Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 14s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 19/11/2024, 04:11
Static task: static1
Behavioral task: behavioral1
Sample: c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Resource: win7-20241010-en
General
Target: c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Size: 295KB
MD5: 02a8d30e926df56a9cb8a5858dc3dd30
SHA1: cd379b7a853f2c538a62b3af6ec27b11fb9f952e
SHA256: c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0d
SHA512: 9450782815243b353dd4989064f86b2ea07c8f42df8f28917a020605ce8d1bb64113daf6b8897436d8f1393ae1b74f48f4b525476a30760c509f407104bac0e6
SSDEEP: 3072:SZ7HjoCTZXT3uq7AmjWCXeZeHhVURa7sMc+Z+pBAkKtrrmJ4DQENIv8kc8+c0bJf:iFdruq7om2a7sHlWtrHDQGIv8kc8ex
Malware Config
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/2596-4-0x0000000004660000-0x000000000467A000-memory.dmp | healer
behavioral1/memory/2596-5-0x0000000004680000-0x0000000004698000-memory.dmp | healer
behavioral1/memory/2596-33-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-31-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-29-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-27-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-25-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-23-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-21-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-19-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-17-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-15-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-13-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-11-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-9-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-7-0x0000000004680000-0x0000000004692000-memory.dmp | healer
behavioral1/memory/2596-6-0x0000000004680000-0x0000000004692000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2596 | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
2596 | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2596 | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
command line: "C:\Users\Admin\AppData\Local\Temp\c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe"
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2596