675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f

Resubmissions

26-10-2024 23:19

241026-3a1rfsxrgm 10

26-10-2024 23:18

241026-3absbs1fnl 10

26-10-2024 23:16

241026-29dkjaymaw 10

Analysis

max time kernel
7s
max time network
4s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-10-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

3.0MB
MD5

7b3150ddd3df859f8f6f36cb041b23f7
SHA1

c3934ab76025c17cab3d309a96c1e32df9ad9d65
SHA256

675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
SHA512

a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214
SSDEEP

49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/4908-24-0x0000000001B60000-0x0000000001B6A000-memory.dmp	disable_win_def

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

test.execsc.exe

description	pid	process	target process
PID 4908 wrote to memory of 1828	4908	test.exe	csc.exe
PID 4908 wrote to memory of 1828	4908	test.exe	csc.exe
PID 1828 wrote to memory of 3580	1828	csc.exe	cvtres.exe
PID 1828 wrote to memory of 3580	1828	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zcldbtf8.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D53.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5D52.tmp"
    3⤵
    PID:3580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5D53.tmp

Filesize
1KB

MD5
f442a707ef9e4847b6ed40fd1e4ce386

SHA1
444142b80f839a3e319d6f495a49881742981c6f

SHA256
d10035c2ba55132ede6d32a4565d5f5949dcdb4426ea7d6d96c5505df39094db

SHA512
52ba44bf71721a94a8438182cde433a607afc5712e1ebfdd927c48a531baa5d7cfa808e832d47d1db0975d06f971b92b79bab8b2521e865c219812689ed05b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcldbtf8.dll

Filesize
76KB

MD5
28b3898dbfa3a286e9872f5fb837be69

SHA1
82c4b844aaae58bc6aa0fe9ebade82fdd638b1f9

SHA256
5bbff6f06828f68be096993dfcc4bd06975bdd9e9448b56f5ce250e137c7ae84

SHA512
6c8233f7a42fb3fef86571d3f1c2b9767670c7c36a53de1d06f02bfe0ff22ba0a098b693e8ee76aa40fdba6e971ed9beda0cf2042849e8aeb844017ca3d844ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5D52.tmp

Filesize
676B

MD5
a8db1d4279f4b63b76bdb4d585b94773

SHA1
22cec1f2644e1a74aec17fca03be7a13b7be2699

SHA256
d920109bde8d07bef446ce8194eed9f000118c53547e9727c47c9e431a386c9d

SHA512
930530738181df62f125df879abac0b0bb194decf7c06e71e3bbaf2b05a5dacc843890d5aa5e9c0993fafd504e33bc1141489169a9020435f64dce9bd8babdbf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zcldbtf8.0.cs

Filesize
208KB

MD5
ab40d60da8d1fb1b428b02d64261d263

SHA1
f116789f367a8a1f783b31bf7ed37ff526de26b1

SHA256
6fc5da17574b38d184c056c8897f66402fb44bfcb1c4277b4503c37072b58462

SHA512
18e97cfc0110daad22bfcd418452d4172b6ab7d26f064253cff9c375e8f6afb60c96cab1d56fdd4c678471c002d0449e8c285659424415794e73b7abdc76d6ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zcldbtf8.cmdline

Filesize
349B

MD5
71c59b62e8499b8bb10acae7549b0508

SHA1
8dbfe781262e4d51fa5d547630386d04ced59c2f

SHA256
6b5e390b250f3713a10b4eff3171450f238b3330ddddf6bf779b8b69c513b3ba

SHA512
1b727bedb8b5cab190cecb4e3a52d4dd118f1ab5bf54d8c7d6ee537f657a8f62b01c88c0e2150e6ac1a6574963e3739354582ba703433087de7ae3a2f598b3fb

Download Submit
memory/1828-19-0x00007FFA54350000-0x00007FFA54CF1000-memory.dmp

Filesize
9.6MB

Download
memory/1828-16-0x00007FFA54350000-0x00007FFA54CF1000-memory.dmp

Filesize
9.6MB

Download
memory/4908-5-0x00007FFA54350000-0x00007FFA54CF1000-memory.dmp

Filesize
9.6MB

Download
memory/4908-6-0x000000001CD60000-0x000000001CDFC000-memory.dmp

Filesize
624KB

Download
memory/4908-0-0x00007FFA54605000-0x00007FFA54606000-memory.dmp

Filesize
4KB

Download
memory/4908-4-0x000000001C7F0000-0x000000001CCBE000-memory.dmp

Filesize
4.8MB

Download
memory/4908-3-0x0000000001770000-0x000000000177E000-memory.dmp

Filesize
56KB

Download
memory/4908-2-0x00000000017C0000-0x000000000181C000-memory.dmp

Filesize
368KB

Download
memory/4908-1-0x00007FFA54350000-0x00007FFA54CF1000-memory.dmp

Filesize
9.6MB

Download
memory/4908-21-0x000000001CE10000-0x000000001CE26000-memory.dmp

Filesize
88KB

Download
memory/4908-23-0x00000000017B0000-0x00000000017C2000-memory.dmp

Filesize
72KB

Download
memory/4908-24-0x0000000001B60000-0x0000000001B6A000-memory.dmp

Filesize
40KB

Download
memory/4908-25-0x0000000001B80000-0x0000000001B88000-memory.dmp

Filesize
32KB

Download
memory/4908-26-0x00007FFA54350000-0x00007FFA54CF1000-memory.dmp

Filesize
9.6MB

Download
memory/4908-28-0x00007FFA54350000-0x00007FFA54CF1000-memory.dmp

Filesize
9.6MB

Download