General
-
Target
GSecurity.exe
-
Size
851KB
-
Sample
230119-n6bpwacg7s
-
MD5
690eee0e48261b646ac54a1866c32510
-
SHA1
ccd9ce1e952026508a233efba834b1de6b3c2490
-
SHA256
82525d214350151c4ecff9c9dd3bf18acaeee43d34834092b0849d1e96d4b9d7
-
SHA512
e5fc6039654e323b89116db02c5c98fec7f955d7c122c8c9cb801d8f917cf947a298760d71d62a259d1cced0da1b5be206066c24774d90916f531873351845d1
-
SSDEEP
24576:kddFMz0EjoWKPP92qQjKngMEPSQZsv/943JfIY6T8:kdd6z08od2bjxPPNZa943JwDI
Static task
static1
Behavioral task
behavioral1
Sample
GSecurity.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
GSecurity.exe
Resource
win10v2004-20221111-en
Malware Config
Targets
-
-
Target
GSecurity.exe
-
Size
851KB
-
MD5
690eee0e48261b646ac54a1866c32510
-
SHA1
ccd9ce1e952026508a233efba834b1de6b3c2490
-
SHA256
82525d214350151c4ecff9c9dd3bf18acaeee43d34834092b0849d1e96d4b9d7
-
SHA512
e5fc6039654e323b89116db02c5c98fec7f955d7c122c8c9cb801d8f917cf947a298760d71d62a259d1cced0da1b5be206066c24774d90916f531873351845d1
-
SSDEEP
24576:kddFMz0EjoWKPP92qQjKngMEPSQZsv/943JfIY6T8:kdd6z08od2bjxPPNZa943JwDI
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies firewall policy service
-
Modifies security service
-
Modifies system executable filetype association
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Possible privilege escalation attempt
-
Sets file execution options in registry
-
Allows Network login with blank passwords
Allows local user accounts with blank passwords to access device from the network.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies powershell logging option
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
4Change Default File Association
1Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
12Disabling Security Tools
3Bypass User Account Control
1File Permissions Modification
1