Analysis
- max time kernel: 1s
- max time network: 12s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-de
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-de, locale:de-de, os:windows10-2004-x64, system, windows
- submitted: 19/08/2023, 21:11
Static task
- static1: 1 signatures

Behavioral task
- behavioral1: sample destroy.exe, resource win10v2004-20230703-de, 7 signatures, 1800 seconds
General
- Target: destroy.exe
- Size: 1.2MB
- MD5: e158a46ff5953819ae7d2dec7be5e320
- SHA1: e41de85d2030c374d91ab394deb9cfc5125e8a57
- SHA256: 25e9a920e26c0649fa67cd6077c90a448ab6f852a69e509922531a3f87bc9cf2
- SHA512: b98d8053128e3fd9fb6dfaf2213b1cc91580594ee7d5c0c3bdcaaaa45c0dfd7e22acc6a3d07402ba6b0ace9ebe783efdeff7413362c88736c557f4f1077b4f26
- SSDEEP: 24576:zdofGAmSIQ177wZ+A7MjiiRDXU/Sat5RgsLSmIOHsU5zMmX1xYwncqKvGq9TV:zdofGbSIQ177wZvYjiiRDXASat5RgsLG
- Score: 10/10
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 64 IoCs)
All IoCs in this signature were produced by process destroy.exe (columns: description, ioc):
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v2.0.50727_32-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\vmicvss-block-in = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\PolicyAgent-4 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\PeerDist Allow WSD Out = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\AssignedAccessManagerSvc-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\DisplayEnhancementService Deny All Inbound = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\SNMPTRAP-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\DHCP-1 = "0x00FF00"
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\PnrpAuto Block In = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{558988F5-0234-4DAD-B6BB-18CD6CA8CF2D} = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\SearchIndexer-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\Wcmsvc-NTP Allow OUT = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\vmicheartbeat-allow-in = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\PerfHost-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\HomeGroup Allow Out = "0x00FF00"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PolicyVersion = "65280"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\PcaSvc-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\P2P Grouping Block Out = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\AxInstSV-3 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\MPSSVC-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\wbengine-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\vmickvpexchange-block-in = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\VDS-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\MPSSVC-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\Trkwks-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\Sysmain-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\dsmsvc-1 = "0x00FF00"
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\DHCP-1-1 = "0x00FF00"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DisableStatefulFTP = "65280"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\WSC Deny All Outbound = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\Microsoft-Windows-AllJoyn-Router-Block-Out-AllElse = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\Microsoft-Windows-AllJoyn-Router-Block-In-AllElse = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\fdphost-4 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\Eventlog-3 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\DPS-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\DeviceManagement-3 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFilePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v2.0.50727_32-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\AssignedAccessManagerSvc-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\vmicheartbeat-allow-out = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\SNMPTRAP-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\PNRP Block In = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\fdphost-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\DeviceManagement-8 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_64-2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\PcaSvc-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\AVEndpointBuilder-2 = "0x00FF00"
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\PeerDist Allow WSD Out 2 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\vmicvmsession-block-in = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\Microsoft-Windows-AllJoyn-Router-Allow-In-UDP = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\HomeGroup Listener Block In = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\CDPSvc-8 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\WMPNetworkSvc-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\PeerDist Block In = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\WinHttpAutoProxySvc-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\SearchFilterHost-1 = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\PNRP Allow In = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\Microsoft-Windows-AllJoyn-Router-Allow-In-TCP = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\DeviceManagement-5 = "0x00FF00"
Modifies security service (2 TTPs, 40 IoCs)
All IoCs in this signature were produced by process destroy.exe (columns: description, ioc):
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters\ServiceDll = "0x00FF00"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Type = "65280"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\SvcMemSoftLimitInMB = "65280"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ErrorControl = "65280"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Description = "0x00FF00"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1\Type = "65280"
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\DependOnService = 3000780030003000460046003000300000000000
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters\ServiceDllUnloadOnStop = "65280"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters\ServiceDllUnloadOnStop = "65280"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\SvcMemMidLimitInMB = "65280"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "65280"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ObjectName = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\DisplayName = "0x00FF00"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\SvcMemHardLimitInMB = "65280"
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0\Type = "65280"
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\RequiredPrivileges = 3000780030003000460046003000300000000000
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\LaunchProtected = "65280"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\ImagePath = "0x00FF00"
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\DependOnService = 3000780030003000460046003000300000000000
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\DelayedAutoStart = "65280"
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters\ServiceDll = "0x00FF00"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ServiceSidType = "65280"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters\ServiceMain = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\ObjectName = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Description = "0x00FF00"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Type = "65280"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1\Action = "65280"
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0\Action = "65280"
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\ErrorControl = "65280"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\DisplayName = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ImagePath = "0x00FF00"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "65280"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\ServiceSidType = "65280"
