Analysis
- max time kernel: 149s
- max time network: 54s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-06-2024 01:18
Behavioral tasks
- behavioral1: Sample A6J2824DG.exe, Resource win7-20240220-en
- behavioral2: Sample A6J2824DG.exe, Resource win10v2004-20240611-en
- behavioral3: Sample Product/Disable defender/dfControl.exe, Resource win7-20240508-en
- behavioral4: Sample Product/Disable defender/dfControl.exe, Resource win10v2004-20240508-en
- behavioral5: Sample Product/win11 fix.exe, Resource win7-20240611-en
General
- Target: Product/Disable defender/dfControl.exe
- Size: 445KB
- MD5: 10d8e4ca3fa2902859c77f41baee4dda
- SHA1: 2421ff6f2cfc1aa807eb5781b2980a6e493b31d0
- SHA256: 20c730c7033b5bdc0a6510825e90449ba8f87942d2d7f61fa1ba5f100e98c141
- SHA512: e89ecee14b949725878f14dbb0ef908f5741fd2d8298052d5522c84650ce0e6bdaac66278029b90f9da1acd0815abbdbd9f90ccf9b08966433723557d54e4aed
- SSDEEP: 12288:Jzcf7EanlQ0YZL8cf9eMUiwfEo7FnmGUGJ:Zcf7NELUhfEo7xmdGJ
Malware Config
Signatures
Processes:
resource                                                                      yara_rule
behavioral4/memory/232-0-0x0000000000400000-0x00000000004CD000-memory.dmp     upx
behavioral4/memory/4512-21-0x0000000000400000-0x00000000004CD000-memory.dmp   upx
behavioral4/memory/232-23-0x0000000000400000-0x00000000004CD000-memory.dmp    upx
behavioral4/memory/4512-44-0x0000000000400000-0x00000000004CD000-memory.dmp   upx
behavioral4/memory/2884-94-0x0000000000400000-0x00000000004CD000-memory.dmp   upx
behavioral4/memory/2884-95-0x0000000000400000-0x00000000004CD000-memory.dmp   upx
behavioral4/memory/2884-96-0x0000000000400000-0x00000000004CD000-memory.dmp   upx
behavioral4/memory/2884-97-0x0000000000400000-0x00000000004CD000-memory.dmp   upx
behavioral4/memory/2884-98-0x0000000000400000-0x00000000004CD000-memory.dmp   upx
behavioral4/memory/2884-99-0x0000000000400000-0x00000000004CD000-memory.dmp   upx
behavioral4/memory/2884-100-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral4/memory/2884-101-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral4/memory/2884-102-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral4/memory/2884-103-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral4/memory/2884-104-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral4/memory/2884-105-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral4/memory/2884-106-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
behavioral4/memory/2884-107-0x0000000000400000-0x00000000004CD000-memory.dmp  upx
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource                                                                      yara_rule
behavioral4/memory/232-23-0x0000000000400000-0x00000000004CD000-memory.dmp    autoit_exe
behavioral4/memory/4512-44-0x0000000000400000-0x00000000004CD000-memory.dmp   autoit_exe
behavioral4/memory/2884-94-0x0000000000400000-0x00000000004CD000-memory.dmp   autoit_exe
behavioral4/memory/2884-95-0x0000000000400000-0x00000000004CD000-memory.dmp   autoit_exe
behavioral4/memory/2884-96-0x0000000000400000-0x00000000004CD000-memory.dmp   autoit_exe
behavioral4/memory/2884-97-0x0000000000400000-0x00000000004CD000-memory.dmp   autoit_exe
behavioral4/memory/2884-98-0x0000000000400000-0x00000000004CD000-memory.dmp   autoit_exe
behavioral4/memory/2884-99-0x0000000000400000-0x00000000004CD000-memory.dmp   autoit_exe
