Overview

Per-task scores as the page renders them (score | task or sample | platform). Sample names are truncated in this view; the full names are in the task list under Analysis.

8 | Static | static
3 | parsec-windows.exe | windows11-21h2-x64
8 | $PLUGINSDI...ID.dll | windows11-21h2-x64
3 | $PLUGINSDI...em.dll | windows11-21h2-x64
3 | $PLUGINSDI...gs.dll | windows11-21h2-x64
3 | $PLUGINSDI...ec.dll | windows11-21h2-x64
3 | parsecd.exe | windows11-21h2-x64
1 | pservice.exe | windows11-21h2-x64
1 | skel/parse...3b.dll | windows11-21h2-x64
1 | teams.exe | windows11-21h2-x64
1 | vdd/parsec-vdd.exe | windows11-21h2-x64
8 | $PLUGINSDI...ec.dll | windows11-21h2-x64
3 | driver/mm.dll | windows11-21h2-x64
1 | nefconw.exe | windows11-21h2-x64
1 | vddinstall.bat | windows11-21h2-x64
8 | vdduninstall.bat | windows11-21h2-x64
4 | vusb/parsec-vud.exe | windows11-21h2-x64
8 | $PLUGINSDI...em.dll | windows11-21h2-x64
3 | $PLUGINSDI...fo.dll | windows11-21h2-x64
3 | $PLUGINSDI...gs.dll | windows11-21h2-x64
3 | $PLUGINSDI...ec.dll | windows11-21h2-x64
3 | nefconc.exe | windows11-21h2-x64
1 | nefconw.exe | windows11-21h2-x64
1 | parsecvirt...ds.sys | windows11-21h2-x64
1 | parsecvusb...ba.sys | windows11-21h2-x64
1 | vusbinstall.bat | windows11-21h2-x64
8 | vusbuninstall.bat | windows11-21h2-x64
6 | wscripts/f...dd.vbs | windows11-21h2-x64
1 | wscripts/f...ve.vbs | windows11-21h2-x64
8 | wscripts/l...up.vbs | windows11-21h2-x64
3 | wscripts/s...ll.vbs | windows11-21h2-x64
8 | wscripts/s...ec.vbs | windows11-21h2-x64
4 | wscripts/s...ve.vbs | windows11-21h2-x64
Analysis (score 8)

max time kernel: 91s
max time network: 129s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15/05/2024, 15:03
Static task: static1

Behavioral tasks (task | sample | resource):

behavioral1 | parsec-windows.exe | win11-20240426-en
behavioral2 | $PLUGINSDIR/ApplicationID.dll | win11-20240426-en
behavioral3 | $PLUGINSDIR/System.dll | win11-20240508-en
behavioral4 | $PLUGINSDIR/nsDialogs.dll | win11-20240508-en
behavioral5 | $PLUGINSDIR/nsExec.dll | win11-20240426-en
behavioral6 | parsecd.exe | win11-20240426-en
behavioral7 | pservice.exe | win11-20240508-en
behavioral8 | skel/parsecd-150-93b.dll | win11-20240508-en
behavioral9 | teams.exe | win11-20240426-en
behavioral10 | vdd/parsec-vdd.exe | win11-20240508-en
behavioral11 | $PLUGINSDIR/nsExec.dll | win11-20240508-en
behavioral12 | driver/mm.dll | win11-20240426-en
behavioral13 | nefconw.exe | win11-20240419-en
behavioral14 | vddinstall.bat | win11-20240426-en
behavioral15 | vdduninstall.bat | win11-20240426-en
behavioral16 | vusb/parsec-vud.exe | win11-20240426-en
behavioral17 | $PLUGINSDIR/System.dll | win11-20240508-en
behavioral18 | $PLUGINSDIR/UserInfo.dll | win11-20240426-en
behavioral19 | $PLUGINSDIR/nsDialogs.dll | win11-20240508-en
behavioral20 | $PLUGINSDIR/nsExec.dll | win11-20240508-en
behavioral21 | nefconc.exe | win11-20240426-en
behavioral22 | nefconw.exe | win11-20240508-en
behavioral23 | parsecvirtualds/parsecvirtualds.sys | win11-20240419-en
behavioral24 | parsecvusba/parsecvusba.sys | win11-20240426-en
behavioral25 | vusbinstall.bat | win11-20240426-en
behavioral26 | vusbuninstall.bat | win11-20240508-en
behavioral27 | wscripts/firewall-add.vbs | win11-20240508-en
behavioral28 | wscripts/firewall-remove.vbs | win11-20240426-en
behavioral29 | wscripts/legacy-cleanup.vbs | win11-20240426-en
behavioral30 | wscripts/service-install.vbs | win11-20240426-en
behavioral31 | wscripts/service-kill-parsec.vbs | win11-20240426-en

The sections that follow are the results for the vddinstall.bat task on resource win11-20240426-en.
General

Target: vddinstall.bat
Size: 420B
MD5: ee1bfb5ccbb3949e3258155e141a68a5
SHA1: b79dd1e75e3e7acd8d21d7b17c86673a6c6383d9
SHA256: 1e7c35eb6c296f96aee5ae4bbbd40395e8019bde95ef9bef91260dd8ef03c6d1
SHA512: b37d680f5dab52536926c718eb1b4c1f0e78552c061756f998e3a3ccb2dc4fbea15dd1a4b181646a68a2987a22ce225c185c2ef2bb1d10a70c780ada8cf9f9aa
Malware Config
Signatures
-
Drops file in Drivers directory (1 IoC)

