fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f

General

Target

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
Size

160KB
MD5

788fe4e8bdcff1069a879664b02410ec
SHA1

3931f99406bf4f8e5320bfd8c3b89a5fdc7b0d55
SHA256

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f
SHA512

b63d2495f737e0b6f58e0b25b5ca03280c6db4abbc9ca06a78192930cdea6586a3864daad819320c932915b81b55d1f0136726097e11c5b831cbf1944b354384

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/820-61-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/820-62-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/820-63-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/820-64-0x000000000040616E-mapping.dmp	disable_win_def
behavioral1/memory/820-66-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/820-68-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1100-56-0x0000000000320000-0x0000000000328000-memory.dmp	coreentity

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1100-57-0x00000000003C0000-0x00000000003D2000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

description	pid	process	target process
PID 1100 set thread context of 820	1100	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

pid	process
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

description pid process

Token: SeDebugPrivilege 820 fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

description	pid	process
Token: SeDebugPrivilege	820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

pid	process
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exefdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

description	pid	process	target process
PID 1100 wrote to memory of 820	1100	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 1100 wrote to memory of 820	1100	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 1100 wrote to memory of 820	1100	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 1100 wrote to memory of 820	1100	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 1100 wrote to memory of 820	1100	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 1100 wrote to memory of 820	1100	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 1100 wrote to memory of 820	1100	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 1100 wrote to memory of 820	1100	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 1100 wrote to memory of 820	1100	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 820 wrote to memory of 2024	820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	cmstp.exe
PID 820 wrote to memory of 2024	820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	cmstp.exe
PID 820 wrote to memory of 2024	820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	cmstp.exe
PID 820 wrote to memory of 2024	820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	cmstp.exe
PID 820 wrote to memory of 2024	820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	cmstp.exe
PID 820 wrote to memory of 2024	820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	cmstp.exe
PID 820 wrote to memory of 2024	820	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	cmstp.exe

C:\Users\Admin\AppData\Local\Temp\fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
"C:\Users\Admin\AppData\Local\Temp\fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:820

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\mx1xosin.inf
3⤵
PID:2024

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp\mx1xosin.inf
Filesize
583B

MD5
ae6ef020fec3889a5cecaaa6bebf54dc

SHA1
3465ecaee2adfc7f481f42f0bf0538654bce83ac

SHA256
40f01b8254e390f87253909ba556c1430603e9cf1997a5fda2276cb049d27146

SHA512
86078d8387b239d1498e6f3fedddccf30cc626a92980c46ed8c1bd98333e1d20ccf2699eb3f053170a231f39cf0e0590e8a06e53bc7a2693e64959aa71994ccc

Download Submit
memory/820-64-0x000000000040616E-mapping.dmp

Download
memory/820-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/820-73-0x00000000048C5000-0x00000000048D6000-memory.dmp

Filesize
68KB

Download
memory/820-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/820-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/820-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/820-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/820-68-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/820-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1100-54-0x0000000001390000-0x00000000013BE000-memory.dmp

Filesize
184KB

Download
memory/1100-56-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/1100-55-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1100-57-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2024-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads