Analysis
- max time kernel: 293s
- max time network: 297s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 26/10/2024, 23:08
Behavioral task behavioral1
- Sample: xdwd.exe
- Resource: win10ltsc2021-20241023-en
Behavioral task behavioral2
- Sample: xdwd.exe
- Resource: win11-20241007-en
General
- Target: xdwd.exe
- Size: 3.0MB
- MD5: 40887369c101155d2cb098a476c144a3
- SHA1: 7e5b376f1ed70c3fbfd34441a0c784b033191628
- SHA256: 37a22a8adb289aa01b0a682fdea97105ac4df1bf6744fef205f5024405c1db55
- SHA512: a2870dcdc06f0523bd909760740b23392c5285f15b8bfc6738cc8ace46ff571f2db42cf4d3555fcdcd4902b07fd34bd3ed5cfc2802e7eec5ac82e07b258626df
- SSDEEP: 49152:tefEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmAX8rZz:teftODUKTslWp2MpbfGGilIJPypSbxEY
Malware Config
Signatures
- Contains code to disable Windows Defender (1 IoC)
  A .NET executable that disables Windows Defender capabilities such as real-time monitoring, block at first sight, etc.
  resource | yara_rule
  behavioral2/memory/4072-24-0x000000001B800000-0x000000001B80A000-memory.dmp | disable_win_def
- Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | xdwd.exe
- UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xdwd.exe
- Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | xdwd.exe
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | xdwd.exe
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | xdwd.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | xdwd.exe
- Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 1 IoC)
  Possibly turns off User Account Control's privilege elevation for standard users.
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | xdwd.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | xdwd.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | xdwd.exe
  File opened for modification | C:\Windows\assembly | xdwd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2524 | powershell.exe
  2524 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2524 | powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4072 | xdwd.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid | Process
  4072 | xdwd.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4072 wrote to memory of 2856 | 4072 | xdwd.exe | 81
  PID 4072 wrote to memory of 2856 | 4072 | xdwd.exe | 81
  PID 2856 wrote to memory of 404 | 2856 | csc.exe | 83
  PID 2856 wrote to memory of 404 | 2856 | csc.exe | 83
  PID 4072 wrote to memory of 2524 | 4072 | xdwd.exe | 84
  PID 4072 wrote to memory of 2524 | 4072 | xdwd.exe | 84
- System policy modification (1 TTP, 7 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | xdwd.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | xdwd.exe
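The registry rows in the signature tables above read together: the following is an added example in Python, not tria.ge's code. It parses the "Set value (int)" rows exactly as this page prints them, maps each write to the protection it weakens, and draws the one conclusion the individual rows do not state: EnableLUA stays "1", so UAC remains switched on, while ConsentPromptBehaviorAdmin = "0" and PromptOnSecureDesktop = "0" remove the consent dialog for administrators. The policy meanings follow Microsoft's documented UAC and Defender settings; the RegSet record layout, the WEAKENING table and the combined "silent elevation" rule are this example's own assumptions. The rows embedded in REPORT_ROWS are copied from this report.

```python
"""Assess the Windows Defender / UAC registry writes listed in this report.

Added example, not tria.ge code. Parses the report's 'Set value (int)' rows,
scores each against a table of known protection-weakening values, and checks
the combination that leaves UAC enabled but silent for administrators.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegSet:
    key: str       # registry key in sandbox notation (\REGISTRY\MACHINE\...)
    value: str     # value name
    data: int      # integer written
    process: str   # process that performed the write


RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
UAC = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# (key, value) -> (data that weakens the protection, what the write does).
# EnableVirtualization, FilterAdministratorToken and EnableUIADesktopToggle are
# deliberately not scored: 0 is either their default or a compatibility setting,
# not a protection bypass.
WEAKENING = {
    (RTP, "DisableBehaviorMonitoring"):   (1, "Defender behaviour monitoring off"),
    (RTP, "DisableOnAccessProtection"):   (1, "Defender on-access scanning off"),
    (RTP, "DisableScanOnRealtimeEnable"): (1, "no scan of running processes when real-time protection is re-enabled"),
    (RTP, "DisableRealtimeMonitoring"):   (1, "Defender real-time monitoring off"),
    (FEATURES, "TamperProtection"):       (0, "Tamper Protection flag cleared"),
    (UAC, "EnableLUA"):                   (0, "UAC disabled outright"),
    (UAC, "ConsentPromptBehaviorAdmin"):  (0, "administrators elevate without any prompt"),
    (UAC, "PromptOnSecureDesktop"):       (0, "elevation prompts no longer shown on the secure desktop"),
    (UAC, "EnableInstallerDetection"):    (0, "installer-detection heuristic (elevation prompt for setup-style binaries) off"),
    (UAC, "EnableSecureUIAPaths"):        (0, "UIAccess applications may run from non-secure locations"),
}


def parse_ioc(row: str) -> RegSet:
    """Parse one row in this report's format:
    Set value (int) <key>\\<value> = "<n>" <process>
    """
    prefix = "Set value (int) "
    if not row.startswith(prefix):
        raise ValueError(f"not a Set value (int) row: {row!r}")
    path, sep1, tail = row[len(prefix):].partition(' = "')
    data, sep2, process = tail.partition('" ')
    if not (sep1 and sep2):
        raise ValueError(f"malformed row: {row!r}")
    key, _, value = path.rpartition("\\")
    return RegSet(key, value, int(data), process.strip())


def assess(events):
    """Return the weakened protections and whether UAC ends up 'on but silent'."""
    final = {}      # last data written per (key, value); later writes win
    weakened = []
    for e in events:
        final[(e.key, e.value)] = e.data
        spec = WEAKENING.get((e.key, e.value))
        if spec and e.data == spec[0]:
            weakened.append(f"{e.process}: {e.value}={e.data} -> {spec[1]}")
    # EnableLUA=1 is not a weakening on its own, which is exactly why a check
    # that reads only that value would call this host healthy.
    silent = (final.get((UAC, "EnableLUA")) == 1
              and final.get((UAC, "ConsentPromptBehaviorAdmin")) == 0
              and final.get((UAC, "PromptOnSecureDesktop")) == 0)
    return {"weakened": weakened, "silent_admin_elevation": silent}


# Rows copied from the signature tables of this report.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" xdwd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" xdwd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" xdwd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" xdwd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xdwd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xdwd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" xdwd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" xdwd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" xdwd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" xdwd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" xdwd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xdwd.exe',
]

if __name__ == "__main__":
    verdict = assess([parse_ioc(r) for r in REPORT_ROWS])
    for line in verdict["weakened"]:
        print(line)
    if verdict["silent_admin_elevation"]:
        print("UAC enabled (EnableLUA=1) but administrators elevate silently")
```

Two caveats when reading the result. The TamperProtection row records a write attempt in the sandbox; on a host where Tamper Protection is enforced, Defender is designed to refuse that change, so the row shows intent rather than guaranteed effect. And the three Real-Time Protection values live under the Policies hive, so on a managed host they will be overwritten at the next policy refresh, which is why the sample also queries Get-MpPreference to see what actually took.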
Processes
- C:\Users\Admin\AppData\Local\Temp\xdwd.exe (PID 4072)
  command line: "C:\Users\Admin\AppData\Local\Temp\xdwd.exe"
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 2856)
    command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\osokeara.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 404)
      command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78FA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC78F9.tmp"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2524)
    command line: "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
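The process tree above turned into a detection: the following is an added example in Python, not tria.ge's code. It reconstructs the parent/child chain from records built out of this page's Processes section (the Proc layout with pid, ppid, image and command line is an assumption, not a sandbox export format), flags csc.exe launched through a response file by anything other than a build tool (the shape .NET's CodeDOM CSharpCodeProvider produces when a program compiles C# at run time; cvtres.exe under csc.exe is the compiler's own resource converter and is not reported), flags the Get-MpPreference query, and correlates both when they hang off the same root process. The BUILD_PARENTS allow-list and the severity scheme are this example's own choices.

```python
"""Detect runtime C# compilation and Defender enumeration from a process tree.

Added example, not tria.ge code. Records below are constructed from the
Processes section of this report.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for the root of the captured tree
    image: str
    cmdline: str


# Parents for which csc.exe is expected: build tools and the compiler server.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# User-writable locations; a parent living here is the strongest signal that the
# compile is not a developer's build.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\", re.I)
# csc.exe driven by a .cmdline response file with /noconfig: the invocation
# CodeDOM's CSharpCodeProvider.CompileAssemblyFromSource produces.
CODEDOM_CSC = re.compile(r'/noconfig\b.*@"?[^"]*\.cmdline"?', re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def root_of(tree: dict, pid: int) -> Proc:
    """Walk up ppid links to the top-most process we have a record for."""
    p = tree[pid]
    while p.ppid is not None and p.ppid in tree:
        p = tree[p.ppid]
    return p


def analyse(procs):
    """Return a list of findings ({rule, pid, parent, severity}) for the tree."""
    tree = {p.pid: p for p in procs}
    findings = []
    compile_roots, mp_roots = set(), set()
    for p in procs:
        name = image_name(p.image)
        parent = tree.get(p.ppid) if p.ppid is not None else None
        pname = image_name(parent.image) if parent else ""
        if name == "csc.exe" and CODEDOM_CSC.search(p.cmdline) and pname not in BUILD_PARENTS:
            sev = "high" if parent and USER_WRITABLE.search(parent.image) else "medium"
            findings.append({"rule": "runtime_csharp_compile", "pid": p.pid,
                             "parent": pname, "severity": sev})
            compile_roots.add(root_of(tree, p.pid).pid)
        # cvtres.exe spawned by csc.exe is the compiler converting .res to COFF:
        # expected, so it is deliberately not a finding of its own.
        if name == "powershell.exe" and re.search(r"get-mppreference", p.cmdline, re.I):
            findings.append({"rule": "defender_config_query", "pid": p.pid,
                             "parent": pname, "severity": "low"})
            mp_roots.add(root_of(tree, p.pid).pid)
    # One root that both compiles code at run time and reads Defender's state is
    # the combination this report shows; score it above either part alone.
    for r in sorted(compile_roots & mp_roots):
        findings.append({"rule": "compile_then_defender_query", "pid": r,
                         "parent": "", "severity": "high"})
    return findings


# Constructed from the Processes section of this report.
REPORT_PROCS = [
    Proc(4072, None, r"C:\Users\Admin\AppData\Local\Temp\xdwd.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\xdwd.exe"'),
    Proc(2856, 4072, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\osokeara.cmdline"'),
    Proc(404, 2856, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe",
         r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78FA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC78F9.tmp"'),
    Proc(2524, 4072, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'"powershell" Get-MpPreference -verbose'),
]

if __name__ == "__main__":
    for f in analyse(REPORT_PROCS):
        print(f)
```

Tune the parent handling before deploying this: PowerShell's Add-Type produces the same powershell.exe to csc.exe chain on developer and admin machines, so the severity should come from where the parent runs and what else it does, not from the compile alone. Note also that the WriteProcessMemory rows in the signatures show each parent writing only to the child it had just created (4072 to 2856 and 2524, 2856 to 404), which also happens during normal process start-up, so those rows by themselves do not establish injection into a foreign process.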
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Downloads
- Filesize: 1KB
  MD5: 5fab98442ebf5aa7c08b10ca4508132b
  SHA1: 5d4a18ebb6eb6aaf36f97bc3b4f12ddb3c00e7d2
  SHA256: 1f49cb5d562563dd428a03a96ca15118a3f72a445f24bdd49095f0fc352fb73b
  SHA512: 87d630e5b98051cb64041442f387d638c3206701723ee169875a172f70895a382f356e3cb6087915fb289e920982694c66f61c7e327ef16f8609db6052356c1b
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 76KB
  MD5: 156f68b4185e76b0164eac4e55aa9fb2
  SHA1: d09326a12290913763424f9c8961c931ad800766
  SHA256: fcfc9f2e33bcd0ebb12b14751635d2e024fd15e1cd373ba2aa49175bbc0eb298
  SHA512: f869555bb7de20b0e8e0da43d2323a9aa17ff47c9791e418a3500b6a30ffd5b556a9ca87b111dd082f2a91fdf6dcbc86685129943b1da33bd6b0c96d7d0e88c4
- Filesize: 676B
  MD5: c1bc9b53be511705128afcb9e110f74f
  SHA1: 03a616becf2ed022929b84b97a2046334062f049
  SHA256: ceda71e710036d551da9c81149227352b0f72aa2931f341676097916bb166d32
  SHA512: 7119642f8e458091ff870174f72a4657940b133d4268bedc385bd6c853a29bd594054626818c19776275e5babf9964e379d947a38b1d7cfc93b5106ca18b4d0c
- Filesize: 208KB
  MD5: adca6ef5828dd3b42cb1b705e79e7c66
  SHA1: a710e67a71dddbe51f09467803599be72ac7adba
  SHA256: 0b47c5d6b0e6b8b181fe969dab48a1348bc9d1ac27d44839701cb7404ab3a726
  SHA512: a68c55e6dbe41f34fe8de5ef1bdb255aaf77cba18fb4d5cd377893746c3a3b131766eaf7cfc44e1935ecccb97cdf7e1e9ea522bc4a012a90d391ebf09578e27f
- Filesize: 349B
  MD5: 634c00d5dfd5e3381520c815cc1e1315
  SHA1: 2057ce12230d276f0f01a34002851ef4d63cff44
  SHA256: 636dc0ee6daa6dba48af942a212e9bff67ee32074a8cc6635f0e266e613c61fd
  SHA512: cc5e157e120ccd06e5a366d904bfe5f657da56ae55d9da7f84bf6a87374ca1ade3eedebb9b0719ff7e5de09b29834ee411cf3c894a3eb9984f64d9a7eaa3427a