Analysis
Max time kernel: 118s
Max time network: 119s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 24-04-2024 15:01

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 37dd6fe30ecd67cfc661fa3581ea9388f5a87a16022227bd3a62a6bcb829ffb1.exe
Resource: win7-20240221-en (windows7-x64)
7 signatures, 150 seconds
General
Target: 37dd6fe30ecd67cfc661fa3581ea9388f5a87a16022227bd3a62a6bcb829ffb1.exe
Size: 391KB
MD5: 0a84386b85b39b57e8da53f7b5db5a37
SHA1: c99c7c6739f611afa1ca9ebe723ea0b145075bac
SHA256: 37dd6fe30ecd67cfc661fa3581ea9388f5a87a16022227bd3a62a6bcb829ffb1
SHA512: 3d137be1532fdfd6edce769f5c0b7c9d32aedad3ff944bca8a6f23e354962079f4889ed50d520350b2856a2e71199b4e3cab3a3ed5fa4cf4d83fba02039ee314
SSDEEP: 6144:A+ISz1iadJyThR1deYrPvhIZc6c0kp5OogMqa97/QQa:Aw5rdmh3kYj5IvKp5JgMT8Qa
Malware Config
Signatures
Detects Healer, an antivirus disabler dropper (18 IoCs, YARA rule: healer)
Registry IoCs (process: 37dd6fe30ecd67cfc661fa3581ea9388f5a87a16022227bd3a62a6bcb829ffb1.exe):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Detects executables embedding a registry key/value combination indicative of disabling Windows Defender features (17 IoCs, YARA rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender)
Registry IoCs (process: 37dd6fe30ecd67cfc661fa3581ea9388f5a87a16022227bd3a62a6bcb829ffb1.exe):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3068: 37dd6fe30ecd67cfc661fa3581ea9388f5a87a16022227bd3a62a6bcb829ffb1.exe
- PID 3068: 37dd6fe30ecd67cfc661fa3581ea9388f5a87a16022227bd3a62a6bcb829ffb1.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 3068: 37dd6fe30ecd67cfc661fa3581ea9388f5a87a16022227bd3a62a6bcb829ffb1.exe
Processes
Path: C:\Users\Admin\AppData\Local\Temp\37dd6fe30ecd67cfc661fa3581ea9388f5a87a16022227bd3a62a6bcb829ffb1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\37dd6fe30ecd67cfc661fa3581ea9388f5a87a16022227bd3a62a6bcb829ffb1.exe"
PID: 3068
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken