675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f

Resubmissions

26-10-2024 23:19

241026-3a1rfsxrgm 10

26-10-2024 23:18

241026-3absbs1fnl 10

26-10-2024 23:16

241026-29dkjaymaw 10

Analysis

max time kernel
7s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-10-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

3.0MB
MD5

7b3150ddd3df859f8f6f36cb041b23f7
SHA1

c3934ab76025c17cab3d309a96c1e32df9ad9d65
SHA256

675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
SHA512

a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214
SSDEEP

49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/5072-24-0x000000001C0E0000-0x000000001C0EA000-memory.dmp	disable_win_def

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

test.execsc.exe

description	pid	process	target process
PID 5072 wrote to memory of 4680	5072	test.exe	csc.exe
PID 5072 wrote to memory of 4680	5072	test.exe	csc.exe
PID 4680 wrote to memory of 2264	4680	csc.exe	cvtres.exe
PID 4680 wrote to memory of 2264	4680	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zul19po0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82BE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC82BD.tmp"
    3⤵
    PID:2264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES82BE.tmp

Filesize
1KB

MD5
7440cb513971cc932c23992b09e56cdd

SHA1
86b8412f006f55d8dfad25202753928cbf51cde7

SHA256
acdebc72cd95647ef93f04fd0d7dee293f9325415d5f7c6fa28bf1e3d0a0dfb7

SHA512
f37cd80ffbefbd7afc47e347dca93d3bd3476af7489b513496116a0377bf189e91f9d51bd111f4f33a5edccf034ba8f69c7ee4835a967234c3edc2b341b25fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\zul19po0.dll

Filesize
76KB

MD5
4c7d63216527fa72ec004af79c9e1ef6

SHA1
9bbc8583e5b054086a3aed701576960eaec5c979

SHA256
48725364b06fda729c6419ddf711518133397542f7c06f3cda25398827c10cd5

SHA512
cee6dc976ca9f540131ded29f079dc9dff9897678b9c920ef5fa709106ad6560f69616674ae6de6ca739ef343c4f968b2de8fcbf3bc19808a2183f9b2737ed26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC82BD.tmp

Filesize
676B

MD5
4b79a2bbdd70951a5e898d172ea731c3

SHA1
cb320205a381d8438ab99266684c3a589a6bc506

SHA256
4b3d395c88e3d94fb4583c02aa0aa79e866d4b8a2835607eb915e8303549f7fa

SHA512
b218f54eff8d4511ce8fd528596f61cbc6fd5976d7dce7ceb4e257cb34a22d70684957ddd837c11fdd0d593b0a2d4b9403640943ec894b245fd4d81df7ea26b5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zul19po0.0.cs

Filesize
208KB

MD5
636d075f31d7c5ec3eb0b66f4bb3359f

SHA1
def6e77427ad6c2567a3cfd53f10a6c36787a43f

SHA256
61e63bf52f68e246e8d0576bdceff4ce3635ab9f23e7c61516ed043a91b66279

SHA512
6b97b32a9ff4e789a0ef23c026aab2dcb07eeb3992d7ac7724223e4a5f6f5563c9f356a6cdb3992d9546ad9565704b1176799ef3040ea9e8ff480098188d1228

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zul19po0.cmdline

Filesize
349B

MD5
18da9ecb89475b9e636eedfa2491d676

SHA1
8311f413162e8e7a2b4850ff30003c3a1b078df6

SHA256
c836becdeefa3bdb63369eedcf771dfdad1cd50eb069e96eaa0420d13d964087

SHA512
289fb31c44a6589edab0ddc38f7ed0da11b9ce814887fa99f8410db93557c82de44112a9ab92031ad8063fab1f607033c435b1658eaeffcbe2a78d9bcadf7de4

Download Submit
memory/4680-19-0x00007FF952330000-0x00007FF952CD1000-memory.dmp

Filesize
9.6MB

Download
memory/4680-15-0x00007FF952330000-0x00007FF952CD1000-memory.dmp

Filesize
9.6MB

Download
memory/5072-5-0x00007FF952330000-0x00007FF952CD1000-memory.dmp

Filesize
9.6MB

Download
memory/5072-6-0x000000001CFD0000-0x000000001D06C000-memory.dmp

Filesize
624KB

Download
memory/5072-0-0x00007FF9525E5000-0x00007FF9525E6000-memory.dmp

Filesize
4KB

Download
memory/5072-4-0x000000001CA60000-0x000000001CF2E000-memory.dmp

Filesize
4.8MB

Download
memory/5072-3-0x0000000001B90000-0x0000000001B9E000-memory.dmp

Filesize
56KB

Download
memory/5072-2-0x000000001C1D0000-0x000000001C22C000-memory.dmp

Filesize
368KB

Download
memory/5072-1-0x00007FF952330000-0x00007FF952CD1000-memory.dmp

Filesize
9.6MB

Download
memory/5072-21-0x000000001C230000-0x000000001C246000-memory.dmp

Filesize
88KB

Download
memory/5072-23-0x000000001C100000-0x000000001C112000-memory.dmp

Filesize
72KB

Download
memory/5072-24-0x000000001C0E0000-0x000000001C0EA000-memory.dmp

Filesize
40KB

Download
memory/5072-25-0x000000001C0D0000-0x000000001C0D8000-memory.dmp

Filesize
32KB

Download
memory/5072-26-0x00007FF952330000-0x00007FF952CD1000-memory.dmp

Filesize
9.6MB

Download
memory/5072-28-0x00007FF952330000-0x00007FF952CD1000-memory.dmp

Filesize
9.6MB

Download