7dae966a4f5f9f27f780bd28a8c4fc79f1a3d7e12cfc988052d27e3dd5136bb5

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	regedit.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe

Modifies Security services 2 TTPs 1 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	regedit.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	regedit.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\PreventOverride = "0"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2528	regedit.exe

C:\Windows\regedit.exe
regedit.exe "C:\Users\Admin\AppData\Local\Temp\EnableActivationConfig.reg"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender notification settings
- Modifies security service
- UAC bypass
- Modifies Security services
- Modifies Internet Explorer Phishing Filter
- Modifies registry class
- Runs .reg file with regedit
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control