Overview

overview

10

Static

static

10

dis_defender.exe

windows7-x64

10

dis_defender.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    06-11-2023 12:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dis_defender.exe

  • Size

    12KB

  • MD5

    5e4319826d24eacce3ca0738885722f3

  • SHA1

    f028af3df311cb2d94511c8f05fa7f1efa5268b3

  • SHA256

    6c174114cc8159ea4a8614b5418fa6e6405c42c64675657f69b1ae1839dd0a70

  • SHA512

    f189de4fcc8e3b7ae689b06e8b881d977b15bfe69c6cc762800e3fa2cf929fe16beabee781730f5a1ec10bb61e416afb086332f71178dd9eccc6b87cd53bc0f2

  • SSDEEP

    384:oMsJTP+6OFyf/o0xPSzbbVxu2mnj1jPGUc5tuTpqKi3hC4:oMsJTP+6OFy3LhIbbxafc5tuTpqKYhJ

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dis_defender.exe
    "C:\Users\Admin\AppData\Local\Temp\dis_defender.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security modification
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2332-6-0x000000001B1B0000-0x000000001B492000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2332-8-0x0000000002040000-0x0000000002048000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2332-7-0x000007FEF3E30000-0x000007FEF47CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-9-0x000007FEF3E30000-0x000007FEF47CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-10-0x00000000028C0000-0x0000000002940000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2332-11-0x00000000028C0000-0x0000000002940000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2332-12-0x00000000028C0000-0x0000000002940000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2332-13-0x00000000028C0000-0x0000000002940000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2332-14-0x000007FEF3E30000-0x000007FEF47CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2852-0-0x0000000000D20000-0x0000000000D28000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2852-1-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2852-15-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

    Filesize

    9.9MB

    Download