healer | 54eb80bbaf5b0a6d578a6f3b4416ff1b6ce876df518bb85f5931b79ddf144538

General

Target

956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe
Size

299KB
MD5

956bd517657fbc0ac22ad634235ff6b0
SHA1

d70f3cf2647776857bb6ca2ad50c2615c1096276
SHA256

54eb80bbaf5b0a6d578a6f3b4416ff1b6ce876df518bb85f5931b79ddf144538
SHA512

409ca331178231208322b88a22967a755682e841b0cdf4f055b8f31196e46f02889a857e4fa47598db5dd9e0ced3aa017f2e92687c2b02c2dfa81e9261e6f035
SSDEEP

6144:X8JFx8y2h+Gy1SPvPzOi+WsCRmOSCa03JdlYK7RV/QGrcJ5r4ofVIKkop3VVLgYp:MJz8hh+f1STIOaGdlYK7RV/QGrcJ5r4i

Score

10^/10

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral2/memory/828-4-0x0000000004C70000-0x0000000004C8A000-memory.dmp	healer
behavioral2/memory/828-6-0x0000000004E00000-0x0000000004E18000-memory.dmp	healer
behavioral2/memory/828-35-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-33-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-31-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-29-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-27-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-25-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-23-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-21-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-19-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-17-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-15-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-13-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-11-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-9-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer
behavioral2/memory/828-8-0x0000000004E00000-0x0000000004E12000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4468	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3976	828	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
828	956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe
828	956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	828	956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\956bd517657fbc0ac22ad634235ff6b0_NeikiAnalytics.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 948
  2⤵
  - Program crash
  PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 828 -ip 828
1⤵
PID:4712

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/828-2-0x00000000047C0000-0x00000000047ED000-memory.dmp

Filesize
180KB

Download
memory/828-1-0x0000000002BE0000-0x0000000002CE0000-memory.dmp

Filesize
1024KB

Download
memory/828-4-0x0000000004C70000-0x0000000004C8A000-memory.dmp

Filesize
104KB

Download
memory/828-5-0x0000000007330000-0x00000000078D4000-memory.dmp

Filesize
5.6MB

Download
memory/828-6-0x0000000004E00000-0x0000000004E18000-memory.dmp

Filesize
96KB

Download
memory/828-7-0x0000000000400000-0x0000000002BB4000-memory.dmp

Filesize
39.7MB

Download
memory/828-35-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-33-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-31-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-29-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-27-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-25-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-23-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-21-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-19-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-17-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-15-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-13-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-11-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-9-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-8-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/828-37-0x0000000000400000-0x0000000002BB4000-memory.dmp

Filesize
39.7MB

Download
memory/828-39-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads