Analysis
-
max time kernel
133s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04-05-2024 01:51
Static task
static1
Behavioral task
behavioral1
Sample
b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
Resource
win7-20240215-en
General
-
Target
b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
-
Size
395KB
-
MD5
f6d3bde91b1c282fd96d3f7df1d5380b
-
SHA1
be0fb279096517370ec8dea3dc265dfc15bba339
-
SHA256
b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f
-
SHA512
69da93d65f460074a729050288bfc48cb330c22bded63fdd094d43267f0efa1327a58457abb74979d0a98ddd4e98613e102c5d77093be0b5bb2cc831c61d8bb0
-
SSDEEP
3072:WqzpJDoNNml840wdcWz1/NSnwNGY2u+46kF0+Mc7u910CwEBhd+B9PfUD5/myu:lzL28xdckCAGYVd7uX0a9Sfq
Malware Config
Signatures
-
Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
resource                                                                     yara_rule
behavioral2/memory/4052-5-0x00000000023D0000-0x00000000023EA000-memory.dmp   healer
behavioral2/memory/4052-7-0x0000000004BA0000-0x0000000004BB8000-memory.dmp   healer
behavioral2/memory/4052-27-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-33-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-31-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-29-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-25-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-23-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-21-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-35-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-19-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-18-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-15-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-13-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-11-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  healer
behavioral2/memory/4052-9-0x0000000004BA0000-0x0000000004BB3000-memory.dmp   healer
behavioral2/memory/4052-8-0x0000000004BA0000-0x0000000004BB3000-memory.dmp   healer
Processes:
description      ioc                                                                                                                      process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                    b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
Detects executables embedding a registry key / value combination indicative of disabling Windows Defender features (17 IoCs)
Processes:
resource                                                                     yara_rule
behavioral2/memory/4052-5-0x00000000023D0000-0x00000000023EA000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-7-0x0000000004BA0000-0x0000000004BB8000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-27-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-33-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-31-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-29-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-25-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-23-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-21-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-35-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-19-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-18-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-15-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-13-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-11-0x0000000004BA0000-0x0000000004BB3000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-9-0x0000000004BA0000-0x0000000004BB3000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4052-8-0x0000000004BA0000-0x0000000004BB3000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Processes:
description      ioc                                                                                   process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                         b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
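The two signatures above record the same technique from two angles: the Real-Time Protection policy values set to 1 and the TamperProtection feature value set to 0. The following is an added detection example, not code from the sandbox or from the Healer sample. It reduces those writes to a table of "protection off" values and runs it over constructed Sysmon Event ID 13 (RegistryEvent, SetValue) records; the record format, the image paths other than the sample's own, the hypothetical tweak.exe, and the threshold of three real-time-protection values are assumptions made for the example. The normaliser collapses the WOW6432Node view and the native view into one path, because the sample here is 32-bit (it is serviced by the SysWOW64 WerFault and its writes were logged under WOW6432Node) while a 64-bit writer would hit the same settings under the native path.

```python
"""Flag the Windows Defender registry writes recorded in the report above.

Added example; not code from the sandbox or the Healer sample. The record
format, the non-sample image paths and the threshold are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Normalised key paths (lower-case, no hive, no WOW6432Node) and the DWORD
# that switches the protection off, as recorded in the report's signatures.
RTP_POLICY = "software\\policies\\microsoft\\windows defender\\real-time protection"
FEATURES = "software\\microsoft\\windows defender\\features"
DEFENDER_OFF_VALUES: Dict[str, int] = {
    RTP_POLICY + "\\disablerealtimemonitoring": 1,
    RTP_POLICY + "\\disablescanonrealtimeenable": 1,
    RTP_POLICY + "\\disablebehaviormonitoring": 1,
    RTP_POLICY + "\\disableioavprotection": 1,
    RTP_POLICY + "\\disableonaccessprotection": 1,
    FEATURES + "\\tamperprotection": 0,
}

_HIVE_PREFIXES = ("\\registry\\machine\\", "hkey_local_machine\\", "hklm\\")
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{1,8})\)")
_FIELD_RE = re.compile(r"(\w+): ([^;]*)")


def normalize_key(target: str) -> str:
    """Lower-case, strip the HKLM prefix (sandbox or Sysmon spelling) and drop
    the WOW6432Node component so 32-bit and 64-bit writers compare equal."""
    key = target.strip().lower()
    for prefix in _HIVE_PREFIXES:
        if key.startswith(prefix):
            key = key[len(prefix):]
            break
    return key.replace("wow6432node\\", "")


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; anything else -> None."""
    m = _DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def parse_record(line: str) -> Dict[str, str]:
    """Parse one 'Field: value; Field: value' line (assumed export format)."""
    return {k: v.strip() for k, v in _FIELD_RE.findall(line)}


@dataclass(frozen=True)
class Finding:
    image: str
    value_path: str
    observed: int


def evaluate(lines: Iterable[str]) -> List[Finding]:
    """One Finding per SetValue event that puts a known value into its 'off'
    state; a write that restores protection (e.g. ...Monitoring = 0) is ignored."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "13" or "TargetObject" not in rec:
            continue
        path = normalize_key(rec["TargetObject"])
        expected = DEFENDER_OFF_VALUES.get(path)
        if expected is None:
            continue
        observed = parse_dword(rec.get("Details", ""))
        if observed == expected:
            findings.append(Finding(rec.get("Image", "?"), path, observed))
    return findings


def classify(findings: Iterable[Finding], threshold: int = 3) -> Dict[str, str]:
    """Per writing image: 'av-disabler' if it flipped TamperProtection or at
    least `threshold` distinct real-time-protection policy values (the report's
    key / value combination), otherwise 'suspicious' for a lone write."""
    per_image = defaultdict(set)
    for f in findings:
        per_image[f.image].add(f.value_path)
    verdict = {}
    for image, paths in per_image.items():
        hit_tp = (FEATURES + "\\tamperprotection") in paths
        rtp_hits = sum(1 for p in paths if p.startswith(RTP_POLICY + "\\"))
        verdict[image] = "av-disabler" if hit_tp or rtp_hits >= threshold else "suspicious"
    return verdict


# Constructed Sysmon-style records modelled on the report's IoCs (not real logs).
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe")
_RTP32 = "HKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
_RTP64 = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
SAMPLE_EVENTS = [
    f"EventID: 13; EventType: SetValue; Image: {SAMPLE}; TargetObject: {_RTP32}{name}; Details: DWORD (0x00000001)"
    for name in ("DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
                 "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection")
] + [
    f"EventID: 13; EventType: SetValue; Image: {SAMPLE}; TargetObject: "
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection; Details: DWORD (0x00000000)",
    # an admin re-enabling real-time monitoring through the 64-bit view: must not match
    "EventID: 13; EventType: SetValue; Image: C:\\Windows\\regedit.exe; TargetObject: "
    f"{_RTP64}DisableRealtimeMonitoring; Details: DWORD (0x00000000)",
    # unrelated registry write
    "EventID: 13; EventType: SetValue; Image: C:\\Windows\\explorer.exe; TargetObject: "
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden; Details: DWORD (0x00000001)",
    # hypothetical 64-bit tool disabling one value via the native path: matched, but only 'suspicious'
    "EventID: 13; EventType: SetValue; Image: C:\\Tools\\tweak.exe; TargetObject: "
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring; Details: DWORD (0x00000001)",
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.image}: {h.value_path} = {h.observed}")
    print(classify(hits))
```

Two caveats when turning this into a host check. First, inspect both the WOW6432Node and the native path: which one a writer lands in depends on its bitness, and the report only shows the 32-bit sample's view. Second, a logged SetValue proves the sample attempted the change, not that Defender honoured it; with Tamper Protection enabled, Defender rejects changes to its settings from other processes, so confirm the effective state with Get-MpComputerStatus (RealTimeProtectionEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled, OnAccessProtectionEnabled, IsTamperProtected) rather than trusting the registry value alone.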
Launches sc.exe (1 IoC)
sc.exe is the Windows utility for controlling services on the system.
Processes:
pid   process
4772  sc.exe
Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
2824  4052        WerFault.exe  b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
4052  b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
4052  b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  4052  b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1f32f0f87a005e43c6e2a02991c465234987aa76046e5a5002714a50098f08f.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4052
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 884
      - Program crash
      PID: 2824
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4052 -ip 4052
  PID: 3660
C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 4772