize
1024KB

Download
memory/2732-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2732-2-0x00000000002C0000-0x00000000002ED000-memory.dmp

Filesize
180KB

Download
memory/2732-4-0x0000000004600000-0x000000000461A000-memory.dmp

Filesize
104KB

Download
memory/2732-5-0x0000000004620000-0x0000000004638000-memory.dmp

Filesize
96KB

Download
memory/2732-6-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/2732-34-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-32-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-30-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-28-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-26-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-24-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-22-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-20-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-18-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-16-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-14-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-12-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-10-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-8-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-7-0x0000000004620000-0x0000000004632000-memory.dmp

Filesize
72KB

Download
memory/2732-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2732-36-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads