Analysis

  • max time kernel
    149s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-06-2024 01:18

General

  • Target

    Product/Disable defender/dfControl.exe

  • Size

    445KB

  • MD5

    10d8e4ca3fa2902859c77f41baee4dda

  • SHA1

    2421ff6f2cfc1aa807eb5781b2980a6e493b31d0

  • SHA256

    20c730c7033b5bdc0a6510825e90449ba8f87942d2d7f61fa1ba5f100e98c141

  • SHA512

    e89ecee14b949725878f14dbb0ef908f5741fd2d8298052d5522c84650ce0e6bdaac66278029b90f9da1acd0815abbdbd9f90ccf9b08966433723557d54e4aed

  • SSDEEP

    12288:Jzcf7EanlQ0YZL8cf9eMUiwfEo7FnmGUGJ:Zcf7NELUhfEo7xmdGJ

Score

  • 7/10
  • Tags: upx

Malware Config

Signatures

  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 16 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe (PID 232, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe"
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe (PID 4512, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe"
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe (PID 2884, depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe" /TI
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.ini

    Filesize

    2KB

    MD5

    fff235c1d05bd5bd91d2a65f17191aa7

    SHA1

    9dc2e1f91fc143277f23711034a80134df94c075

    SHA256

    48b2eda4d139dc679f11cd56417cc9e14770cdd7db460868d70c3f1692192000

    SHA512

    65e86ff436b165952bff2aec5c2d17e895c458a0ca05e9010bc2c9cff6f001fa95bb9cefe2ea2a525a404f8b9841ae8176f70dc012416da2d729c86342431ee1

  • C:\Windows\Temp\aut54B7.tmp

    Filesize

    15KB

    MD5

    93e42daecb6275f7fc49a8f5b12a7edf

    SHA1

    0b4b037fcd2997249197bafb53cfa3489321c320

    SHA256

    3dcc465363e157b36198a5f8649f57b0f5fa950287ea4959903e637a0cd8a79a

    SHA512

    cde18c402ae8253ab1024f55ede24877198f6cec8016e5fdcb4dea09406f2d8db97e8065a9db1a97d5eab67c5b2dde296be109d415d37838c5cf2f066351f534

  • C:\Windows\Temp\aut54B8.tmp

    Filesize

    12KB

    MD5

    7a8207b501b20a0ef6b7f631b40e3bdf

    SHA1

    b36194c3346ad5ab0e6683ae9676d15bf47c8915

    SHA256

    eac3ceafe46b52057b7f370e7290dd0905c50c2ce772b76e3fab3886fc6b3dd1

    SHA512

    11a92c47b2f1943f73ea48547a04c52e441ffc51cc61f2d8a6306d51e6daf08b5aaa23ddf11358056ed5971984344bb4bbbf6670acebc9103091972719429200

  • C:\Windows\Temp\aut54B9.tmp

    Filesize

    7KB

    MD5

    a0ab548853aafd090db3c6aae10f6b5e

    SHA1

    f3d5a95d4fcc8f496d88c35522d2ca2285f5ff4a

    SHA256

    8faf739b926d56fb5125041c8bee45289c86127a10dfb68fb9df8d58360c3542

    SHA512

    9bbfc18283039191336752112fc638c7dae1f6a2f33f6c79bdd807e33c266abd4e92b90506ffea6286376a3571829309f8969af837bf0619fba863ba57c53753

  • C:\Windows\Temp\oetgjpsq.tmp

    Filesize

    38KB

    MD5

    83a150055998174d5c89b2e9986df7f2

    SHA1

    e0ac99307939ee444db125961c44293805cb979e

    SHA256

    3473b86565efb6e0126b0da8366ddd7b6447ef0a30dbe0676672485f38cf485b

    SHA512

    fb163df3046affdca1695312be1f05062dec68e93be55e39d4112f03cfdea401ea72e204ad0a69557f4e070498e911b44daf3525220af8e0a0bb5049024345ee

  • memory/232-0-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/232-23-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-95-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-99-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-94-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-107-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-96-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-97-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-98-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-106-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-100-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-101-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-102-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-103-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-104-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2884-105-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/4512-44-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/4512-21-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB