Analysis
- max time kernel: 1s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 29-02-2024 20:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: DisableWD.bat
- Resource: win10v2004-20240226-en
General
- Target: DisableWD.bat
- Size: 4KB
- MD5: ceff74da4426916b94e3e84128e4330d
- SHA1: 8030955eef7770ddc988c9c605cff09e2d5fba2f
- SHA256: d1e66cf40dac430e08836de4a4408d9b00393b552046fd7a1c697bcb92162121
- SHA512: f8e89bf283cd8ab9deeeb091eaf7529cbae12e9e3b07efe6d1f8010569489262dcb4c72fdbbe46f0affd460a9c0a2dd2be6565d88fa34df297718155314111e4
- SSDEEP: 96:EBXITdcWyWVmWIW+Wn2m9HlMfCcI2B37tmSemS+qaWfmFWryYz8J8wLQLn6FP6Z:97V/9XfjmSzn
Malware Config
Signatures
- Modifies security service (2 TTPs, 2 IoCs)
  Processes:
  reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
  reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 2984), icacls.exe (PID 3060)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (PID 2984), icacls.exe (PID 3060)
- Drops file in System32 directory (2 IoCs)
  Processes:
  cmd.exe: File created C:\Windows\system32\smartscreen.exe.revi
  cmd.exe: File opened for modification C:\Windows\system32\smartscreen.exe.revi
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe (PID 1532)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe (PID 2512), powershell.exe (PID 2512)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  powershell.exe (PID 2512): Token: SeDebugPrivilege
  taskkill.exe (PID 1532): Token: SeDebugPrivilege
  takeown.exe (PID 2984): Token: SeTakeOwnershipPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Windows\system32\cmd.exe (PID 1376)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DisableWD.bat"
  signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2512)
    command line: PowerShell -NonInteractive -NoLogo -NoProfile -C "Set-MpPreference -DisableRealtimeMonitoring 1"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\reg.exe (PID 884)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecCore" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 3724)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 1692)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecWfp" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 3668)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 2828)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 4884)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 2824)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 3680)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 560)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 424)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    signatures: Modifies security service
  C:\Windows\system32\reg.exe (PID 4580)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
    signatures: Modifies security service
  C:\Windows\system32\reg.exe (PID 3024)
    command line: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  C:\Windows\system32\reg.exe (PID 1048)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 3644)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 4132)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 816)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\cmd.exe (PID 344)
    command line: C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2>nul | find /i "webthreatdefusersvc"
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 4396)
      command line: reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f
    C:\Windows\system32\find.exe (PID 540)
      command line: find /i "webthreatdefusersvc"
  C:\Windows\system32\taskkill.exe (PID 1532)
    command line: taskkill /f /im smartscreen.exe
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\takeown.exe (PID 2984)
    command line: takeown /F "C:\Windows\system32\smartscreen.exe" /A
    signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\icacls.exe (PID 3060)
    command line: icacls "C:\Windows\system32\smartscreen.exe" /grant Administrators:F
    signatures: Possible privilege escalation attempt; Modifies file permissions
  C:\Windows\system32\reg.exe (PID 4288)
    command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  C:\Windows\system32\reg.exe (PID 4016)
    command line: reg add "HKLM\Software\Policies\Microsoft\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 2484)
    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 4052)
    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 236)
    command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 4588)
    command line: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 4572)
    command line: reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 4004)
    command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 3348)
    command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 1844)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Control\CI\Policy" /v "VerifiedAndReputablePolicyState" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 2428)
    command line: reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 1536)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Control\CI\Config" /v "VulnerableDriverBlocklistEnable" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 1900)
    command line: reg add "HKLM\SYSTEM\ControlSet001\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d "0" /f
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82