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\RequiredPrivileges = 3000780030003000460046003000300000000000
Sets DLL path for service in the registry (2 TTPs, 64 IoCs)
All IoCs in this signature were produced by process destroy.exe (columns: description, ioc):
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wlpasvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WlanSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wcncsvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SystemEventsBroker\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XblAuthManager\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WpcMonSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wecsvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WbioSrvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicrdv\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VacSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UserManager\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\upnphost\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TabletInputService\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wercplsupport\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wcmsvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SmsRouter\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WebClient\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysMain\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VaultSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svsvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stisvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WManSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmictimesync\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicheartbeat\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tzautoupdate\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\swprv\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WiaRpc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicvss\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinHttpAutoProxySvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicvmsession\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XblGameSave\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WPDBusEnum\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmickvpexchange\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TimeBrokerSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WEPHOSTSVC\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedRealitySvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\smphost\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WarpJITSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Themes\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicshutdown\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicguestinterface\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UmRdpService\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ShellHWDetection\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\StateRepository\parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TroubleshootingSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TokenBroker\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\StorSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wisvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinRM\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UsoSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SstpSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\shpamsvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XboxGipSvc\Parameters\ServiceDll = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WwanSvc\Parameters\ServiceDll = "0x00FF00"
Sets service image path in registry (2 TTPs, 64 IoCs)
All IoCs in this signature were produced by process destroy.exe (columns: description, ioc):
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wecsvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\volume\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SysMain\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\storvsc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinVerbs\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinHttpAutoProxySvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicvmsession\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicrdv\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tcpipreg\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WindowsTrustedRT\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WebClient\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sppsvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicshutdown\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UevAgentDriver\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\upnphost\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TieringEngineService\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SstpSvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SpbCx\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WwanSvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USBSTOR\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbprint\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UEFI\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stornvme\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_27b2a\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VerifierExt\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wlpasvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_27b2a\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Themes\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\smbdirect\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xboxgip\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WpcMonSvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmbus\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbser\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tdx\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SystemEventsBroker\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinRM\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\volsnap\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TsUsbFlt\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TokenBroker\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\storufs\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stisvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SNMPTRAP\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SiSRaid2\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\umbus\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ufx01000\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wanarp\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vwififlt\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vhf\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc_27b2a\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ucx01000\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XboxGipSvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WbioSrvc\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\storahci\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbohci\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UcmUcsiCx0101\ImagePath = "0x00FF00"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UcmCx0101\ImagePath = "0x00FF00"
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, pid 2680, process destroy.exe

Suspicious use of FindShellTrayWindow (1 IoC)
- pid 2680, process destroy.exe

Suspicious use of SendNotifyMessage (1 IoC)
- pid 2680, process destroy.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\destroy.exe (command line: "C:\Users\Admin\AppData\Local\Temp\destroy.exe"), PID 2680
  - Modifies firewall policy service
  - Modifies security service
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (2)
  - Windows Service (2)