Overview

overview

10

Static

static

10

4b5d342b8c...86.exe

windows7-x64

9

4b5d342b8c...86.exe

windows10-2004-x64

9

4bb452a3de...a3.exe

windows7-x64

10

4bb452a3de...a3.exe

windows10-2004-x64

7

4bbf1f33d0...4d.exe

windows7-x64

8

4bbf1f33d0...4d.exe

windows10-2004-x64

8

4bc17871c1...64.exe

windows7-x64

10

4bc17871c1...64.exe

windows10-2004-x64

10

4be84836f6...c8.exe

windows7-x64

10

4be84836f6...c8.exe

windows10-2004-x64

10

4c2f38b994...d5.exe

windows7-x64

10

4c2f38b994...d5.exe

windows10-2004-x64

10

4c948e4226...26.exe

windows7-x64

10

4c948e4226...26.exe

windows10-2004-x64

10

4ca1d61a24...2e.exe

windows7-x64

10

4ca1d61a24...2e.exe

windows10-2004-x64

10

4cc3e6fe69...22.exe

windows7-x64

10

4cc3e6fe69...22.exe

windows10-2004-x64

10

4cf9706999...8e.exe

windows7-x64

10

4cf9706999...8e.exe

windows10-2004-x64

10

4d8cd82fa6...d5.exe

windows7-x64

10

4d8cd82fa6...d5.exe

windows10-2004-x64

10

4d947659fe...19.exe

windows7-x64

10

4d947659fe...19.exe

windows10-2004-x64

10

4dac62ad00...ec.exe

windows7-x64

10

4dac62ad00...ec.exe

windows10-2004-x64

10

4dde57eed0...7b.exe

windows7-x64

10

4dde57eed0...7b.exe

windows10-2004-x64

10

4e1fdde317...d3.exe

windows7-x64

10

4e1fdde317...d3.exe

windows10-2004-x64

10

4e248cce2f...a7.exe

windows7-x64

10

4e248cce2f...a7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4bc17871c10bb28c4e2b5e2f1d9e4664.exe

  • Size

    28KB

  • MD5

    4bc17871c10bb28c4e2b5e2f1d9e4664

  • SHA1

    d6d80515426201c41e12f04fe8ec7f8c0f54b85a

  • SHA256

    9174ac9bc0d3b5cc062f11c6b97f7a92f9e117b77fe4cbc148ca40e7cb99d302

  • SHA512

    2ba6f62b059e59339bf62dfc7e6cb439f7a64904cc6065294c20c71ecec86e8b215075069bbda4171d001881489382eb7809801cb2dfc280f8f483429a99e5bd

  • SSDEEP

    768:GEHTMg84YFnOVMSloeM41v1WbVgkgm3HrQQ:GEHQg84ofSxCekX3R

Score
10/10
defense_evasionevasiontrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bc17871c10bb28c4e2b5e2f1d9e4664.exe
    "C:\Users\Admin\AppData\Local\Temp\4bc17871c10bb28c4e2b5e2f1d9e4664.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      PID:4664
    • C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer /v SmartScreenEnabled /t REG_SZ /d Off /f
      2⤵
      • Modifies registry key
      PID:4688
    • C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:3416
    • C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
      2⤵
      • Modifies Windows Defender notification settings
      PID:4824
    • C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
      2⤵
        PID:4876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hbuscsqg.hlf.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Windows\System32\drivers\etc\hosts
      Filesize

      2KB

      MD5

      06c0903581c8a8a6e4b50f5983cfc660

      SHA1

      042a94f3dbafd5c01d2bbad8f63c49ced0d4e913

      SHA256

      fb27110a5dd9b7c46375c1365fe3cbf1479081d337fbc93dce831a1fa3b9b1dd

      SHA512

      0d4841e894276892c9eba03ba9363f7a90228b01e70fb61fd880f56e48d7ccdbff9f05bc24edd4ce80de1df1951caf775c88011d2607a3bea44a49dc0d2a08f5

      Download Submit

    • memory/4068-1-0x00000000007F0000-0x00000000007FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4068-0-0x00007FFA57A63000-0x00007FFA57A65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4068-11-0x0000000001290000-0x00000000012B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4068-12-0x00007FFA57A60000-0x00007FFA58521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4068-59-0x000000001B6A0000-0x000000001B6BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4068-58-0x000000001B560000-0x000000001B56E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4068-60-0x00007FFA57A60000-0x00007FFA58521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4068-62-0x00007FFA57A60000-0x00007FFA58521000-memory.dmp

      Filesize

      10.8MB

      Download