4caa9655337629343b9b546cd1d96ad98d213972d645d00c7f3d71fb7caf635f

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{28ADEDE1-A4D5-42D8-9B05-BF7C283C4060} = "v2.0\|Action=Allow\|Active=TRUE\|Dir=Out\|Protocol=6\|Profile=Private\|Profile=Public\|App=C:\\Windows\\system32\\svchost.exe\|Name=svchost.exe\|Edge=FALSE\|"	39881622df5f1bec029291493efabcb0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{28ADEDE1-A4D5-42D8-9B05-BF7C283C4059} = "v2.0\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|Profile=Private\|Profile=Public\|App=C:\\Windows\\system32\\svchost.exe\|Name=svchost.exe\|Edge=FALSE\|"	39881622df5f1bec029291493efabcb0.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SPService\Parameters\ServiceDll = "C:\\ProgramData\\Adobe\\sp.DLL"	39881622df5f1bec029291493efabcb0.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SPService\ImagePath = "C:\\Windows\\sysWOW64\\svchost.exe -k netsvc"	39881622df5f1bec029291493efabcb0.exe

Loads dropped DLL 1 IoCs

pid	Process
2968	39881622df5f1bec029291493efabcb0.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2968-6-0x00000000003D0000-0x00000000003EE000-memory.dmp	upx
behavioral1/memory/2968-9-0x00000000003D0000-0x00000000003EE000-memory.dmp	upx
behavioral1/memory/2968-10-0x00000000003D0000-0x00000000003EE000-memory.dmp	upx
behavioral1/memory/2968-11-0x00000000003D0000-0x00000000003EE000-memory.dmp	upx
behavioral1/memory/2968-17-0x00000000003D0000-0x00000000003EE000-memory.dmp	upx

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sp\CLSID	39881622df5f1bec029291493efabcb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sp	39881622df5f1bec029291493efabcb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sp\CLSID\ = "{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"	39881622df5f1bec029291493efabcb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	39881622df5f1bec029291493efabcb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}	39881622df5f1bec029291493efabcb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}\InProcServer32\ThreadingModel = "Apartment"	39881622df5f1bec029291493efabcb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}\InProcServer32	39881622df5f1bec029291493efabcb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	39881622df5f1bec029291493efabcb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}\InProcServer32\ = "C:\\ProgramData\\Adobe\\sp.DLL"	39881622df5f1bec029291493efabcb0.exe

C:\Users\Admin\AppData\Local\Temp\39881622df5f1bec029291493efabcb0.exe
"C:\Users\Admin\AppData\Local\Temp\39881622df5f1bec029291493efabcb0.exe"
1⤵
- Modifies firewall policy service
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Modifies registry class
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

3