XPonTweak[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XPonTweak.exe
Size

3.0MB
MD5

317e9fa68b8284b0a745cd245d711b1c
SHA1

e34c2d9a98a32fc6f8d184433c8ad04d79dc79d0
SHA256

5943d92613167ee35c155d5de805e2759fd317f4d0a35e81a1729efd5d6ad551
SHA512

03a9d72a272d02ce40e7eef3a175d2233bfce292c2b52a1bf137f3264bfea7d11e4e87492b043556aceb155954cf31981b6678f7227272fdffed693fe3d5a20f
SSDEEP

49152:mg2SyKATyJWbGrq0kQyXnwyEmtDbKY/mUYbVcWboMZJbpOZU4R/lS4p:mzSlYyJIGrvYXgYb/mUYbVNPxp0hzfp

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
sample	disable_win_def

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XPonTweak.exe

Files

XPonTweak.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.m~]
Size: - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.!=}
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.*21
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 91KB - Virtual size: 91KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