fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f

General

Target

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
Size

160KB
MD5

788fe4e8bdcff1069a879664b02410ec
SHA1

3931f99406bf4f8e5320bfd8c3b89a5fdc7b0d55
SHA256

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f
SHA512

b63d2495f737e0b6f58e0b25b5ca03280c6db4abbc9ca06a78192930cdea6586a3864daad819320c932915b81b55d1f0136726097e11c5b831cbf1944b354384

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4396-136-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
C:\Windows\Temp\rjid5asl.exe	disable_win_def
C:\Windows\temp\rjid5asl.exe	disable_win_def
behavioral2/memory/3332-145-0x0000000000C70000-0x0000000000C78000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Executes dropped EXE 1 IoCs

Processes:

rjid5asl.exe

pid process

3332 rjid5asl.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

rjid5asl.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" rjid5asl.exe

pid	process
3332	rjid5asl.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	rjid5asl.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

description	pid	process	target process
PID 4476 set thread context of 4396	4476	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3488 taskkill.exe

pid	process
3488	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

pid	process
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	4336	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

pid	process
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exefdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exeDllHost.execmd.exerjid5asl.exe

description	pid	process	target process
PID 4476 wrote to memory of 4396	4476	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 4476 wrote to memory of 4396	4476	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 4476 wrote to memory of 4396	4476	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 4476 wrote to memory of 4396	4476	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 4476 wrote to memory of 4396	4476	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 4476 wrote to memory of 4396	4476	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 4476 wrote to memory of 4396	4476	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 4476 wrote to memory of 4396	4476	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
PID 4396 wrote to memory of 4672	4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	cmstp.exe
PID 4396 wrote to memory of 4672	4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	cmstp.exe
PID 4396 wrote to memory of 4672	4396	fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe	cmstp.exe
PID 4756 wrote to memory of 2192	4756	DllHost.exe	cmd.exe
PID 4756 wrote to memory of 2192	4756	DllHost.exe	cmd.exe
PID 4756 wrote to memory of 2192	4756	DllHost.exe	cmd.exe
PID 2192 wrote to memory of 3332	2192	cmd.exe	rjid5asl.exe
PID 2192 wrote to memory of 3332	2192	cmd.exe	rjid5asl.exe
PID 4756 wrote to memory of 3488	4756	DllHost.exe	taskkill.exe
PID 4756 wrote to memory of 3488	4756	DllHost.exe	taskkill.exe
PID 4756 wrote to memory of 3488	4756	DllHost.exe	taskkill.exe
PID 3332 wrote to memory of 4336	3332	rjid5asl.exe	powershell.exe
PID 3332 wrote to memory of 4336	3332	rjid5asl.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
"C:\Users\Admin\AppData\Local\Temp\fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4396

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\ddqhaqkw.inf
3⤵
PID:4672

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\rjid5asl.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\temp\rjid5asl.exe
C:\Windows\temp\rjid5asl.exe
3⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Windows\Temp\rjid5asl.exe
Filesize
12KB

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
C:\Windows\temp\ddqhaqkw.inf
Filesize
583B

MD5
fd276a82536d1848a1bf24f504cd181c

SHA1
df1eff0753e712329e903daca0beb7529fe5f51f

SHA256
c16da32c3d002964519c66c90b28355c30b9284639df6080977ef2c2e139a682

SHA512
a0a5173cfc71236d3981b185f374200dac423b1e191766992e330b7186795cb4500d04985ed70133ca4d7ae87f67582f97f9b3ff205dda07bf14646e02e67296

Download Submit
C:\Windows\temp\rjid5asl.exe
Filesize
12KB

MD5
f4b5c1ebf4966256f52c4c4ceae87fb1

SHA1
ca70ec96d1a65cb2a4cbf4db46042275dc75813b

SHA256
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03

SHA512
02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

Download Submit
memory/2192-140-0x0000000000000000-mapping.dmp

Download
memory/3332-148-0x00007FFA0E1C0000-0x00007FFA0EC81000-memory.dmp

Filesize
10.8MB

Download
memory/3332-145-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/3332-141-0x0000000000000000-mapping.dmp

Download
memory/3488-144-0x0000000000000000-mapping.dmp

Download
memory/4336-146-0x0000000000000000-mapping.dmp

Download
memory/4336-147-0x000001839CD40000-0x000001839CD62000-memory.dmp

Filesize
136KB

Download
memory/4336-149-0x00007FFA0E1C0000-0x00007FFA0EC81000-memory.dmp

Filesize
10.8MB

Download
memory/4396-136-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4396-135-0x0000000000000000-mapping.dmp

Download
memory/4476-134-0x00000000055F0000-0x000000000568C000-memory.dmp

Filesize
624KB

Download
memory/4476-133-0x0000000004BB0000-0x0000000004BBA000-memory.dmp

Filesize
40KB

Download
memory/4476-132-0x00000000049E0000-0x0000000004A72000-memory.dmp

Filesize
584KB

Download
memory/4476-130-0x0000000000020000-0x000000000004E000-memory.dmp

Filesize
184KB

Download
memory/4476-131-0x0000000005040000-0x00000000055E4000-memory.dmp

Filesize
5.6MB

Download
memory/4672-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads