37a22a8adb289aa01b0a682fdea97105ac4df1bf6744fef205f5024405c1db55

General

Target

xdwd.exe
Size

3.0MB
MD5

40887369c101155d2cb098a476c144a3
SHA1

7e5b376f1ed70c3fbfd34441a0c784b033191628
SHA256

37a22a8adb289aa01b0a682fdea97105ac4df1bf6744fef205f5024405c1db55
SHA512

a2870dcdc06f0523bd909760740b23392c5285f15b8bfc6738cc8ace46ff571f2db42cf4d3555fcdcd4902b07fd34bd3ed5cfc2802e7eec5ac82e07b258626df
SSDEEP

49152:tefEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmAX8rZz:teftODUKTslWp2MpbfGGilIJPypSbxEY

Score

10^/10

defense_evasion evasion persistence privilege_escalation trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/4072-24-0x000000001B800000-0x000000001B80A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	xdwd.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xdwd.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	xdwd.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xdwd.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	xdwd.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	xdwd.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xdwd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	xdwd.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	xdwd.exe
File opened for modification	C:\Windows\assembly	xdwd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2524	powershell.exe
2524	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4072	xdwd.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4072	xdwd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2856	4072	xdwd.exe	81
PID 4072 wrote to memory of 2856	4072	xdwd.exe	81
PID 2856 wrote to memory of 404	2856	csc.exe	83
PID 2856 wrote to memory of 404	2856	csc.exe	83
PID 4072 wrote to memory of 2524	4072	xdwd.exe	84
PID 4072 wrote to memory of 2524	4072	xdwd.exe	84

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xdwd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	xdwd.exe

C:\Users\Admin\AppData\Local\Temp\xdwd.exe
"C:\Users\Admin\AppData\Local\Temp\xdwd.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4072
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\osokeara.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78FA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC78F9.tmp"
    3⤵
    PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Hijack Execution Flow

1

T1574

Executable Installer File Permissions Weakness

1

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Hijack Execution Flow

1

T1574

Executable Installer File Permissions Weakness

1

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Hijack Execution Flow

1

T1574

Executable Installer File Permissions Weakness

1

T1574.005

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES78FA.tmp

Filesize
1KB

MD5
5fab98442ebf5aa7c08b10ca4508132b

SHA1
5d4a18ebb6eb6aaf36f97bc3b4f12ddb3c00e7d2

SHA256
1f49cb5d562563dd428a03a96ca15118a3f72a445f24bdd49095f0fc352fb73b

SHA512
87d630e5b98051cb64041442f387d638c3206701723ee169875a172f70895a382f356e3cb6087915fb289e920982694c66f61c7e327ef16f8609db6052356c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxgvcdqi.mqw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\osokeara.dll

Filesize
76KB

MD5
156f68b4185e76b0164eac4e55aa9fb2

SHA1
d09326a12290913763424f9c8961c931ad800766

SHA256
fcfc9f2e33bcd0ebb12b14751635d2e024fd15e1cd373ba2aa49175bbc0eb298

SHA512
f869555bb7de20b0e8e0da43d2323a9aa17ff47c9791e418a3500b6a30ffd5b556a9ca87b111dd082f2a91fdf6dcbc86685129943b1da33bd6b0c96d7d0e88c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC78F9.tmp

Filesize
676B

MD5
c1bc9b53be511705128afcb9e110f74f

SHA1
03a616becf2ed022929b84b97a2046334062f049

SHA256
ceda71e710036d551da9c81149227352b0f72aa2931f341676097916bb166d32

SHA512
7119642f8e458091ff870174f72a4657940b133d4268bedc385bd6c853a29bd594054626818c19776275e5babf9964e379d947a38b1d7cfc93b5106ca18b4d0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\osokeara.0.cs

Filesize
208KB

MD5
adca6ef5828dd3b42cb1b705e79e7c66

SHA1
a710e67a71dddbe51f09467803599be72ac7adba

SHA256
0b47c5d6b0e6b8b181fe969dab48a1348bc9d1ac27d44839701cb7404ab3a726

SHA512
a68c55e6dbe41f34fe8de5ef1bdb255aaf77cba18fb4d5cd377893746c3a3b131766eaf7cfc44e1935ecccb97cdf7e1e9ea522bc4a012a90d391ebf09578e27f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\osokeara.cmdline

Filesize
349B

MD5
634c00d5dfd5e3381520c815cc1e1315

SHA1
2057ce12230d276f0f01a34002851ef4d63cff44

SHA256
636dc0ee6daa6dba48af942a212e9bff67ee32074a8cc6635f0e266e613c61fd

SHA512
cc5e157e120ccd06e5a366d904bfe5f657da56ae55d9da7f84bf6a87374ca1ade3eedebb9b0719ff7e5de09b29834ee411cf3c894a3eb9984f64d9a7eaa3427a

Download Submit
memory/2524-29-0x00007FFB5FEB3000-0x00007FFB5FEB5000-memory.dmp

Filesize
8KB

Download
memory/2524-43-0x00007FFB5FEB0000-0x00007FFB60972000-memory.dmp

Filesize
10.8MB

Download
memory/2524-40-0x00007FFB5FEB0000-0x00007FFB60972000-memory.dmp

Filesize
10.8MB

Download
memory/2524-39-0x00007FFB5FEB0000-0x00007FFB60972000-memory.dmp

Filesize
10.8MB

Download
memory/2524-38-0x000001C8F1A40000-0x000001C8F1A62000-memory.dmp

Filesize
136KB

Download
memory/2856-15-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download
memory/2856-19-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download
memory/4072-2-0x000000001B6C0000-0x000000001B71C000-memory.dmp

Filesize
368KB

Download
memory/4072-1-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download
memory/4072-23-0x000000001B820000-0x000000001B832000-memory.dmp

Filesize
72KB

Download
memory/4072-24-0x000000001B800000-0x000000001B80A000-memory.dmp

Filesize
40KB

Download
memory/4072-25-0x000000001CB50000-0x000000001CB68000-memory.dmp

Filesize
96KB

Download
memory/4072-26-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/4072-21-0x000000001C630000-0x000000001C646000-memory.dmp

Filesize
88KB

Download
memory/4072-3-0x0000000000F80000-0x0000000000F8E000-memory.dmp

Filesize
56KB

Download
memory/4072-6-0x000000001C580000-0x000000001C61C000-memory.dmp

Filesize
624KB

Download
memory/4072-5-0x000000001C010000-0x000000001C4DE000-memory.dmp

Filesize
4.8MB

Download
memory/4072-4-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download
memory/4072-0-0x00007FFB62895000-0x00007FFB62896000-memory.dmp

Filesize
4KB

Download
memory/4072-44-0x000000001B7F0000-0x000000001B7F8000-memory.dmp

Filesize
32KB

Download
memory/4072-45-0x00007FFB62895000-0x00007FFB62896000-memory.dmp

Filesize
4KB

Download
memory/4072-46-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download
memory/4072-47-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads