Overview

overview

7

Static

static

7

一键关�...��.exe

windows7-x64

1

一键关�...��.exe

windows10-2004-x64

1

一键关�...��.exe

windows7-x64

7

一键关�...��.exe

windows10-2004-x64

7

DefenderCo...ol.exe

windows7-x64

7

DefenderCo...ol.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    96s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2024 19:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    一键关闭win杀毒软件的工具/关闭Windows Defender Service工具.exe

  • Size

    16.6MB

  • MD5

    4efeccf71d4d2d6c9a208f757ae1fb63

  • SHA1

    71ce8aee46c946d9907b8e4ac9e1698e820754f6

  • SHA256

    5605621ca26715623bcbae9ba1db1031f5b635395205a33db076a1b899e85eb5

  • SHA512

    cc12be200e5aa9340a09aac8b2c1367b69d117a3512cfa68fa78c58feb8d048526e33720f587cd0784850f18ef8ae510465a496c0d04b4fc1f3587f63f9692cf

  • SSDEEP

    393216:MCUwPwE8zHFqxfKsNps7FoPbnXLQfl9Mt2lro:MCU6784xys/5/Qfl9Mt2l0

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\一键关闭win杀毒软件的工具\关闭Windows Defender Service工具.exe
    "C:\Users\Admin\AppData\Local\Temp\一键关闭win杀毒软件的工具\关闭Windows Defender Service工具.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\LenovoQuickFix\QuickFixCloseOrOpenWin10DefenderAntivirusSoft\QuickFixCloseOrOpenWin10DefenderAntivirusSoft.exe
      "C:\LenovoQuickFix\QuickFixCloseOrOpenWin10DefenderAntivirusSoft\QuickFixCloseOrOpenWin10DefenderAntivirusSoft.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /C wmic csproduct list full
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic csproduct list full
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\LenovoQuickFix\QuickFixCloseOrOpenWin10DefenderAntivirusSoft\FeedbackUrl.xml
    Filesize

    560B

    MD5

    ce2dcda8b2ef6efe13d16b79263fe2f4

    SHA1

    ea0e074ccb0c49b38ba0333935e86948873b5099

    SHA256

    6f07a15d5eafd0420d78aa079fd83376120363f0342ff83acf84c5180da1cca3

    SHA512

    412e862786dcb508ee080f997f015bb0c10312962bfcfcda32ac2df7f1c5c7cfeec5c4f7f1c1ba4c20d338522de1f440e548b906fd8d495c814c07e24b583205

    Download Submit

  • C:\LenovoQuickFix\QuickFixCloseOrOpenWin10DefenderAntivirusSoft\LenovoFeedbackInformation.dll
    Filesize

    2.2MB

    MD5

    e6f3d837488599ebd8315de4f0456b54

    SHA1

    fae88fa103667ac36bce80d580d52b54082f9c48

    SHA256

    6764d79cd7fb3710cf1cdd2b446ecaab6c76f0864baa0ec99022f87b6ffef545

    SHA512

    8fddbd58b73f894559937b39105e1c295e516716a1ac9f1a1c397d5f66096b3cc93d4567d41769bd7c8af63c5421f8469ffecaa7e92bf8f701a2cb216e3b3565

    Download Submit

  • C:\LenovoQuickFix\QuickFixCloseOrOpenWin10DefenderAntivirusSoft\MSVCP100.dll
    Filesize

    411KB

    MD5

    03e9314004f504a14a61c3d364b62f66

    SHA1

    0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

    SHA256

    a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

    SHA512

    2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

    Download Submit

  • C:\LenovoQuickFix\QuickFixCloseOrOpenWin10DefenderAntivirusSoft\MSVCR100.dll
    Filesize

    752KB

    MD5

    67ec459e42d3081dd8fd34356f7cafc1

    SHA1

    1738050616169d5b17b5adac3ff0370b8c642734

    SHA256

    1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

    SHA512

    9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

    Download Submit

  • C:\LenovoQuickFix\QuickFixCloseOrOpenWin10DefenderAntivirusSoft\QuickFixCloseOrOpenWin10DefenderAntivirusSoft.exe
    Filesize

    2.8MB

    MD5

    7ee3ae2e7ac89792c68d3547847e7719

    SHA1

    546327ab433bd9fe199bbeb1f020d36fc5932fb2

    SHA256

    1e16e0211b5615089abd99db4794bd7caae4e135e00db5d474e0d6fa2d09647d

    SHA512

    612ce2e08a73041e82db91064274a388dff6459ff7ffb191fa5f22f528901ab6d720f1a6eb4d20df2b38831bcf03bbc83e952176260f74d4aff49b4619c694d6

    Download Submit

  • C:\LenovoQuickFix\QuickFixCloseOrOpenWin10DefenderAntivirusSoft\mfc100u.dll
    Filesize

    4.2MB

    MD5

    f841f32ad816dbf130f10d86fab99b1a

    SHA1

    0f8b90814b33275cf39f95e769927497da9460bf

    SHA256

    7a4cfbce1eb48d4f8988212c2e338d7781b9894ef0f525e871c22bb730a74f3e

    SHA512

    6222f16722a61ee6950b6fbcbe46c2b08e2394ce3dd32d34656faf2719e190e66b4e59617c83f117ad3793b1292a107f275087b037cf1b6e4d9819323748079a

    Download Submit