ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2

General

Target

ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe
Size

50KB
MD5

745ded2f0c2c9b07ca67542af6bdd031
SHA1

43b9140d519c05bf0ff413d0bba1a90a03a132e2
SHA256

ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2
SHA512

f628aa8bc831e46291d7b76ae59ebd650fff694ecb0254ebd7a05452bbf2f32d5552775c981563f2de28396f341a5aac3cc73a5701a55f7ad8a849926b38df20

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2 = "c:\\windows\\ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe -m"	ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies service 2 TTPs 41 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{D42124DA-0B26-49D5-90BB-B3A9405C8B6D}	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{9C670355-320B-4636-AA01-A549A6511549}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{9C670355-320B-4636-AA01-A549A6511549}	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d00220000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d0000005c004400650076006900630065005c007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d0000005c004400650076006900630065005c007b00440033003600330033003800300036002d0032003100320033002d0034004300440044002d0039004500380036002d003200350031003300300042004400310043004100410043007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d0000005c004400650076006900630065005c007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d0000005c004400650076006900630065005c007b00440033003600330033003800300036002d0032003100320033002d0034004300440044002d0039004500380036002d003200350031003300300042004400310043004100410043007d0000005c004400650076006900630065005c007b00330038003400300039003800390030002d0046003200350045002d0034003000320038002d0038003200420045002d003500430046003500390046003700350036004100300033007d0000005c004400650076006900630065005c007b00300043003200340036004200300039002d0039003200420032002d0034004100390039002d0041004600300041002d003600460030003500380032003200390041004300310030007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d002200000022007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d002200000022007b00440033003600330033003800300036002d0032003100320033002d0034004300440044002d0039004500380036002d003200350031003300300042004400310043004100410043007d002200000022007b00330038003400300039003800390030002d0046003200350045002d0034003000320038002d0038003200420045002d003500430046003500390046003700350036004100300033007d002200000022007b00300043003200340036004200300039002d0039003200420032002d0034004100390039002d0041004600300041002d003600460030003500380032003200390041004300310030007d00220000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{5967E635-6631-4877-BD99-EB97DC7D7ACF}	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{5967E635-6631-4877-BD99-EB97DC7D7ACF}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}-0000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d0000005c004400650076006900630065005c007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d002200000022007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d002200000022007b00440033003600330033003800300036002d0032003100320033002d0034004300440044002d0039004500380036002d003200350031003300300042004400310043004100410043007d00220000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d002200000022007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d002200000022007b00440033003600330033003800300036002d0032003100320033002d0034004300440044002d0039004500380036002d003200350031003300300042004400310043004100410043007d002200000022007b00330038003400300039003800390030002d0046003200350045002d0034003000320038002d0038003200420045002d003500430046003500390046003700350036004100300033007d00220000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{5967E635-6631-4877-BD99-EB97DC7D7ACF}	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage\Bind = 5c004400650076006900630065005c007b00350039003600370045003600330035002d0036003600330031002d0034003800370037002d0042004400390039002d004500420039003700440043003700440037004100430046007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{9C670355-320B-4636-AA01-A549A6511549}	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{D42124DA-0B26-49D5-90BB-B3A9405C8B6D}	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00440033003600330033003800300036002d0032003100320033002d0034004300440044002d0039004500380036002d003200350031003300300042004400310043004100410043007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{D42124DA-0B26-49D5-90BB-B3A9405C8B6D}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}-0000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage\Route = 22007b00350039003600370045003600330035002d0036003600330031002d0034003800370037002d0042004400390039002d004500420039003700440043003700440037004100430046007d00220000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Route = 22007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d002200000022007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d00220000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00440033003600330033003800300036002d0032003100320033002d0034004300440044002d0039004500380036002d003200350031003300300042004400310043004100410043007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00330038003400300039003800390030002d0046003200350045002d0034003000320038002d0038003200420045002d003500430046003500390046003700350036004100300033007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00300043003200340036004200300039002d0039003200420032002d0034004100390039002d0041004600300041002d003600460030003500380032003200390041004300310030007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters\{9C670355-320B-4636-AA01-A549A6511549}\{3BFD7820-D65C-4C1B-9FEA-983A019639EA}-0000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d0000005c004400650076006900630065005c007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d0000005c004400650076006900630065005c007b00440033003600330033003800300036002d0032003100320033002d0034004300440044002d0039004500380036002d003200350031003300300042004400310043004100410043007d0000005c004400650076006900630065005c007b00330038003400300039003800390030002d0046003200350045002d0034003000320038002d0038003200420045002d003500430046003500390046003700350036004100300033007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WFPLWFS\Parameters\Adapters	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{D42124DA-0B26-49D5-90BB-B3A9405C8B6D}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarpv6\Linkage\Export = 5c004400650076006900630065005c00770061006e00610072007000760036005f007b00350039003600370045003600330035002d0036003600330031002d0034003800370037002d0042004400390039002d004500420039003700440043003700440037004100430046007d0000000000	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{5967E635-6631-4877-BD99-EB97DC7D7ACF}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Bind = 5c004400650076006900630065005c007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d0000000000	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RasMan\Parameters\MiniportsInstalled = "65535"	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage\Route = 22007b00440034003200310032003400440041002d0030004200320036002d0034003900440035002d0039003000420042002d004200330041003900340030003500430038004200360044007d00220000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage\Bind = 5c004400650076006900630065005c007b00440034003200310032003400440041002d0030004200320036002d0034003900440035002d0039003000420042002d004200330041003900340030003500430038004200360044007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisWan\Linkage\Export = 5c004400650076006900630065005c004e00640069007300570061006e005f007b00350035003900300041004600360035002d0036003900350034002d0034004600380034002d0039003600360044002d003900430041004600370042003600320031003900450037007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00460042003500310042004300440031002d0042003500330035002d0034003600340039002d0039003200310037002d003100310043003400390030004200460045004100340033007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00440033003600330033003800300036002d0032003100320033002d0034004300440044002d0039004500380036002d003200350031003300300042004400310043004100410043007d0000005c004400650076006900630065005c004e00640069007300570061006e005f007b00330038003400300039003800390030002d0046003200350045002d0034003000320038002d0038003200420045002d003500430046003500390046003700350036004100300033007d0000000000	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\Linkage\Export = 5c004400650076006900630065005c00770061006e006100720070005f007b00440034003200310032003400440041002d0030004200320036002d0034003900440035002d0039003000420042002d004200330041003900340030003500430038004200360044007d0000000000	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exesvchost.exesvchost.exe

description	ioc	process
File created	\??\c:\windows\ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe	ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe
File opened for modification	\??\c:\windows\ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe	ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe

Checks SCSI registry key(s) 3 TTPs 96 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
612

pid
4
4
4
4
4
612

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1772	svchost.exe
Token: SeCreatePagefilePrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe
Token: SeLoadDriverPrivilege	1772	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe

pid process

500 ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe

pid process

500 ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe

pid	process
500	ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe

pid	process
500	ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe

C:\Users\Admin\AppData\Local\Temp\ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe
"C:\Users\Admin\AppData\Local\Temp\ae4cc675f5090aa1c90f406f508b71c960c3541a5fe8a01be3b1d3547c7c9ae2.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:500

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:688

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3028

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Modifies service
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1772

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
- Modifies service
PID:2896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\INF\netrasa.PNF
MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\INF\netsstpa.PNF
MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads