Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 17-06-2024 01:18
Behavioral tasks
behavioral1: sample A6J2824DG.exe, resource win7-20240220-en
behavioral2: sample A6J2824DG.exe, resource win10v2004-20240611-en
behavioral3: sample Product/Disable defender/dfControl.exe, resource win7-20240508-en
behavioral4: sample Product/Disable defender/dfControl.exe, resource win10v2004-20240508-en
behavioral5: sample Product/win11 fix.exe, resource win7-20240611-en
General
Target: Product/Disable defender/dfControl.exe
Size: 445KB
MD5: 10d8e4ca3fa2902859c77f41baee4dda
SHA1: 2421ff6f2cfc1aa807eb5781b2980a6e493b31d0
SHA256: 20c730c7033b5bdc0a6510825e90449ba8f87942d2d7f61fa1ba5f100e98c141
SHA512: e89ecee14b949725878f14dbb0ef908f5741fd2d8298052d5522c84650ce0e6bdaac66278029b90f9da1acd0815abbdbd9f90ccf9b08966433723557d54e4aed
SSDEEP: 12288:Jzcf7EanlQ0YZL8cf9eMUiwfEo7FnmGUGJ:Zcf7NELUhfEo7xmdGJ
Malware Config
Signatures
Processes:
resource  yara_rule
behavioral3/memory/2548-0-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2548-22-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2612-41-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2612-45-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-46-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-96-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-108-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-109-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-110-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-111-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-112-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-113-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-114-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-115-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-116-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-117-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-118-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-119-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral3/memory/2500-120-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource  yara_rule
behavioral3/memory/2548-22-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2612-41-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2612-45-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-46-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-96-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-108-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-109-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-110-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-111-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-112-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-113-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-114-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-115-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-116-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-117-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-118-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-119-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral3/memory/2500-120-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
Drops file in Windows directory 1 IoCs
Processes: makecab.exe
description  ioc  process
File created  C:\Windows\Logs\CBS\CbsPersist_20240617011826.cab  makecab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: dfControl.exe, dfControl.exe, dfControl.exe
pid  process
2548  dfControl.exe
2548  dfControl.exe
2548  dfControl.exe
2612  dfControl.exe
2612  dfControl.exe
2612  dfControl.exe
2500  dfControl.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: dfControl.exe
pid  process
2500  dfControl.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: dfControl.exe, dfControl.exe
description  pid  process
Token: SeDebugPrivilege  2548  dfControl.exe
Token: SeAssignPrimaryTokenPrivilege  2548  dfControl.exe
Token: SeIncreaseQuotaPrivilege  2548  dfControl.exe
Token: 0  2548  dfControl.exe
Token: SeDebugPrivilege  2612  dfControl.exe
Token: SeAssignPrimaryTokenPrivilege  2612  dfControl.exe
Token: SeIncreaseQuotaPrivilege  2612  dfControl.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: dfControl.exe
pid  process
2500  dfControl.exe  (64 identical rows)
Suspicious use of SendNotifyMessage 64 IoCs
Processes: dfControl.exe
pid  process
2500  dfControl.exe  (64 identical rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   PID: 2548
   2. C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2612
      3. C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe" /TI
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         PID: 2500

1. C:\Windows\system32\makecab.exe
   Command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240617011826.log C:\Windows\Logs\CBS\CbsPersist_20240617011826.cab
   - Drops file in Windows directory
   PID: 2488
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 59b35cd913ed1888c71616c541c150cb
SHA1: c709835c96c69e42ab9d592c6e447bf4d6688783
SHA256: 18a6c46004844e40b692a8454d66a8f7615927b15be432c0de21ad622d0c7abc
SHA512: cd4e068c3d6bc9abdd2f77176fc47bc986bcb67e3d82b17ea60f82403995e75fb6a9da0d2e2f1eac81017189ffb92fd0f8ab49e71b6dee34b9cb6a777835196b

Filesize: 15KB
MD5: 93e42daecb6275f7fc49a8f5b12a7edf
SHA1: 0b4b037fcd2997249197bafb53cfa3489321c320
SHA256: 3dcc465363e157b36198a5f8649f57b0f5fa950287ea4959903e637a0cd8a79a
SHA512: cde18c402ae8253ab1024f55ede24877198f6cec8016e5fdcb4dea09406f2d8db97e8065a9db1a97d5eab67c5b2dde296be109d415d37838c5cf2f066351f534

Filesize: 12KB
MD5: 7a8207b501b20a0ef6b7f631b40e3bdf
SHA1: b36194c3346ad5ab0e6683ae9676d15bf47c8915
SHA256: eac3ceafe46b52057b7f370e7290dd0905c50c2ce772b76e3fab3886fc6b3dd1
SHA512: 11a92c47b2f1943f73ea48547a04c52e441ffc51cc61f2d8a6306d51e6daf08b5aaa23ddf11358056ed5971984344bb4bbbf6670acebc9103091972719429200

Filesize: 7KB
MD5: a0ab548853aafd090db3c6aae10f6b5e
SHA1: f3d5a95d4fcc8f496d88c35522d2ca2285f5ff4a
SHA256: 8faf739b926d56fb5125041c8bee45289c86127a10dfb68fb9df8d58360c3542
SHA512: 9bbfc18283039191336752112fc638c7dae1f6a2f33f6c79bdd807e33c266abd4e92b90506ffea6286376a3571829309f8969af837bf0619fba863ba57c53753

Filesize: 38KB
MD5: 83a150055998174d5c89b2e9986df7f2
SHA1: e0ac99307939ee444db125961c44293805cb979e
SHA256: 3473b86565efb6e0126b0da8366ddd7b6447ef0a30dbe0676672485f38cf485b
SHA512: fb163df3046affdca1695312be1f05062dec68e93be55e39d4112f03cfdea401ea72e204ad0a69557f4e070498e911b44daf3525220af8e0a0bb5049024345ee