Analysis
max time kernel: 4s
max time network: 9s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 20:27
Static task: static1
Behavioral task: behavioral1
Sample: DisableWD.bat
Resource: win10v2004-20240226-en

General
Target: DisableWD.bat
Size: 4KB
MD5: ceff74da4426916b94e3e84128e4330d
SHA1: 8030955eef7770ddc988c9c605cff09e2d5fba2f
SHA256: d1e66cf40dac430e08836de4a4408d9b00393b552046fd7a1c697bcb92162121
SHA512: f8e89bf283cd8ab9deeeb091eaf7529cbae12e9e3b07efe6d1f8010569489262dcb4c72fdbbe46f0affd460a9c0a2dd2be6565d88fa34df297718155314111e4
SSDEEP: 96:EBXITdcWyWVmWIW+Wn2m9HlMfCcI2B37tmSemS+qaWfmFWryYz8J8wLQLn6FP6Z:97V/9XfjmSzn
Malware Config
Signatures
- Modifies security service (2 TTPs, 2 IoCs)
  Processes: reg.exe, reg.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | reg.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  2532 | takeown.exe
  2308 | icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  2532 | takeown.exe
  2308 | icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes: cmd.exe
  description | ioc | process
  File created | C:\Windows\system32\smartscreen.exe.revi | cmd.exe
  File opened for modification | C:\Windows\system32\smartscreen.exe.revi | cmd.exe
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid | process
  1504 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
  pid | process
  4800 | powershell.exe
  4800 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, taskkill.exe, takeown.exe
  description | pid | process
  Token: SeDebugPrivilege | 4800 | powershell.exe
  Token: SeDebugPrivilege | 1504 | taskkill.exe
  Token: SeTakeOwnershipPrivilege | 2532 | takeown.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: cmd.exe, cmd.exe
  description | pid | process | target process
  PID 864 wrote to memory of 4800 | 864 | cmd.exe | powershell.exe
  PID 864 wrote to memory of 2756 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 1936 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 3480 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 4480 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 2964 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 2268 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 3364 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 1420 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 4748 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 2956 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 3472 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 1840 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 816 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 1788 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 2692 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 1468 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 4484 | 864 | cmd.exe | cmd.exe
  PID 4484 wrote to memory of 4600 | 4484 | cmd.exe | reg.exe
  PID 4484 wrote to memory of 3964 | 4484 | cmd.exe | find.exe
  PID 864 wrote to memory of 1504 | 864 | cmd.exe | taskkill.exe
  PID 864 wrote to memory of 2532 | 864 | cmd.exe | takeown.exe
  PID 864 wrote to memory of 2308 | 864 | cmd.exe | icacls.exe
  PID 864 wrote to memory of 1344 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 2644 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 2248 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 4388 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 1292 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 2712 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 3396 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 3304 | 864 | cmd.exe | reg.exe
  PID 864 wrote to memory of 1644 | 864 | cmd.exe | reg.exe
Processes
- C:\Windows\system32\cmd.exe (PID 864)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DisableWD.bat"
  Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4800)
    Command line: PowerShell -NonInteractive -NoLogo -NoProfile -C "Set-MpPreference -DisableRealtimeMonitoring 1"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\reg.exe (PID 2756)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecCore" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1936)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 3480)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecWfp" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 4480)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 2964)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 2268)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 3364)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1420)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 4748)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 2956)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    Signatures: Modifies security service
  - C:\Windows\system32\reg.exe (PID 3472)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
    Signatures: Modifies security service
  - C:\Windows\system32\reg.exe (PID 1840)
    Command line: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  - C:\Windows\system32\reg.exe (PID 816)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1788)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 2692)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1468)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\cmd.exe (PID 4484)
    Command line: C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2>nul | find /i "webthreatdefusersvc"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 4600)
      Command line: reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f
    - C:\Windows\system32\find.exe (PID 3964)
      Command line: find /i "webthreatdefusersvc"
  - C:\Windows\system32\taskkill.exe (PID 1504)
    Command line: taskkill /f /im smartscreen.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\takeown.exe (PID 2532)
    Command line: takeown /F "C:\Windows\system32\smartscreen.exe" /A
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\icacls.exe (PID 2308)
    Command line: icacls "C:\Windows\system32\smartscreen.exe" /grant Administrators:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\system32\reg.exe (PID 1344)
    Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  - C:\Windows\system32\reg.exe (PID 2644)
    Command line: reg add "HKLM\Software\Policies\Microsoft\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 2248)
    Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 4388)
    Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1292)
    Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 2712)
    Command line: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 3396)
    Command line: reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 3304)
    Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1644)
    Command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 564)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Control\CI\Policy" /v "VerifiedAndReputablePolicyState" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1236)
    Command line: reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 768)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Control\CI\Config" /v "VulnerableDriverBlocklistEnable" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 3436)
    Command line: reg add "HKLM\SYSTEM\ControlSet001\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d "0" /f
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82