behavioral4/memory/2884-100-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral4/memory/2884-101-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral4/memory/2884-102-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral4/memory/2884-103-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral4/memory/2884-104-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral4/memory/2884-105-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral4/memory/2884-106-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe
behavioral4/memory/2884-107-0x0000000000400000-0x00000000004CD000-memory.dmp  autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid   process
232   dfControl.exe
232   dfControl.exe
232   dfControl.exe
232   dfControl.exe
232   dfControl.exe
232   dfControl.exe
4512  dfControl.exe
4512  dfControl.exe
4512  dfControl.exe
4512  dfControl.exe
4512  dfControl.exe
4512  dfControl.exe
2884  dfControl.exe
2884  dfControl.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
2884  dfControl.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description                           pid   process
Token: SeDebugPrivilege               232   dfControl.exe
Token: SeAssignPrimaryTokenPrivilege  232   dfControl.exe
Token: SeIncreaseQuotaPrivilege       232   dfControl.exe
Token: 0                              232   dfControl.exe
Token: SeDebugPrivilege               4512  dfControl.exe
Token: SeAssignPrimaryTokenPrivilege  4512  dfControl.exe
Token: SeIncreaseQuotaPrivilege       4512  dfControl.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid   process
2884  dfControl.exe (the same pid/process entry is repeated for every one of the 64 IoCs)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid   process
2884  dfControl.exe (the same pid/process entry is repeated for every one of the 64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 232
  - C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4512
    - C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe" /TI
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2884
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: fff235c1d05bd5bd91d2a65f17191aa7
  SHA1: 9dc2e1f91fc143277f23711034a80134df94c075
  SHA256: 48b2eda4d139dc679f11cd56417cc9e14770cdd7db460868d70c3f1692192000
  SHA512: 65e86ff436b165952bff2aec5c2d17e895c458a0ca05e9010bc2c9cff6f001fa95bb9cefe2ea2a525a404f8b9841ae8176f70dc012416da2d729c86342431ee1
- Filesize: 15KB
  MD5: 93e42daecb6275f7fc49a8f5b12a7edf
  SHA1: 0b4b037fcd2997249197bafb53cfa3489321c320
  SHA256: 3dcc465363e157b36198a5f8649f57b0f5fa950287ea4959903e637a0cd8a79a
  SHA512: cde18c402ae8253ab1024f55ede24877198f6cec8016e5fdcb4dea09406f2d8db97e8065a9db1a97d5eab67c5b2dde296be109d415d37838c5cf2f066351f534
- Filesize: 12KB
  MD5: 7a8207b501b20a0ef6b7f631b40e3bdf
  SHA1: b36194c3346ad5ab0e6683ae9676d15bf47c8915
  SHA256: eac3ceafe46b52057b7f370e7290dd0905c50c2ce772b76e3fab3886fc6b3dd1
  SHA512: 11a92c47b2f1943f73ea48547a04c52e441ffc51cc61f2d8a6306d51e6daf08b5aaa23ddf11358056ed5971984344bb4bbbf6670acebc9103091972719429200
- Filesize: 7KB
  MD5: a0ab548853aafd090db3c6aae10f6b5e
  SHA1: f3d5a95d4fcc8f496d88c35522d2ca2285f5ff4a
  SHA256: 8faf739b926d56fb5125041c8bee45289c86127a10dfb68fb9df8d58360c3542
  SHA512: 9bbfc18283039191336752112fc638c7dae1f6a2f33f6c79bdd807e33c266abd4e92b90506ffea6286376a3571829309f8969af837bf0619fba863ba57c53753
- Filesize: 38KB
  MD5: 83a150055998174d5c89b2e9986df7f2
  SHA1: e0ac99307939ee444db125961c44293805cb979e
  SHA256: 3473b86565efb6e0126b0da8366ddd7b6447ef0a30dbe0676672485f38cf485b
  SHA512: fb163df3046affdca1695312be1f05062dec68e93be55e39d4112f03cfdea401ea72e204ad0a69557f4e070498e911b44daf3525220af8e0a0bb5049024345ee