General

Target: XC.exe
Size: 7.5MB
Sample: 240416-bl9d7afd7w
MD5: b821d6b60c41d12fc8c19b60e94c7bff
SHA1: 09d4d44e8e3b579fde868cdc652b8bce12eff224
SHA256: 6ccdf68389c578e9cac7656e7176259f5c7baa8faca69a91786249ea83ed0fc2
SHA512: 3864612c757f4d007c2abb05ad7b1848b7dd674a7c20106a581353a32e9c4b362942736fadaea1eb43a01bfc8b224f12b6969edf4955db71c687cfffc6c5e545
SSDEEP: 196608:LdgdKsWg3w2QsCYKXXvXqBH2ADg66+AFwxQ:wA2pCYYXSgUIBwxQ

Static task: static1
Behavioral task: behavioral1
  Sample: XC.exe
  Resource: win10v2004-20240412-en
Malware Config
Targets

Target: XC.exe (7.5MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 10/10

- Contains code to disable Windows Defender
  A .NET executable containing code to disable Windows Defender capabilities such as real-time monitoring and block at first seen (cloud-delivered protection).
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Anti-debugging: a thread marked with ThreadHideFromDebugger no longer delivers debug events to an attached debugger.
MITRE ATT&CK Matrix (ATT&CK v13)

The number after each entry is the count of signatures mapped to that technique.

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)
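The following is an added example, not part of the sandbox report or of the sample's code: a small Python matcher that maps Procmon registry operations to the behavioural signatures listed above (Defender policy writes, VirtualBox ACPI probe, BIOS lookup, country-code lookup, Run-key persistence) and tallies them per ATT&CK technique the way the matrix does. The CSV rows are constructed for illustration in Procmon's "Save as CSV" column layout and are not the actual trace of XC.exe; the process name, PID and dropped path are placeholders. The registry paths are the standard Defender policy, VirtualBox ACPI, BIOS description, Geo and Run-key locations, and the technique IDs are the ATT&CK assignments for those behaviours.

```python
"""Map Procmon registry operations to the behavioural signatures in this report.

Added example (not part of the sandbox report). The CSV rows below are
constructed, not a real trace of XC.exe.
"""
import csv
import io
import re
from collections import Counter

# (signature, ATT&CK technique, Procmon operations, path regex, detail regex or None)
RULES = [
    ("Disables Windows Defender real-time protection", "T1562.001 Disable or Modify Tools",
     {"RegSetValue"},
     r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$",
     r"Data: 1$"),                      # only a write of 1 actually disables the feature
    ("Writes Defender cloud/block-at-first-seen policy", "T1562.001 Disable or Modify Tools",
     {"RegSetValue"},
     r"\\Policies\\Microsoft\\Windows Defender\\Spynet\\(DisableBlockAtFirstSeen|SpynetReporting|SubmitSamplesConsent)$",
     None),                             # flag any write here; the value decides how much is lost
    ("Identifies VirtualBox via ACPI registry values", "T1497.001 System Checks",
     {"RegOpenKey", "RegQueryKey", "RegQueryValue"},
     r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", None),   # the probe matters even if NAME NOT FOUND
    ("Checks BIOS information in registry", "T1497.001 System Checks",
     {"RegQueryValue"},
     r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\(System|BaseBoard|BIOS)\w*$", None),
    ("Checks computer location settings (geofence)", "T1614 System Location Discovery",
     {"RegQueryValue"},
     r"\\Control Panel\\International\\Geo\\(Nation|Name)$", None),
    ("Adds Run key to start application", "T1547.001 Registry Run Keys / Startup Folder",
     {"RegSetValue"},
     r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", None),
]
COMPILED = [(sig, tech, ops, re.compile(path, re.I), re.compile(det) if det else None)
            for sig, tech, ops, path, det in RULES]


def classify(procmon_csv: str, process: str = ""):
    """Return (signature, technique, path) for every row that matches a rule.

    `process` optionally restricts matching to one Process Name, so that
    benign readers of the same keys (e.g. explorer.exe) are not counted.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if process and row["Process Name"].lower() != process.lower():
            continue
        for sig, tech, ops, path_re, det_re in COMPILED:
            if row["Operation"] not in ops or not path_re.search(row["Path"]):
                continue
            if det_re and not det_re.search(row["Detail"]):
                continue
            hits.append((sig, tech, row["Path"]))
    return hits


def technique_counts(hits):
    """Per-technique tally, the same shape as the ATT&CK matrix badges."""
    return Counter(tech for _, tech, _ in hits)


# Constructed sample in Procmon CSV layout (placeholder process, PID and paths).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","XC.exe","4120","RegOpenKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","NAME NOT FOUND","Desired Access: Read"
"10:01:02.0000002","XC.exe","4120","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer","SUCCESS","Type: REG_SZ, Length: 26, Data: innotek GmbH"
"10:01:02.0000003","XC.exe","4120","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"10:01:02.0000004","XC.exe","4120","RegSetValue","HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.0000005","XC.exe","4120","RegSetValue","HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.0000006","XC.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\XC","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Users\user\AppData\Roaming\XC.exe"
"10:01:02.0000007","XC.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 44, Data: Windows 10 Pro"
"10:01:03.0000001","explorer.exe","2408","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
'''

if __name__ == "__main__":
    found = classify(SAMPLE, "XC.exe")
    for sig, tech, path in found:
        print(f"[{tech}] {sig}: {path}")
    for tech, n in technique_counts(found).items():
        print(f"{tech}: {n}")
```

Sysmon does not record registry reads, so the ACPI, BIOS and Geo probes only show up in a Procmon trace or an API monitor; the Defender policy writes and the Run-key write are also visible as Sysmon Event ID 13 if you prefer to run the same rules over that log.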