675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f

Resubmissions

26-10-2024 23:19

241026-3a1rfsxrgm 10

26-10-2024 23:18

241026-3absbs1fnl 10

26-10-2024 23:16

241026-29dkjaymaw 10

Analysis

max time kernel
91s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-10-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

3.0MB
MD5

7b3150ddd3df859f8f6f36cb041b23f7
SHA1

c3934ab76025c17cab3d309a96c1e32df9ad9d65
SHA256

675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
SHA512

a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214
SSDEEP

49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral3/memory/4744-24-0x000000001BF20000-0x000000001BF2A000-memory.dmp	disable_win_def

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3160	4744	test.exe	81
PID 4744 wrote to memory of 3160	4744	test.exe	81
PID 3160 wrote to memory of 3684	3160	csc.exe	83
PID 3160 wrote to memory of 3684	3160	csc.exe	83

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pwsglgw_.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6FD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB6FC.tmp"
    3⤵
    PID:3684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB6FD.tmp

Filesize
1KB

MD5
6b663bdc85570fe51fbcea14c40feb2f

SHA1
b74b6331e4e30a9cfe469b5ac6bdb314069d33fa

SHA256
033294f3af057072a8558ba2ecf0857a1324c7b1da147d4cbea99f2544f5780d

SHA512
d06d16c341c6281089d378a5d9b2da538eb2bf3adcd50d8e2a33a0742de13c62b628c4efc4f0c425bee0092701e920b57847a5473c30fabc48b4c69c5dcf8a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwsglgw_.dll

Filesize
76KB

MD5
5bd8d7d1abb732fb15027222b9e7b31a

SHA1
11f86fbee5535c00d3415839ae0a50df1e1edf0a

SHA256
5d4e2abb7c1d5db3b534bdff8a18e4c75f021bd7ab34c527d3d281428b7400cc

SHA512
ccfa58976276853c625334e1cd2d6acb5a95a9f69999b2a16c6900262eb3d3bd69d54ea2275ab94466258fbec3d7ba03eea134c5761b82a05846a077d7a07a52

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB6FC.tmp

Filesize
676B

MD5
f030e661ed8f2697357a3dac5dc7a6a2

SHA1
c2d7c3a39b96a35c603ac04df928f53f76ddb9fc

SHA256
fff6a0e4f757431ced4ce8281fb16c117081944dac7a9eaa8ebd98a4e417cf32

SHA512
454b62d5c09a6bf20ccd9d48021b73e968a5ff722471f715b013de10970410bc59f278253fdf74f0c61efac64a162f45af1c4769a45d9180407d6e27175fa007

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pwsglgw_.0.cs

Filesize
208KB

MD5
8d317371b27b7520068751b79345b400

SHA1
d8b933fe270bffd1982f88c0bca387ec5c0084d4

SHA256
5844af8df5f1db6e3833675dfd8757dc6f6682bb88f9ba1359578ebe1024d0dd

SHA512
e1bfc457484b29860be56b5cd6aab92547c8b23893d4e50cb8772a102a5b81ac961ec908d92585137cce97ee6ebc60548d8e2fee920acd3f40367621546b0962

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pwsglgw_.cmdline

Filesize
349B

MD5
edb44a7250cf141628669cd718a31b1e

SHA1
7e86ee07a08f93bebaca87f78c6046e47d3a2704

SHA256
072c5b7eb3e55abc2af2a320cf453d8f86f3c96d41f339fe83e864a68986f988

SHA512
4206507db06be9646dc44a477648343fc4ad37dae210e66279c27fbea49feb1924ad4cadbe884d590aafc4df6bc50f08c540ca6455da54a6782036fa5fbb749f

Download Submit
memory/3160-19-0x00007FF9E0990000-0x00007FF9E1331000-memory.dmp

Filesize
9.6MB

Download
memory/3160-15-0x00007FF9E0990000-0x00007FF9E1331000-memory.dmp

Filesize
9.6MB

Download
memory/4744-5-0x000000001CD60000-0x000000001CDFC000-memory.dmp

Filesize
624KB

Download
memory/4744-6-0x00007FF9E0990000-0x00007FF9E1331000-memory.dmp

Filesize
9.6MB

Download
memory/4744-0-0x00007FF9E0C45000-0x00007FF9E0C46000-memory.dmp

Filesize
4KB

Download
memory/4744-4-0x000000001C7F0000-0x000000001CCBE000-memory.dmp

Filesize
4.8MB

Download
memory/4744-3-0x0000000001A90000-0x0000000001A9E000-memory.dmp

Filesize
56KB

Download
memory/4744-2-0x000000001BEB0000-0x000000001BF0C000-memory.dmp

Filesize
368KB

Download
memory/4744-21-0x000000001CE20000-0x000000001CE36000-memory.dmp

Filesize
88KB

Download
memory/4744-1-0x00007FF9E0990000-0x00007FF9E1331000-memory.dmp

Filesize
9.6MB

Download
memory/4744-23-0x000000001CE00000-0x000000001CE12000-memory.dmp

Filesize
72KB

Download
memory/4744-24-0x000000001BF20000-0x000000001BF2A000-memory.dmp

Filesize
40KB

Download
memory/4744-25-0x000000001BF30000-0x000000001BF38000-memory.dmp

Filesize
32KB

Download
memory/4744-26-0x00007FF9E0990000-0x00007FF9E1331000-memory.dmp

Filesize
9.6MB

Download
memory/4744-28-0x00007FF9E0990000-0x00007FF9E1331000-memory.dmp

Filesize
9.6MB

Download