VBS Downloader and Defender Control

An attacker logged into the honeypot and ran a batch file that created a vbs script that attempted to download a possible coin miner. The download was blocked by the content filtering system but the attacker seemed to think Defender blocked it. The attacker then downloaded an application named Defender Control to turn off Defender. See the timeline, details, and IOCs below.

4:28 – Attacker logs in from 200.219.222[.]205

4:29 – A batch file was copied to the system and then run.

VirusTotal score for the batch file. I’m testing an EDR solution right now in this environment and it didn’t alert on this download activity. I would recommend building a detection for this if you don’t already have one.

A possible detection would be cscript + .vbs if its not common in your environment. If it is, you can extend the rule to include http/https. You should really be monitoring anytime Windows Script Host is used (if you can’t disable it), especially if it or a child process downloads something from the internet. Multiple threat actors (FIN7 ,MuddyWater , etc) have used this technique which is referenced by MITRE as Scripting – T1064.

Sysmon logs showing the attempted download and execution of setup.exe

Unfortunately for the attacker this download url is known to deliver malware and because of that it was blocked by the content filtering system. The attacker dropped another copy of the same bat file and attempted the execution again. Download failed again.

4:30 – The attacker then dropped a tool named Defender Control. This makes me 🙂 The attacker was logged in as Administrator and could have easily turned it off without this.

VirusTotal score for Defender Control

4:33 – Defender Control was quarantined by Defender and is referenced as HackTool:Win32/DefenderControl.

4:34 – Attacker logs off

Sandbox Analysis – setup.exe

Here’s the sandbox run of the setup.exe executable that would have been downloaded and run if the content filtering system didn’t block it. This exe removes a service (if its there) then creates a new service to maintain persistence.

After the service is running it then calls back to on a high port.

setup.exe then calls tor.exe and makes numerous encrypted connections over Tor nodes.

This is a process graph of the setup.exe execution.

For the full Any.Run sandbox run – Click Here


IOCs can be found in MISP at UUID 5e33608b-9604-494a-b9b7-4fa6950d210f

IOCs can also be found on OTX here

Leave a Reply