1dff50e5e24f1639842ed11500efc704d6c78ddf832c6975a145009bd45a6130

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

一键关闭win杀毒软件的工具/关闭Windows Defender Service工具.exe
Size

16.6MB
MD5

4efeccf71d4d2d6c9a208f757ae1fb63
SHA1

71ce8aee46c946d9907b8e4ac9e1698e820754f6
SHA256

5605621ca26715623bcbae9ba1db1031f5b635395205a33db076a1b899e85eb5
SHA512

cc12be200e5aa9340a09aac8b2c1367b69d117a3512cfa68fa78c58feb8d048526e33720f587cd0784850f18ef8ae510465a496c0d04b4fc1f3587f63f9692cf
SSDEEP

393216:MCUwPwE8zHFqxfKsNps7FoPbnXLQfl9Mt2lro:MCU6784xys/5/Qfl9Mt2l0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1960	QuickFixCloseOrOpenWin10DefenderAntivirusSoft.exe

Loads dropped DLL 1 IoCs

pid	Process
3060	关闭Windows Defender Service工具.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	关闭Windows Defender Service工具.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QuickFixCloseOrOpenWin10DefenderAntivirusSoft.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3060	关闭Windows Defender Service工具.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3060	关闭Windows Defender Service工具.exe
3060	关闭Windows Defender Service工具.exe
1960	QuickFixCloseOrOpenWin10DefenderAntivirusSoft.exe
1960	QuickFixCloseOrOpenWin10DefenderAntivirusSoft.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1960	3060	关闭Windows Defender Service工具.exe	30
PID 3060 wrote to memory of 1960	3060	关闭Windows Defender Service工具.exe	30
PID 3060 wrote to memory of 1960	3060	关闭Windows Defender Service工具.exe	30
PID 3060 wrote to memory of 1960	3060	关闭Windows Defender Service工具.exe	30

C:\Users\Admin\AppData\Local\Temp\一键关闭win杀毒软件的工具\关闭Windows Defender Service工具.exe
"C:\Users\Admin\AppData\Local\Temp\一键关闭win杀毒软件的工具\关闭Windows Defender Service工具.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- C:\LenovoQuickFix\QuickFixCloseOrOpenWin10DefenderAntivirusSoft\QuickFixCloseOrOpenWin10DefenderAntivirusSoft.exe
  "C:\LenovoQuickFix\QuickFixCloseOrOpenWin10DefenderAntivirusSoft\QuickFixCloseOrOpenWin10DefenderAntivirusSoft.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\LenovoQuickFix\QuickFixCloseOrOpenWin10DefenderAntivirusSoft\QuickFixCloseOrOpenWin10DefenderAntivirusSoft.exe

Filesize
2.8MB

MD5
7ee3ae2e7ac89792c68d3547847e7719

SHA1
546327ab433bd9fe199bbeb1f020d36fc5932fb2

SHA256
1e16e0211b5615089abd99db4794bd7caae4e135e00db5d474e0d6fa2d09647d

SHA512
612ce2e08a73041e82db91064274a388dff6459ff7ffb191fa5f22f528901ab6d720f1a6eb4d20df2b38831bcf03bbc83e952176260f74d4aff49b4619c694d6

Download Submit