Overview

overview

10

Static

static

10

Defender.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Defender.exe

  • Size

    101.7MB

  • Sample

    241124-ttnrkaxph1

  • MD5

    4639f7017af991701fff3d146503e89a

  • SHA1

    fa01f0919cfcc14ce13f10ef788525117f7972da

  • SHA256

    9aba31cd70bb74c0a15d8776f6f513680447a6982eb9f0a56bb0d1e12bba8428

  • SHA512

    62d77a2396abe0b8de36537d13524f1d098e6bde1cbc574900a1c2c470e9ab902d63d332669586d9b4f2a4fefe9e7da4f9a53b5644a79eb28db53e90c35f9408

  • SSDEEP

    3145728:U4i5r79S6xjKcBaNJ2qHO5i29enGUDd+mA28NFnmSkkr8:Ap5SWNaNPHCi2uzA28NxF

Score
10/10
pysilonevasionexecutionpersistencepyinstaller

Malware Config

Targets

    • Target

      Defender.exe

    • Size

      101.7MB

    • MD5

      4639f7017af991701fff3d146503e89a

    • SHA1

      fa01f0919cfcc14ce13f10ef788525117f7972da

    • SHA256

      9aba31cd70bb74c0a15d8776f6f513680447a6982eb9f0a56bb0d1e12bba8428

    • SHA512

      62d77a2396abe0b8de36537d13524f1d098e6bde1cbc574900a1c2c470e9ab902d63d332669586d9b4f2a4fefe9e7da4f9a53b5644a79eb28db53e90c35f9408

    • SSDEEP

      3145728:U4i5r79S6xjKcBaNJ2qHO5i29enGUDd+mA28NFnmSkkr8:Ap5SWNaNPHCi2uzA28NxF

    Score
    9/10
    evasionexecutionpersistence

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks