bff18fa437ec08a2b1726d02b23e25cb3deea0933624beffe2a646120ae79062

General

Target

DOC#090900009.exe
Size

858KB
MD5

873ee9e180e146dbc58e236adc4859e2
SHA1

244f6944163d7b56f41c8e6b321b66fbcced9e8c
SHA256

a1b7b74f099ecb3e600271c2ed326aacaeece3eda474d5769c2839386fa0fc05
SHA512

6feb78a2ea87f4cd0b676d8cadf92a74126d0658f96fc2e4e60baea17d99e97a5caffbf3737873ed9be07d18e5f1ce4f24fb3cb13fe535ea5cda0b0a21c098b8

Score

10^/10

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1600-57-0x0000000004D00000-0x0000000004DCE000-memory.dmp	disable_win_def

Suspicious behavior: EnumeratesProcesses 21 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	DOC#090900009.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 276	1600	DOC#090900009.exe	28
PID 1600 wrote to memory of 276	1600	DOC#090900009.exe	28
PID 1600 wrote to memory of 276	1600	DOC#090900009.exe	28
PID 1600 wrote to memory of 276	1600	DOC#090900009.exe	28
PID 1600 wrote to memory of 1968	1600	DOC#090900009.exe	29
PID 1600 wrote to memory of 1968	1600	DOC#090900009.exe	29
PID 1600 wrote to memory of 1968	1600	DOC#090900009.exe	29
PID 1600 wrote to memory of 1968	1600	DOC#090900009.exe	29
PID 1600 wrote to memory of 1780	1600	DOC#090900009.exe	30
PID 1600 wrote to memory of 1780	1600	DOC#090900009.exe	30
PID 1600 wrote to memory of 1780	1600	DOC#090900009.exe	30
PID 1600 wrote to memory of 1780	1600	DOC#090900009.exe	30
PID 1600 wrote to memory of 684	1600	DOC#090900009.exe	31
PID 1600 wrote to memory of 684	1600	DOC#090900009.exe	31
PID 1600 wrote to memory of 684	1600	DOC#090900009.exe	31
PID 1600 wrote to memory of 684	1600	DOC#090900009.exe	31
PID 1600 wrote to memory of 1728	1600	DOC#090900009.exe	32
PID 1600 wrote to memory of 1728	1600	DOC#090900009.exe	32
PID 1600 wrote to memory of 1728	1600	DOC#090900009.exe	32
PID 1600 wrote to memory of 1728	1600	DOC#090900009.exe	32

C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe
"C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe
  "C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe"
  2⤵
  PID:276
- C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe
  "C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe"
  2⤵
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe
  "C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe"
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe
  "C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe"
  2⤵
  PID:684
- C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe
  "C:\Users\Admin\AppData\Local\Temp\DOC#090900009.exe"
  2⤵
  PID:1728

memory/1600-54-0x0000000000330000-0x000000000040C000-memory.dmp

Filesize
880KB

Download
memory/1600-55-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/1600-56-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1600-57-0x0000000004D00000-0x0000000004DCE000-memory.dmp

Filesize
824KB

Download
memory/1600-58-0x0000000001F60000-0x0000000001F6E000-memory.dmp

Filesize
56KB

Download
memory/1600-59-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1600-60-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download