1252c59f28ed87f9236af0b045978c17351faf34649e639b1dc8fdfdd5ccc0ae

Analysis

max time kernel
421s
max time network
422s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DefenderRemover.exe
Size

823KB
MD5

879e3d30cc1392370ab0eec1601aa1b6
SHA1

c85e5eb120d860b0a67e3f091d5e7c29a7643bfd
SHA256

704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca
SHA512

71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44
SSDEEP

12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DefenderRemover.execmd.exechoice.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DefenderRemover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

DefenderRemover.execmd.exe

description	pid	process	target process
PID 4544 wrote to memory of 2136	4544	DefenderRemover.exe	cmd.exe
PID 4544 wrote to memory of 2136	4544	DefenderRemover.exe	cmd.exe
PID 4544 wrote to memory of 2136	4544	DefenderRemover.exe	cmd.exe
PID 2136 wrote to memory of 3056	2136	cmd.exe	choice.exe
PID 2136 wrote to memory of 3056	2136	cmd.exe	choice.exe
PID 2136 wrote to memory of 3056	2136	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\DefenderRemover.exe
"C:\Users\Admin\AppData\Local\Temp\DefenderRemover.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\Script_Run.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\choice.exe
    choice /C:yas /N
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSA4BC.tmp\Script_Run.bat

Filesize
9KB

MD5
f5f2b8421012d9ce3dec75b23d6d3dac

SHA1
62bb1f88eb6207caa946eb101d8e5c5a2c56df7f

SHA256
ada4a79590a11e83cc9c99266fdebe23e5cbfe15aee08cc260668a9956fa21d2

SHA512
d6ad16a7b69637a49464e1556631f853b85bb12548613c29247c9cf832c1cd0b77d0f2e3ef60cb84e378a3f1cb29870e110b9dbf1b8d4426ea665b14d8ef592d

Download Submit