Suspicious .reg File - Batch Worm Hidden in Zip, Defender & Firewall Disabled | LetsDefend SOC117

Published: 13 May 2026
on channel: InkSec

Day 111 of Becoming a SOC Analyst — SOC117 Suspicious .reg File (True Positive)
config.reg triggered the alert on host Aldo (172.16.17.51) but returned clean on VirusTotal; manual analysis of the password-protected archive revealed the real payload, importantUpdate.bat, a worm confirmed malicious on VT. The batch script created a persistent Windows service named DaMonki, added a registry run key, disabled both Windows Defender and Windows Firewall, and attempted lateral movement by copying itself into network-accessible startup folders and infecting .bat files under C:\Users. The device action was Blocked and the delivery vector remains unknown: no email headers or HTTP download artefacts were identified in the logs.
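The behaviours listed above (service creation, a Run key, Defender and Firewall turned off, copies dropped into remote Startup folders) are each individually noisy but together form the worm pattern this alert describes. The script below is an added triage example, not code from the video, from LetsDefend or from the DaMonki sample: it runs a small rule set over constructed process-creation log lines (pipe-separated timestamp, host, parent image, command line; the lines and the service/key names in them are invented for the demo) and flags a host as worm-like only when Persistence, Defense Evasion and Lateral Movement indicators all appear together.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not from the video's SIEM).
# Field order: timestamp | host | parent image | command line
SAMPLE_LOGS = [
    "2026-05-13T09:01:02Z|Aldo|cmd.exe|sc create DaMonki binPath= C:\\ProgramData\\importantUpdate.bat start= auto",
    "2026-05-13T09:01:03Z|Aldo|cmd.exe|reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\ProgramData\\importantUpdate.bat",
    "2026-05-13T09:01:04Z|Aldo|cmd.exe|netsh advfirewall set allprofiles state off",
    "2026-05-13T09:01:05Z|Aldo|cmd.exe|powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "2026-05-13T09:01:06Z|Aldo|cmd.exe|copy importantUpdate.bat \\\\FS01\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    "2026-05-13T09:05:00Z|Aldo|explorer.exe|notepad.exe C:\\Users\\aldo\\notes.txt",  # benign noise
]

# Detection rules: (rule name, tactic as the write-up labels it, pattern on the command line).
# The rule set is an assumption for this example; tune it to your own telemetry.
RULES = [
    ("service_persistence", "Persistence",
     re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),
    ("run_key_persistence", "Persistence",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
    ("firewall_disabled", "Defense Evasion",
     re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bstate\s+off\b", re.I)),
    ("defender_disabled", "Defense Evasion",
     re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)),
    ("startup_folder_copy", "Lateral Movement",
     # copy/xcopy/robocopy to a UNC path ending in a Startup folder
     re.compile(r"\b(copy|xcopy|robocopy)\b.*\\\\[^\\]+\\.*\\Startup\\?", re.I)),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    rule: str
    tactic: str
    command: str


def parse_line(line: str):
    """Split one pipe-separated event into (timestamp, host, parent, command)."""
    ts, host, parent, cmd = line.split("|", 3)
    return ts, host, parent, cmd


def triage(lines):
    """Return one Finding per (event, matching rule), in log order."""
    findings = []
    for line in lines:
        ts, host, _parent, cmd = parse_line(line)
        for name, tactic, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(ts, host, name, tactic, cmd))
    return findings


def summarize(findings):
    """Map each host to the sorted list of tactics observed on it."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.tactic)
    return {host: sorted(tactics) for host, tactics in by_host.items()}


def is_worm_like(findings) -> bool:
    """True when persistence, defence evasion and lateral movement all co-occur,
    i.e. the combination the SOC117 write-up attributes to importantUpdate.bat."""
    tactics = {f.tactic for f in findings}
    return {"Persistence", "Defense Evasion", "Lateral Movement"} <= tactics


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    for f in found:
        print(f"{f.timestamp} {f.host} [{f.tactic}] {f.rule}: {f.command}")
    print("per-host tactics:", summarize(found))
    print("worm-like:", is_worm_like(found))
```

Each rule on its own would fire on legitimate administration (a helpdesk script disabling the firewall, an installer registering a service), which is why `is_worm_like` keys on the combination rather than any single hit; in a real pipeline you would additionally window the events by time and correlate with the file hash that VirusTotal flagged.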
🔬 Analysis Reports
🦠 VirusTotal (importantUpdate.bat) → https://www.virustotal.com/gui/file/f...
Scenario sourced from LetsDefend.io — one of the best hands-on SOC analyst training platforms out there.
Highly recommend if you're on the same path. I'm documenting every day of my journey to landing a Level 1 SOC Analyst role — the wins, the grinds, and everything in between.

00:00 Day 111 intro
00:32 Alert Details
01:00 Investigation
05:10 Playbook Answers
09:10 5w Log
12:40 Result

🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #Worm #BatchScript #RegistryPersistence #DefenseEvasion #LateralMovement #IncidentResponse #SIEM #Day111 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity