85dff73e54d9a0d0ccee788a3d4ef155a2a7d37ab9fb7a175723559d59b47cfa | Triage

Analysis

max time kernel
178s
max time network
225s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 10:23

Sharing

Report Analysis Logs

General

Target

DefenderRemover.exe
Size

664KB
MD5

7a3e43c2971746c84d32f8a448823673
SHA1

08b75724c68f25ac831ba2c7508f18bf3a398c9f
SHA256

c7bdcebe60356900dc4b4f8bc8b75acc1536df33ae7a1049bfa27192b8c62d0a
SHA512

702ea07e5377387cf938554c8fab55847cc72e06997f318099940db2b0af7d06acf326be3699569b65a9a265e617cab13c2930614bc3a0cb2e02ee82fd79c8f5
SSDEEP

12288:u1OgLda0ZjpVxCSDrqzU7rOv/O6/NH90u9KIyburq6fAdAYmyw:u1OYdaypVxCiIO6/LXEYr8dAByw

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1944	2940	DefenderRemover.exe	87
PID 2940 wrote to memory of 1944	2940	DefenderRemover.exe	87
PID 2940 wrote to memory of 1944	2940	DefenderRemover.exe	87

C:\Users\Admin\AppData\Local\Temp\DefenderRemover.exe
"C:\Users\Admin\AppData\Local\Temp\DefenderRemover.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\Script_Run.bat
  2⤵
  PID:1944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSB9F4.tmp\Script_Run.bat

Filesize
5KB

MD5
cb6ba01b02a759691ccce25812a01fbe

SHA1
3dc6450d1d0d92b34a8bbf891d5895d916dfa286

SHA256
7799b4f070f70a1ba829e49dadbb4708a632d8db41510828b50b8826a669b6c3

SHA512
871b05706dd8e9de355873236a592621e2a5dfca694154d2c86411499d0b2300cc6cfc7c62a8dd998ef901934349d725d34405250d6cbca49f9c9e63b316b126

Download Submit