3630f2f560652887feb9e869947d27bc606e20b3d3b5e2cd10c43be388d8ee26

Sharing

General

Target

3630f2f560652887feb9e869947d27bc606e20b3d3b5e2cd10c43be388d8ee26
Size

4.8MB
MD5

80938d4e59c911f6585d5e4f5ad1ef00
SHA1

5295d684a682f33f1c88e6c52ecbe8cc8aae4726
SHA256

3630f2f560652887feb9e869947d27bc606e20b3d3b5e2cd10c43be388d8ee26
SHA512

44df07c787144c6322eba41a58205babb0302ae06edc01e75b4cbcedc45425df1f5e89a8441c4260efa26e474913a59e8640ed7f06a4fefc1dcd1bed016f4967
SSDEEP

98304:pLjYuOVbUNRtNffF5ldkCX47NrtwYZbKKaUcflzfhgXLM7rEchU2:pXk43tNffF5ri9KAizqw7r5

Score

10^/10

Malware Config

Signatures

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
3630f2f560652887feb9e869947d27bc606e20b3d3b5e2cd10c43be388d8ee26

Files

3630f2f560652887feb9e869947d27bc606e20b3d3b5e2cd10c43be388d8ee26
.exe windows:5 windows x86 arch:x86

13e07ffd4232bc571310b0d1742aea9e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\gitlab\builds\yyT_Ky8z\0\marshal\cloudinputsetup\Release\Setup.pdb

Imports

ws2_32

ioctlsocket
WSAGetLastError
sendto
recvfrom
listen
accept
freeaddrinfo
getaddrinfo
WSACleanup
WSAStartup
WSAIoctl
setsockopt
ntohs
htons
getsockopt
getsockname
getpeername
connect
closesocket
bind
send
recv
WSASetLastError
select
__WSAFDIsSet
socket
getservbyname
gethostbyname
gethostname
htonl
shutdown

wldap32

ord133
ord79
ord147
ord167
ord127
ord27
ord26
ord118
ord41
ord208
ord216
ord14
ord46
ord219
ord145
ord301
ord142

crypt32

CertOpenStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetCertificateContextProperty
CertFindCertificateInStore
CertCloseStore
CertEnumCertificatesInStore

kernel32

CreateProcessW
Process32FirstW
Process32NextW
OpenProcess
WTSGetActiveConsoleSessionId
TerminateProcess
GetCurrentProcessId
GetDriveTypeW
DeviceIoControl
GetVolumeInformationW
WritePrivateProfileStringW
GetFileAttributesW
GetSystemDirectoryW
SetFilePointerEx
FormatMessageW
SetLastError
FormatMessageA
InitializeCriticalSection
GetFileAttributesA
SleepEx
VerSetConditionMask
QueryPerformanceFrequency
VerifyVersionInfoW
QueryPerformanceCounter
ExpandEnvironmentStringsA
WaitForMultipleObjects
GetStdHandle
PeekNamedPipe
FlushConsoleInputBuffer
GetCurrentThread
GetThreadTimes
GetSystemTime
GlobalMemoryStatus
LoadLibraryA
IsDebuggerPresent
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetLocalTime
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
RemoveDirectoryW
GetThreadPriority
SetThreadPriority
FindClose
SignalObjectAndWait
CreateTimerQueue
GetUserDefaultLCID
GetPrivateProfileStringA
GetPrivateProfileIntA
InterlockedCompareExchange
InterlockedExchange
GetSystemDirectoryA
GetCommandLineW
GetModuleFileNameA
GetLongPathNameA
GetStartupInfoW
SetEvent
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetEndOfFile
GetFullPathNameW
GetFileAttributesExW
GetCPInfo
GetLocaleInfoW
LCMapStringW
CompareStringW
EncodePointer
GetSystemTimeAsFileTime
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
CreateEventW
GetStringTypeW
TryEnterCriticalSection
GetExitCodeThread
SwitchToThread
WaitForSingleObjectEx
CopyFileW
GetLogicalProcessorInformation
GlobalUnlock
GlobalLock
GlobalAlloc
FindNextFileW
FindFirstFileW
GetExitCodeProcess
CreateToolhelp32Snapshot
LocalAlloc
LocalFree
MulDiv
GetFileSize
CreateThread
DosDateTimeToFileTime
GetFileType
SystemTimeToFileTime
DuplicateHandle
GetCurrentProcess
ExitProcess
InterlockedDecrement
InterlockedIncrement
GetTickCount
GetCurrentDirectoryW
GetACP
GetVersionExW
CreateFileA
SetFileAttributesW
SetFilePointer
SetFileTime
GetFileSizeEx
ReadFile
CreateDirectoryW
DeleteCriticalSection
DecodePointer
RaiseException
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
OutputDebugStringA
EnterCriticalSection
OpenMutexW
CreateMutexW
WideCharToMultiByte
MultiByteToWideChar
GetWindowsDirectoryW
ExpandEnvironmentStringsW
CallNamedPipeA
GetDiskFreeSpaceExW
GetModuleHandleW
WaitForSingleObject
DeleteFileW
GetProcAddress
GetLongPathNameW
MoveFileExW
Sleep
OutputDebugStringW
FindResourceExW
LockResource
FreeResource
CloseHandle
SizeofResource
WriteFile
CreateFileW
LoadResource
FindResourceW
GetModuleFileNameW
FreeLibrary
LoadLibraryW
GetLastError
GetProcessHeap
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
HeapDestroy
GetCurrentThreadId
FreeLibraryAndExitThread
GetModuleHandleA
LoadLibraryExW
VirtualAlloc
VirtualProtect
VirtualFree
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
RtlUnwind
GetCommandLineA
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
ExitThread
GetModuleHandleExW
SetConsoleCtrlHandler
GetConsoleMode
ReadConsoleInputA
SetConsoleMode
ReadConsoleW
GetConsoleCP
IsValidLocale
EnumSystemLocalesW
GetTimeZoneInformation
SetStdHandle
FlushFileBuffers
FindFirstFileExW
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
WriteConsoleW
GetNumaHighestNodeNumber

user32

GetWindowThreadProcessId
FindWindowExW
FindWindowW
DestroyIcon
DrawIconEx
GetWindowTextW
GetWindowTextLengthW
SetWindowTextW
GetGUIThreadInfo
CreateAcceleratorTableW
InvalidateRgn
GetCaretBlinkTime
GetSysColor
ClientToScreen
SetCaretPos
GetCaretPos
HideCaret
ShowCaret
CreateCaret
CharPrevW
SetRect
DrawTextW
FillRect
GetWindowRgn
MoveWindow
MessageBoxW
SetWindowRgn
IsZoomed
CharNextW
ReleaseCapture
ExitWindowsEx
GetKeyboardLayoutList
ActivateKeyboardLayout
GetClientRect
SetWindowPos
KillTimer
PostQuitMessage
SetTimer
SetCursor
GetMessageW
GetCursorPos
WindowFromPoint
GetClassNameW
TranslateMessage
DispatchMessageW
wsprintfW
OffsetRect
DefWindowProcW
CreateWindowExW
SetWindowLongW
IsWindow
ShowWindow
GetWindow
EnableWindow
SetFocus
GetWindowRect
GetParent
GetMonitorInfoW
MonitorFromWindow
IsIconic
LoadImageW
GetSystemMetrics
RegisterClassW
GetClassInfoExW
SetCapture
InvalidateRect
GetFocus
PtInRect
MapWindowPoints
IntersectRect
IsWindowVisible
GetUpdateRect
IsRectEmpty
EndPaint
BeginPaint
GetActiveWindow
ScreenToClient
GetDC
GetProcessWindowStation
GetUserObjectInformationW
RegisterClassExW
GetWindowLongW
CallWindowProcW
UnionRect
wvsprintfW
SetPropW
GetPropW
PostMessageW
GetKeyState
DestroyWindow
LoadCursorW
MessageBeep
SendMessageW
ReleaseDC

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
CryptReleaseContext
RegEnumKeyExW
RegDeleteKeyW
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
InitializeSecurityDescriptor
OpenSCManagerW
OpenServiceW
CloseServiceHandle
ControlService
DeleteService
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
CreateProcessAsUserW
DuplicateTokenEx
QueryServiceStatusEx

ole32

CoSetProxyBlanket
CoTaskMemFree
CoInitialize
OleLockRunning
CoUninitialize
CLSIDFromString
CLSIDFromProgID
CoCreateInstance
CreateStreamOnHGlobal
CoCreateGuid
CoInitializeEx
CoInitializeSecurity

shell32

SHGetFileInfoW
SHGetFolderPathW
SHChangeNotify
ShellExecuteW
CommandLineToArgvW
SHGetFolderPathA
SHGetSpecialFolderPathA
SHGetSpecialFolderPathW
ShellExecuteExW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetSpecialFolderLocation

oleaut32

VariantClear
VariantInit
SysAllocString
SysFreeString

shlwapi

PathRemoveFileSpecW
PathAppendW
PathAddBackslashW
PathRemoveFileSpecA
PathFileExistsW
PathAddBackslashA
PathFileExistsA
PathIsDirectoryW

gdi32

GetStockObject
GetObjectW
SelectObject
SaveDC
BitBlt
RestoreDC
Rectangle
SetWindowOrgEx
GetTextMetricsW
CreateRoundRectRgn
CreateDIBSection
CreateRectRgn
PtInRegion
SelectClipRgn
CreateFontIndirectW
CreateRectRgnIndirect
ExtSelectClipRgn
CombineRgn
StretchBlt
SetStretchBltMode
SetBkColor
ExtTextOutW
CreateSolidBrush
CreatePenIndirect
MoveToEx
LineTo
RoundRect
SetBkMode
SetTextColor
GetCharABCWidthsW
GetTextExtentPoint32W
TextOutW
GdiFlush
GetDeviceCaps
GetObjectA
CreatePatternBrush
CreatePolygonRgn
CreatePen
DeleteObject
CreateCompatibleDC
CreateCompatibleBitmap
GetClipBox
DeleteDC

gdiplus

GdiplusShutdown
GdipRotateWorldTransform
GdipTranslateWorldTransform
GdipLoadImageFromStream
GdipImageSelectActiveFrame
GdipGetImageHeight
GdipGetImageWidth
GdipGetPropertyItem
GdipGetPropertyItemSize
GdipImageGetFrameCount
GdipImageGetFrameDimensionsList
GdipImageGetFrameDimensionsCount
GdipDrawImage
GdipGraphicsClear
GdipDrawImageRectI
GdipDrawString
GdipGetFamily
GdipDeleteFontFamily
GdipSetPixelOffsetMode
GdipSetInterpolationMode
GdipSetCompositingQuality
GdipSetSmoothingMode
GdipGetImageGraphicsContext
GdipDisposeImage
GdipCloneImage
GdipCreateBitmapFromScan0
GdipAlloc
GdipFree
GdipDeleteBrush
GdipCreateLineBrushI
GdipSetStringFormatAlign
GdipSetStringFormatLineAlign
GdipDeleteStringFormat
GdipCreateStringFormat
GdipSetTextRenderingHint
GdipDeleteGraphics
GdipCreateFromHDC
GdipDeleteFont
GdipCreateFontFromLogfontA
GdipCreateFontFromDC
GdiplusStartup

imm32

ImmGetContext
ImmSetCompositionWindow
ImmSetCompositionFontW
ImmReleaseContext
ImmGetDescriptionW

comctl32

_TrackMouseEvent
ord17

iphlpapi

GetAdaptersInfo

psapi

GetModuleFileNameExW

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

wtsapi32

WTSQueryUserToken

version

GetFileVersionInfoSizeW
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoW
VerQueryValueW

netapi32

Netbios

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 552KB - Virtual size: 551KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 64KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 18.1MB - Virtual size: 18.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 116KB - Virtual size: 115KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

13e07ffd4232bc571310b0d1742aea9e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

wldap32

crypt32

kernel32

user32

advapi32

ole32

shell32

oleaut32

shlwapi

gdi32

gdiplus

imm32

comctl32

iphlpapi

psapi

userenv

wtsapi32

version

netapi32

Sections

.text Size: 2.2MB - Virtual size: 2.2MB

.rdata Size: 552KB - Virtual size: 551KB

.data Size: 64KB - Virtual size: 93KB

.rsrc Size: 18.1MB - Virtual size: 18.1MB

.reloc Size: 116KB - Virtual size: 115KB

.text
Size: 2.2MB - Virtual size: 2.2MB

.rdata
Size: 552KB - Virtual size: 551KB

.data
Size: 64KB - Virtual size: 93KB

.rsrc
Size: 18.1MB - Virtual size: 18.1MB

.reloc
Size: 116KB - Virtual size: 115KB