080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9

General

Target

080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe
Size

52KB
MD5

950449f7a3f9040c2326ddcc73776b5e
SHA1

b1045033d3ef88c60aad4c128a6292820258cadf
SHA256

080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9
SHA512

90433ef9539495ef4de10420c12d8cfae511db057957a869f72cc5a8fff0bcf9ff3a08cd2afd2389f30d7b3a10bd6561e4e602b470f8e47072568f51acbd5755

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9 = "c:\\windows\\080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe -m"	080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies service 2 TTPs 41 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d0000005c004400650076006900630065005c007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d0000005c004400650076006900630065005c007b00440031003500450044003700380046002d0030003400370030002d0034003800390042002d0039003100340042002d004400410038004300330033003300330037004200410030007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d0000005c004400650076006900630065005c007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d0000005c004400650076006900630065005c007b00440031003500450044003700380046002d0030003400370030002d0034003800390042002d0039003100340042002d004400410038004300330033003300330037004200410030007d0000005c004400650076006900630065005c007b00390036003300380034004200300045002d0031004200450031002d0034003700350036002d0038003000350034002d004400300036004600420046004500350043003500310035007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{DB53ED64-5F12-4CA4-9B8F-ADA75547631C}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{DB53ED64-5F12-4CA4-9B8F-ADA75547631C}	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{2DA5E348-0B54-497B-9F96-C8948775E3C9}	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RasMan\Parameters\MiniportsInstalled = "65535"	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d0000005c004400650076006900630065005c007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage\Export = 5c004400650076006900630065005c00770061006e006100720070005f007b00440042003500330045004400360034002d0035004600310032002d0034004300410034002d0039004200380046002d004100440041003700350035003400370036003300310043007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage\Bind = 5c004400650076006900630065005c007b00440042003500330045004400360034002d0035004600310032002d0034004300410034002d0039004200380046002d004100440041003700350035003400370036003300310043007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d002200000022007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d00220000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00440031003500450044003700380046002d0030003400370030002d0034003800390042002d0039003100340042002d004400410038004300330033003300330037004200410030007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{BE50C3B6-16C0-43A6-BA3E-E7D010D7A11D}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{DB53ED64-5F12-4CA4-9B8F-ADA75547631C}	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage\Export = 5c004400650076006900630065005c00770061006e00610072007000760036005f007b00420045003500300043003300420036002d0031003600430030002d0034003300410036002d0042004100330045002d004500370044003000310030004400370041003100310044007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{BE50C3B6-16C0-43A6-BA3E-E7D010D7A11D}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}-0000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00440031003500450044003700380046002d0030003400370030002d0034003800390042002d0039003100340042002d004400410038004300330033003300330037004200410030007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00390036003300380034004200300045002d0031004200450031002d0034003700350036002d0038003000350034002d004400300036004600420046004500350043003500310035007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d002200000022007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d002200000022007b00440031003500450044003700380046002d0030003400370030002d0034003800390042002d0039003100340042002d004400410038004300330033003300330037004200410030007d002200000022007b00390036003300380034004200300045002d0031004200450031002d0034003700350036002d0038003000350034002d004400300036004600420046004500350043003500310035007d00220000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{DB53ED64-5F12-4CA4-9B8F-ADA75547631C}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}-0000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{BE50C3B6-16C0-43A6-BA3E-E7D010D7A11D}	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{2DA5E348-0B54-497B-9F96-C8948775E3C9}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}-0000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{2DA5E348-0B54-497B-9F96-C8948775E3C9}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage\Bind = 5c004400650076006900630065005c007b00420045003500300043003300420036002d0031003600430030002d0034003300410036002d0042004100330045002d004500370044003000310030004400370041003100310044007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d00220000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00440031003500450044003700380046002d0030003400370030002d0034003800390042002d0039003100340042002d004400410038004300330033003300330037004200410030007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00390036003300380034004200300045002d0031004200450031002d0034003700350036002d0038003000350034002d004400300036004600420046004500350043003500310035007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00430039004200440031004300430043002d0031003400460031002d0034003500380033002d0038004100390042002d003000300043003900450034003400310035004200420046007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d0000005c004400650076006900630065005c007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d0000005c004400650076006900630065005c007b00440031003500450044003700380046002d0030003400370030002d0034003800390042002d0039003100340042002d004400410038004300330033003300330037004200410030007d0000005c004400650076006900630065005c007b00390036003300380034004200300045002d0031004200450031002d0034003700350036002d0038003000350034002d004400300036004600420046004500350043003500310035007d0000005c004400650076006900630065005c007b00430039004200440031004300430043002d0031003400460031002d0034003500380033002d0038004100390042002d003000300043003900450034003400310035004200420046007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage\Route = 22007b00440042003500330045004400360034002d0035004600310032002d0034004300410034002d0039004200380046002d004100440041003700350035003400370036003300310043007d00220000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d002200000022007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d002200000022007b00440031003500450044003700380046002d0030003400370030002d0034003800390042002d0039003100340042002d004400410038004300330033003300330037004200410030007d00220000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00370045003200350037003600440044002d0036004600410036002d0034004600410035002d0038003600340046002d003600460036003900300038004300310036004200370032007d002200000022007b00330041003200440032003200360032002d0042003300330034002d0034003600410037002d0041004300350034002d003400350044003500450033003000420032004300350037007d002200000022007b00440031003500450044003700380046002d0030003400370030002d0034003800390042002d0039003100340042002d004400410038004300330033003300330037004200410030007d002200000022007b00390036003300380034004200300045002d0031004200450031002d0034003700350036002d0038003000350034002d004400300036004600420046004500350043003500310035007d002200000022007b00430039004200440031004300430043002d0031003400460031002d0034003500380033002d0038004100390042002d003000300043003900450034003400310035004200420046007d00220000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage\Route = 22007b00420045003500300043003300420036002d0031003600430030002d0034003300410036002d0042004100330045002d004500370044003000310030004400370041003100310044007d00220000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{BE50C3B6-16C0-43A6-BA3E-E7D010D7A11D}	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{2DA5E348-0B54-497B-9F96-C8948775E3C9}	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exesvchost.exe

description	ioc	process
File created	\??\c:\windows\080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe	080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe
File opened for modification	\??\c:\windows\080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe	080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe

Checks SCSI registry key(s) 3 TTPs 96 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
624

pid
4
4
4
4
4
624

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2700	svchost.exe
Token: SeCreatePagefilePrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe
Token: SeLoadDriverPrivilege	2700	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe

pid process

756 080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe

pid process

756 080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe

pid	process
756	080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe

pid	process
756	080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe

C:\Users\Admin\AppData\Local\Temp\080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe
"C:\Users\Admin\AppData\Local\Temp\080d08c313d734957783069a36fcab4160ab9ae212b861ba8b0d241d07777be9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:756

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:2408

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2484

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Modifies service
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2700

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
- Modifies service
PID:3508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\INF\netrasa.PNF
MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\INF\netsstpa.PNF
MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads