ebba736dfa26b559658df13cda55e2aef8cf744c05f817396ef1d3b17870a83e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DefenderRemover.exe
Size

664KB
MD5

7a3e43c2971746c84d32f8a448823673
SHA1

08b75724c68f25ac831ba2c7508f18bf3a398c9f
SHA256

c7bdcebe60356900dc4b4f8bc8b75acc1536df33ae7a1049bfa27192b8c62d0a
SHA512

702ea07e5377387cf938554c8fab55847cc72e06997f318099940db2b0af7d06acf326be3699569b65a9a265e617cab13c2930614bc3a0cb2e02ee82fd79c8f5
SSDEEP

12288:u1OgLda0ZjpVxCSDrqzU7rOv/O6/NH90u9KIyburq6fAdAYmyw:u1OYdaypVxCiIO6/LXEYr8dAByw

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DefenderRemover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 1804	4748	DefenderRemover.exe	83
PID 4748 wrote to memory of 1804	4748	DefenderRemover.exe	83
PID 4748 wrote to memory of 1804	4748	DefenderRemover.exe	83

C:\Users\Admin\AppData\Local\Temp\DefenderRemover.exe
"C:\Users\Admin\AppData\Local\Temp\DefenderRemover.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\Script_Run.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSD60D.tmp\Script_Run.bat

Filesize
5KB

MD5
cb6ba01b02a759691ccce25812a01fbe

SHA1
3dc6450d1d0d92b34a8bbf891d5895d916dfa286

SHA256
7799b4f070f70a1ba829e49dadbb4708a632d8db41510828b50b8826a669b6c3

SHA512
871b05706dd8e9de355873236a592621e2a5dfca694154d2c86411499d0b2300cc6cfc7c62a8dd998ef901934349d725d34405250d6cbca49f9c9e63b316b126

Download Submit