4f324d70e644a475590df9afe96af874216c5aeae048a8f9fe67e204accefff9

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 13:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

禁用系统自动更新.bat
Size

181B
MD5

8fcf5a19fa50679d310d01b962e667f2
SHA1

40bd8dc501fdf8fcd480d5322cdadbffc45551a3
SHA256

4f324d70e644a475590df9afe96af874216c5aeae048a8f9fe67e204accefff9
SHA512

cd8de4ca2507e1f1f345d1a6f4106ab4ed0892a89361d33a36810b447bd3273349009a5cb74455cfd108b736bf89f8b5e24db46fc7380a6527db540e647b70b9

Score

10^/10

evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2556	sc.exe

Runs net.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2028	1932	cmd.exe	29
PID 1932 wrote to memory of 2028	1932	cmd.exe	29
PID 1932 wrote to memory of 2028	1932	cmd.exe	29
PID 2028 wrote to memory of 1952	2028	net.exe	30
PID 2028 wrote to memory of 1952	2028	net.exe	30
PID 2028 wrote to memory of 1952	2028	net.exe	30
PID 1932 wrote to memory of 2556	1932	cmd.exe	31
PID 1932 wrote to memory of 2556	1932	cmd.exe	31
PID 1932 wrote to memory of 2556	1932	cmd.exe	31
PID 1932 wrote to memory of 2120	1932	cmd.exe	32
PID 1932 wrote to memory of 2120	1932	cmd.exe	32
PID 1932 wrote to memory of 2120	1932	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\禁用系统自动更新.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\system32\net.exe
  net stop wuauserv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop wuauserv
    3⤵
    PID:1952
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  - Launches sc.exe
  PID:2556
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAUShutdownOption /t REG_DWORD /d 1 /f
  2⤵
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads