e395f00de9e0ad7b35bf4138c57c1132db4144ab8e2d4d0eb340c599ff9e0d24

Sharing

General

Target

e395f00de9e0ad7b35bf4138c57c1132db4144ab8e2d4d0eb340c599ff9e0d24
Size

347KB
MD5

55cdd4a858ab06d5e134bb042ac92499
SHA1

3f861c5a0173a73be60b350afc6f2383f5f21af3
SHA256

e395f00de9e0ad7b35bf4138c57c1132db4144ab8e2d4d0eb340c599ff9e0d24
SHA512

51fcf5b19196a5881a7c903f267d6434d719f4c6d90e8a79bc6e076822d709d7d1f7b81425699d02d184f33447d470f81147668e3d6521e1326934dc02ac2278
SSDEEP

3072:Sk/pOV/t8tCBLnIPzX3kWSkbT37jb4/3OO1i:jwV/GtAIPj3HRT/b4fOO1

Score

10^/10

Malware Config

Signatures

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
e395f00de9e0ad7b35bf4138c57c1132db4144ab8e2d4d0eb340c599ff9e0d24

Files

e395f00de9e0ad7b35bf4138c57c1132db4144ab8e2d4d0eb340c599ff9e0d24
.exe windows:5 windows x64 arch:x64

251b0347927ee2f7cfacdb9eadca205f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetSystemWow64DirectoryA
LoadLibraryW
Sleep
SizeofResource
GetSystemDirectoryA
GetLastError
GetProcAddress
SetFileAttributesA
LockResource
GetModuleFileNameA
CloseHandle
LocalFileTimeToFileTime
WriteFile
WaitForSingleObject
OpenProcess
GetSystemDirectoryW
VirtualFreeEx
GetVersionExW
VirtualAllocEx
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
WriteProcessMemory
GetTempPathA
SetFileTime
GetModuleHandleW
GetCurrentProcess
SystemTimeToFileTime
LoadResource
FindResourceW
FreeResource
FreeLibrary
CreateFileA
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetTickCount

advapi32

RegCloseKey
AdjustTokenPrivileges
RegOpenKeyExA
LookupPrivilegeValueW
RegCreateKeyExA
RegSetValueExA
OpenProcessToken
RegQueryValueExA

shell32

ShellExecuteA
ShellExecuteW

msvcr90

_wcsicmp
_swprintf
_amsg_exit
__wgetmainargs
__C_specific_handler
_XcptFilter
_exit
_cexit
exit
__winitenv
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_commode
_fmode
_encode_pointer
__set_app_type
__crt_debugger_hook
?terminate@@YAXXZ
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
strrchr
fwrite
fopen
remove
_errno
malloc
free
sprintf
fclose
memset

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 672B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 329KB - Virtual size: 329KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

251b0347927ee2f7cfacdb9eadca205f

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

shell32

msvcr90

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 5KB - Virtual size: 5KB

.data Size: 1024B - Virtual size: 6KB

.pdata Size: 1024B - Virtual size: 672B

.rsrc Size: 329KB - Virtual size: 329KB

.reloc Size: 512B - Virtual size: 72B

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 5KB - Virtual size: 5KB

.data
Size: 1024B - Virtual size: 6KB

.pdata
Size: 1024B - Virtual size: 672B

.rsrc
Size: 329KB - Virtual size: 329KB

.reloc
Size: 512B - Virtual size: 72B