6895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2

Analysis

max time kernel
100s
max time network
202s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-10-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xd.exe
Size

3.0MB
MD5

b8006a0ea8243be30ddbc2009aa05d93
SHA1

81df425e729edd90c7b7e50b995803da783557ef
SHA256

6895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2
SHA512

4535e0547d479b58663dcc71dc49e7658438e79145cf0eb7d8748864209aa33fb35bf41d506ad527fc25132448c9800ca1cc8eff7568f5af4878da667ad462a4
SSDEEP

49152:6zTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmNMrZEu:6zTtODUKTslWp2MpbfGGilIJPypSbxE8

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral3/memory/3992-24-0x0000000001D10000-0x0000000001D1A000-memory.dmp	disable_win_def

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 1732	3992	xd.exe	81
PID 3992 wrote to memory of 1732	3992	xd.exe	81
PID 1732 wrote to memory of 3164	1732	csc.exe	83
PID 1732 wrote to memory of 3164	1732	csc.exe	83

C:\Users\Admin\AppData\Local\Temp\xd.exe
"C:\Users\Admin\AppData\Local\Temp\xd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tn_yfp6i.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78CB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC78CA.tmp"
    3⤵
    PID:3164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES78CB.tmp

Filesize
1KB

MD5
2fd953ecef4de3f2606cdaeff313dc48

SHA1
454389780ad92c266a60dad3cd42cf27588b16f7

SHA256
c76dd0a887aa15b35f2fe0ccbc0a44b27a0bc86644cd0ce03424c1ea2417e5c1

SHA512
03e0dc959a0e1f4e244fae30020a7ae11a8ad1c9a5a1e1ce25cc3bc3c8ccaad6bf3c7504e108a7be7d97542a0a1384bb3706e7bd13c086955f5c0164bc3ab921

Download Submit
C:\Users\Admin\AppData\Local\Temp\tn_yfp6i.dll

Filesize
76KB

MD5
3c189a987a7a7ca7050683d058a73ecb

SHA1
8a7f8dbf9c1f21a1e0d0ef8e7e7ba5d70d7c3c49

SHA256
2c024f3bd1ca872f6bf07cd57231a61f9263a1d7ebc18306cbfb7b7f9bd1e235

SHA512
0ea00537dce4e7c10bd560ba30168c43551c0730f0705cc6eba51188a8e207f68e207b6856433feb8eaf584f9e09858047a7030b1e14eaeb6d61163107ffc628

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC78CA.tmp

Filesize
676B

MD5
bbcb1f03f8b192bbc2235704af923372

SHA1
e46ff9ff9f4975a567daa69736dd75901f406ce2

SHA256
60d006de393aa1bd174dca5b11a72627ba76b0d1e65b6767e6634875fb237eb5

SHA512
948c1cc14ead16d688fb00bae7ea6a9391fd7454c8a7d43243a75fe325b9535905acd3121d38964e66a82c2b690bf471ce0f682932b9275a429a03853cbefbf4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tn_yfp6i.0.cs

Filesize
208KB

MD5
7d10266472a13052fd3ce1cf4b7450f1

SHA1
2924de7a1527478e059bb824552e26ca6dc15f73

SHA256
30d06496937066e4d4a6cecc0c7c2efdfdae54e5c054159cf18f1e2327d3b6cf

SHA512
209c7a114fbdfd472c606894e85dc61b7525a650390abb8be1b3b3c157ec031c7a85608e3fc3fbc79c62cf370a238f7343feb9b1f0ed542d1457a41783a99c41

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tn_yfp6i.cmdline

Filesize
349B

MD5
369b6744c7eec6523e9bf4ebcabcc983

SHA1
4779040fa0d303df80f8bd84089d97fae7fde36e

SHA256
69b639494e37b8e0e00ccf32a9fb7298bfc95a4958a57e4b9845ad38ddb2e790

SHA512
1ddd945d3136512bf48acd1ce5680fd0af715f672a0e6c5e290bf6f0331f3c0ff21093720fbdc6b2cde59fe7d4c318fafec86792401ece3b5ce2f9ad7730a232

Download Submit
memory/1732-19-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download
memory/1732-14-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download
memory/3992-5-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download
memory/3992-1-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download
memory/3992-0-0x00007FFB62895000-0x00007FFB62896000-memory.dmp

Filesize
4KB

Download
memory/3992-4-0x000000001C9A0000-0x000000001CE6E000-memory.dmp

Filesize
4.8MB

Download
memory/3992-3-0x0000000001A90000-0x0000000001A9E000-memory.dmp

Filesize
56KB

Download
memory/3992-2-0x0000000001AE0000-0x0000000001B3C000-memory.dmp

Filesize
368KB

Download
memory/3992-21-0x000000001CF30000-0x000000001CF46000-memory.dmp

Filesize
88KB

Download
memory/3992-6-0x000000001CE70000-0x000000001CF0C000-memory.dmp

Filesize
624KB

Download
memory/3992-23-0x000000001CF10000-0x000000001CF22000-memory.dmp

Filesize
72KB

Download
memory/3992-24-0x0000000001D10000-0x0000000001D1A000-memory.dmp

Filesize
40KB

Download
memory/3992-25-0x000000001D430000-0x000000001D438000-memory.dmp

Filesize
32KB

Download
memory/3992-26-0x0000000001D00000-0x0000000001D08000-memory.dmp

Filesize
32KB

Download
memory/3992-27-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download
memory/3992-29-0x00007FFB625E0000-0x00007FFB62F81000-memory.dmp

Filesize
9.6MB

Download