WindowsDefender[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

WindowsDefender.exe
Size

448KB
MD5

aeeb156552045bd64bd6be4a4c7724a9
SHA1

9795946a236a0c0759eddf1ce8fef2f8aa051806
SHA256

45a46ad422eb1f1d0213d5b425b6f83db2fc48a67d0b2b2d37a6fe96567b2817
SHA512

a9c1720703d2b25addf87b108e6020fb73e29da7f705842faffdcbdd4ad993917d464d78dc7db9b01d58f18e8a9e7f924f1506a54e92f9d0acf20410fa62df9a
SSDEEP

12288:SF2itC7rxZjmoXuaiHi/Xy3I3sBmy1CL4ukpuMQB9:oHSZqoXuWPzlITQ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
WindowsDefender.exe

Files

WindowsDefender.exe
.exe windows:4 windows x86 arch:x86

8800a03ace7b3b8921bfecf22cbec727

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_BYTES_REVERSED_HI

Imports

kernel32

GetModuleHandleA
GetProcAddress

user32

CharNextA

advapi32

RegCloseKey

oleaut32

SysFreeString

version

VerQueryValueA

gdi32

SaveDC

ole32

CoInitialize

comctl32

ImageList_Add

shell32

SHGetFileInfoA

ntdll

RtlAdjustPrivilege
NtSetInformationProcess

Sections

.MPRESS1
Size: 428KB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MPRESS2
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE