6895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2

Analysis

max time kernel
137s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xd.exe
Size

3.0MB
MD5

b8006a0ea8243be30ddbc2009aa05d93
SHA1

81df425e729edd90c7b7e50b995803da783557ef
SHA256

6895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2
SHA512

4535e0547d479b58663dcc71dc49e7658438e79145cf0eb7d8748864209aa33fb35bf41d506ad527fc25132448c9800ca1cc8eff7568f5af4878da667ad462a4
SSDEEP

49152:6zTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmNMrZEu:6zTtODUKTslWp2MpbfGGilIJPypSbxE8

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/1188-24-0x000000001B910000-0x000000001B91A000-memory.dmp	disable_win_def

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 212	1188	xd.exe	87
PID 1188 wrote to memory of 212	1188	xd.exe	87
PID 212 wrote to memory of 1448	212	csc.exe	89
PID 212 wrote to memory of 1448	212	csc.exe	89

C:\Users\Admin\AppData\Local\Temp\xd.exe
"C:\Users\Admin\AppData\Local\Temp\xd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ieyfkg-9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC8A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC89.tmp"
    3⤵
    PID:1448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBC8A.tmp

Filesize
1KB

MD5
abf5d3fe7ade51c5eff5c50f04e20bc0

SHA1
0b52336b09e216d29ab6ed0c138b4a25f85a3545

SHA256
d1aa9eb0bb8111bcf0614384c5e541e8f51d29742bf14dc2aa16ab26d1ddb0f4

SHA512
ffbaa0592b97ddfbb7b8091ace68839994a717ff6299afed1b7118cfc4796ef1018e114a169d7c6317771aadd06e67abe5aecf8874dc9af54bc7943ab986f17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieyfkg-9.dll

Filesize
76KB

MD5
84db55f265d89ce385c103e2d7b0a356

SHA1
4c3c0d106e4f5da0445705c48ca8ce69caa05801

SHA256
d7c6aa75d32b2537a33a87b9d514e24771634b047a3614ef8404113f71df1180

SHA512
9c83c73faaed3bc5332279170b04ca3d1a26b6c262c4a35eedcbc4ea416d334e4ef77788b51c4bd5bee7c15fb638c65f6447133322763f5f80b54069339c4c3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBC89.tmp

Filesize
676B

MD5
905596f13e33217d256316dc07e47bbe

SHA1
52497869f528a41ee9632ae396ef3d781348fee1

SHA256
969d719fb66631d74657c12567adf4ed82fae0945c6ce32779901d334aa9dbdb

SHA512
6d3a10cbd4218f1ff61ea1f5148124543520826e140b65221530d0158bca8776cda31faff601a2714aea5422bd184f88d0bf5c6c7326e5b2ca9c7455879f13c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ieyfkg-9.0.cs

Filesize
208KB

MD5
e87ba4fbfc2724053e657b11c1149ce6

SHA1
f3fdeffc2da0eab5f81f6e8a20d7da8ffc740fe6

SHA256
626b8a7d97e47d1a612f8a717297aed3d2b3476a96a87107b8995c6a1b93d511

SHA512
f93c543fbd35c2f033b99348d2fe562e42f350a54d269352d21b502dff4e6d5b73099128bba23afa8feb4be3ad83888ac8806bb75492a2cedf9cadd26f39dab4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ieyfkg-9.cmdline

Filesize
349B

MD5
67745d6e86034bdb00025424a7070782

SHA1
5a50eb36c388fead73f7f472271e7d2937355111

SHA256
bdd98bc8f9d7f930c9ff1a053291c450f61de30e223972c988249062b2a8ce02

SHA512
5a1105617c9c2f13dc8bf80f1db023d2e03cde3290c0194dd83571f80ca35ba4feb84358518547371eb757dc296c09c08d1d3382717b5f1e4581e108d838cd4b

Download Submit
memory/212-19-0x00007FFE162F0000-0x00007FFE16C91000-memory.dmp

Filesize
9.6MB

Download
memory/212-16-0x00007FFE162F0000-0x00007FFE16C91000-memory.dmp

Filesize
9.6MB

Download
memory/1188-5-0x000000001C130000-0x000000001C5FE000-memory.dmp

Filesize
4.8MB

Download
memory/1188-21-0x000000001C740000-0x000000001C756000-memory.dmp

Filesize
88KB

Download
memory/1188-0-0x00007FFE165A5000-0x00007FFE165A6000-memory.dmp

Filesize
4KB

Download
memory/1188-4-0x00007FFE162F0000-0x00007FFE16C91000-memory.dmp

Filesize
9.6MB

Download
memory/1188-3-0x000000001B780000-0x000000001B78E000-memory.dmp

Filesize
56KB

Download
memory/1188-2-0x000000001B7D0000-0x000000001B82C000-memory.dmp

Filesize
368KB

Download
memory/1188-1-0x00007FFE162F0000-0x00007FFE16C91000-memory.dmp

Filesize
9.6MB

Download
memory/1188-6-0x000000001C6A0000-0x000000001C73C000-memory.dmp

Filesize
624KB

Download
memory/1188-23-0x000000001B930000-0x000000001B942000-memory.dmp

Filesize
72KB

Download
memory/1188-24-0x000000001B910000-0x000000001B91A000-memory.dmp

Filesize
40KB

Download
memory/1188-25-0x000000001CC40000-0x000000001CC48000-memory.dmp

Filesize
32KB

Download
memory/1188-26-0x000000001B900000-0x000000001B908000-memory.dmp

Filesize
32KB

Download
memory/1188-27-0x00007FFE162F0000-0x00007FFE16C91000-memory.dmp

Filesize
9.6MB

Download
memory/1188-29-0x00007FFE162F0000-0x00007FFE16C91000-memory.dmp

Filesize
9.6MB

Download