c837e405159f1dbba789741991eed2be7ef8d49e130a6c908a04e51d7df85e8d

Resubmissions

06-07-2024 14:49

240706-r6zcqa1flm 10

06-07-2024 12:23

240706-pklhmaybkr 10

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Defender - Disable.reg
Size

2KB
MD5

8f7f24568ff5c6bf0b22045c3c2c390f
SHA1

19c8951ab9293b5bbb19054853c4d94804672e1f
SHA256

c837e405159f1dbba789741991eed2be7ef8d49e130a6c908a04e51d7df85e8d
SHA512

ea2fdb097a439345ae48358a61121c92cc393b8ccca6cd6cb559fa385553ca5696698475f3e2726bd105c0a9cda0e147be121ad60624ce925f8917889a158d70

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
668	regedit.exe

C:\Windows\regedit.exe
regedit.exe "C:\Users\Admin\AppData\Local\Temp\Windows Defender - Disable.reg"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Runs .reg file with regedit
PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-0-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads