Analysis
- max time kernel: 418s
- max time network: 422s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2024 15:41
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: Luxury Crypter 18.0.0.7z, win7-20241010-en
- behavioral2: Luxury Crypter 18.0.0.7z, win10v2004-20241007-en
- behavioral3: Installation Guide/DefenderRemover.exe, win7-20241010-en
- behavioral4: Installation Guide/DefenderRemover.exe, win10v2004-20241007-en
- behavioral5: Installation Guide/DefenderRemover.zip, win7-20241010-en
- behavioral6: Installation Guide/DefenderRemover.zip, win10v2004-20241007-en
- behavioral7: DefenderRemover.exe, win7-20241010-en
- behavioral8: DefenderRemover.exe, win10v2004-20241007-en
- behavioral9: Installation Guide/README.md, win7-20241010-en
- behavioral10: Installation Guide/README.md, win10v2004-20241007-en
- behavioral11: Luxury Crypter 18.0.0/Dynamitey.dll, win7-20241010-en
- behavioral12: Luxury Crypter 18.0.0/Dynamitey.dll, win10v2004-20241007-en
- behavioral13: Luxury Crypter 18.0.0/FontsInstaller.dll, win7-20241010-en
- behavioral14: Luxury Crypter 18.0.0/FontsInstaller.dll, win10v2004-20241007-en
- behavioral15: Luxury Crypter 18.0.0/Guna.UI2.dll, win7-20241010-en
- behavioral16: Luxury Crypter 18.0.0/Guna.UI2.dll, win10v2004-20241007-en
- behavioral17: Luxury Crypter 18.0.0/ILMerge.exe, win7-20241010-en
- behavioral18: Luxury Crypter 18.0.0/ILMerge.exe, win10v2004-20241007-en
- behavioral19: Luxury Crypter 18.0.0/Luxury Crypter.exe, win7-20241010-en
- behavioral20: Luxury Crypter 18.0.0/Luxury Crypter.exe, win10v2004-20241007-en
- behavioral21: 安装指南/DefenderRemover.exe, win7-20241010-en
- behavioral22: 安装指南/DefenderRemover.exe, win10v2004-20241007-en
- behavioral23: 安装指南/DefenderRemover.zip, win7-20241010-en
- behavioral24: 安装指南/DefenderRemover.zip, win10v2004-20241007-en
- behavioral25: DefenderRemover.exe, win7-20241010-en
- behavioral26: DefenderRemover.exe, win10v2004-20241007-en
- behavioral27: 安装指南/README.md, win7-20241010-en
- behavioral28: 安装指南/README.md, win10v2004-20241007-en
General
- Target: DefenderRemover.exe
- Size: 823KB
- MD5: 879e3d30cc1392370ab0eec1601aa1b6
- SHA1: c85e5eb120d860b0a67e3f091d5e7c29a7643bfd
- SHA256: 704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca
- SHA512: 71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44
- SSDEEP: 12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: choice.exe, DefenderRemover.exe, cmd.exe
  IoCs (description, ioc, process):
  - Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, choice.exe
  - Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, DefenderRemover.exe
  - Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, cmd.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: DefenderRemover.exe, cmd.exe
  IoCs (description, pid, process, target process):
  - PID 3356 wrote to memory of 2184, 3356, DefenderRemover.exe, cmd.exe
  - PID 3356 wrote to memory of 2184, 3356, DefenderRemover.exe, cmd.exe
  - PID 3356 wrote to memory of 2184, 3356, DefenderRemover.exe, cmd.exe
  - PID 2184 wrote to memory of 1844, 2184, cmd.exe, choice.exe
  - PID 2184 wrote to memory of 1844, 2184, cmd.exe, choice.exe
  - PID 2184 wrote to memory of 1844, 2184, cmd.exe, choice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DefenderRemover.exe (depth 1, PID 3356)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DefenderRemover.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2184)
    Command line: C:\Windows\system32\cmd.exe /c .\Script_Run.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe (depth 3, PID 1844)
      Command line: choice /C:yas /N
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: f5f2b8421012d9ce3dec75b23d6d3dac
  SHA1: 62bb1f88eb6207caa946eb101d8e5c5a2c56df7f
  SHA256: ada4a79590a11e83cc9c99266fdebe23e5cbfe15aee08cc260668a9956fa21d2
  SHA512: d6ad16a7b69637a49464e1556631f853b85bb12548613c29247c9cf832c1cd0b77d0f2e3ef60cb84e378a3f1cb29870e110b9dbf1b8d4426ea665b14d8ef592d