6895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xd.exe
Size

3.0MB
MD5

b8006a0ea8243be30ddbc2009aa05d93
SHA1

81df425e729edd90c7b7e50b995803da783557ef
SHA256

6895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2
SHA512

4535e0547d479b58663dcc71dc49e7658438e79145cf0eb7d8748864209aa33fb35bf41d506ad527fc25132448c9800ca1cc8eff7568f5af4878da667ad462a4
SSDEEP

49152:6zTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmNMrZEu:6zTtODUKTslWp2MpbfGGilIJPypSbxE8

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2292-22-0x00000000005A0000-0x00000000005AA000-memory.dmp	disable_win_def

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2304	2292	xd.exe	31
PID 2292 wrote to memory of 2304	2292	xd.exe	31
PID 2292 wrote to memory of 2304	2292	xd.exe	31
PID 2304 wrote to memory of 1720	2304	csc.exe	33
PID 2304 wrote to memory of 1720	2304	csc.exe	33
PID 2304 wrote to memory of 1720	2304	csc.exe	33

C:\Users\Admin\AppData\Local\Temp\xd.exe
"C:\Users\Admin\AppData\Local\Temp\xd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awzpdpbv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB14.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDB13.tmp"
    3⤵
    PID:1720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDB14.tmp

Filesize
1KB

MD5
dd8e4042dbaf968a1d0c2d57b8466cbe

SHA1
3f2998879376556f2e54b9deb15cb156b825fd03

SHA256
5c903fa3972bb5a6cd4c3917dc3eb1bff1a3547e4f4ab83cc761fc1e073a94a2

SHA512
09cb179c6365996924b4d4caaa3d75d5d1767cc28a397ecdb28d56595b5c7a7093ac6fd99142f8a1ec803fae258bf1a7f911735dcba5a3284a3394ba052446c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\awzpdpbv.dll

Filesize
76KB

MD5
0f331ea08af94bf69ee4acda93354bb1

SHA1
b443f2bfaa0e8417317b3abc1781d93247d37ca1

SHA256
d31967d2ce98e674bd4f0bbfca95b105b06ff452667a03e88d2add3269b8dc9c

SHA512
5466018a7ab2dfd67b676d07fc695d17b02c76291a4104762612b27b075d9c5badea4e6f976f1ff7bcc94835eea04363f14d445e7e94d1d6dc781360683bef1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDB13.tmp

Filesize
676B

MD5
b1d99f296abb70d971bfbc77dabb8466

SHA1
4f131bbfa13825fafd20f590e6d1167488c396aa

SHA256
4bf4bf8a88e1825707bd013ea47d356a99b139160c03878f36043c31d2552b1b

SHA512
5acf9ce23b901aba759ed1944aae6fb0c3a1285f3e3d7813961c987ead9122009067e54eb4f4711602e4113f277cb1c3fe8fdcd70672444f583e92de05b761ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awzpdpbv.0.cs

Filesize
208KB

MD5
8aed888f51841497840f8ec4e47c2fba

SHA1
0f09f865899399dc2287bc8b21c28198c882ca5b

SHA256
28da0570624cd13aafdcbdebf1e9f3ef17d48574e0c7472716449cde53acada6

SHA512
d053bd04476938e1804357054cb7849df3f805def7aea86944d04fde1a2bb43109b1cafd021e366aec3d316cedc64e13297f906b7f1369690e08aedefb193e58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awzpdpbv.cmdline

Filesize
349B

MD5
be113dd778596b9dd052ab6a37598a12

SHA1
8b049011554fde915ead8e3a3ed446cb09a7a0e5

SHA256
d08fc99de696234d3345bfc3baf4676a6464781d8857e76484fe4ace74984b7a

SHA512
e2204b03c919844ae760fb85b942318ab75c0e5fb1c54a0040e701b60f52e72a0d1fb2cab8a52cc7a7c41d16d67340611d1977487ee6c7fd87c046ff998cda62

Download Submit
memory/2292-19-0x000000001B0C0000-0x000000001B0D6000-memory.dmp

Filesize
88KB

Download
memory/2292-4-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2292-3-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2292-2-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/2292-25-0x000007FEF614E000-0x000007FEF614F000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x000000001B060000-0x000000001B0BC000-memory.dmp

Filesize
368KB

Download
memory/2292-26-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2292-0-0x000007FEF614E000-0x000007FEF614F000-memory.dmp

Filesize
4KB

Download
memory/2292-21-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download
memory/2292-23-0x00000000021A0000-0x00000000021A8000-memory.dmp

Filesize
32KB

Download
memory/2292-22-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2292-24-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-12-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-17-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download