Action | IoC | Process
File opened for modification | C:\Windows\System32\drivers\UMDF\mm.dll | DrvInst.exe

System32\drivers\UMDF is where Windows installs user-mode (UMDF) driver binaries, so this row is the driver package's own payload being placed by the Windows driver installer (DrvInst.exe), not a third-party process writing into the drivers directory.
Drops file in System32 directory (16 IoCs)

Action | IoC | Process
File created | C:\Windows\System32\DriverStore\Temp\{8b0fab59-34aa-b849-9d78-1fa4b2b99fb1}\SET3BB1.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{8b0fab59-34aa-b849-9d78-1fa4b2b99fb1}\SET3BB2.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8b0fab59-34aa-b849-9d78-1fa4b2b99fb1}\SET3BB3.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8b0fab59-34aa-b849-9d78-1fa4b2b99fb1} | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8b0fab59-34aa-b849-9d78-1fa4b2b99fb1}\SET3BB2.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8b0fab59-34aa-b849-9d78-1fa4b2b99fb1}\mm.dll | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.dll | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8b0fab59-34aa-b849-9d78-1fa4b2b99fb1}\SET3BB1.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8b0fab59-34aa-b849-9d78-1fa4b2b99fb1}\mm.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.dll | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{8b0fab59-34aa-b849-9d78-1fa4b2b99fb1}\SET3BB3.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8b0fab59-34aa-b849-9d78-1fa4b2b99fb1}\mm.inf | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe

Every row is DrvInst.exe staging the package (mm.inf, mm.cat, mm.dll) through DriverStore\Temp into DriverStore\FileRepository\mm.inf_amd64_615d17457058f652; CatRoot2\dberr.txt is touched by the catalog database during signature verification of mm.cat.
Drops file in Windows directory (7 IoCs)

Action | IoC | Process
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\INF\c_display.PNF | nefconw.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | nefconw.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe

setupapi.dev.log is the PnP installer's own log and records the full install sequence for this package; c_display.PNF is the precompiled (PNF) form of the in-box c_display.inf class INF, regenerated when nefconw.exe creates the Display-class device node; oem3.inf is the published name Windows gave the third-party INF when it was added to the driver store (pnputil /enum-drivers lists it under that name).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments. In this trace, however, every query comes from DrvInst.exe, the DeviceInstall svchost.exe and nefconw.exe, and targets the three storage device nodes already present in the VM (a QEMU DVD-ROM, a Microsoft virtual DVD-ROM and a DADY HARDDISK); enumerating existing device nodes is what the PnP installer does while installing a new driver package, so on its own this signature is not evidence of sandbox evasion here.

All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\; the rows give the remainder of the path.

Action | IoC | Process
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | nefconw.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | DrvInst.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | DrvInst.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | DrvInst.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | svchost.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | nefconw.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | DrvInst.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | nefconw.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | nefconw.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | DrvInst.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | nefconw.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | nefconw.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | DrvInst.exe
Key opened | CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | DrvInst.exe
Key opened | CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | svchost.exe
Key opened | CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | nefconw.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | nefconw.exe
Key opened | DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | nefconw.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | nefconw.exe
Key opened | CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | nefconw.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | nefconw.exe
Key opened | DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | svchost.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | DrvInst.exe
Key opened | DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | DrvInst.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | DrvInst.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | nefconw.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | DrvInst.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | nefconw.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | DrvInst.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | DrvInst.exe
Key opened | DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | DrvInst.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | DrvInst.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | DrvInst.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | DrvInst.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | nefconw.exe
Modifies data under HKEY_USERS (41 IoCs)

All 41 keys are created by DrvInst.exe under \REGISTRY\USER\.DEFAULT\Software\ (the profile used by SYSTEM processes). They are the empty CryptoAPI certificate-store and WinTrust keys that Windows initialises the first time a process in that profile verifies an Authenticode signature, here the catalog (mm.cat) of the driver package; no certificates are added.

Action | IoC | Process
Key created | Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Suspicious behavior: LoadsDriver (1 IoC)

pid: 4

PID 4 is the System process: the sandbox attributes the driver image load to the kernel itself, not to nefconw.exe or DrvInst.exe, which only requested the installation.
Suspicious use of AdjustPrivilegeToken (8 IoCs)

Token | PID | Process
SeAuditPrivilege | 1488 | svchost.exe
SeSecurityPrivilege | 1488 | svchost.exe
SeLoadDriverPrivilege | 3388 | nefconw.exe
SeRestorePrivilege | 2740 | DrvInst.exe
SeBackupPrivilege | 2740 | DrvInst.exe
SeLoadDriverPrivilege | 2740 | DrvInst.exe
SeLoadDriverPrivilege | 2740 | DrvInst.exe
SeLoadDriverPrivilege | 2740 | DrvInst.exe

SeLoadDriverPrivilege on DrvInst.exe and the DeviceInstall svchost.exe is baseline behaviour for the PnP installer. The row to note for triage is nefconw.exe (PID 3388), a utility launched from the user's Temp directory enabling SeLoadDriverPrivilege for its --install-driver step.
Suspicious use of WriteProcessMemory (10 IoCs)

Source PID | Source process | Target PID | procid_target
1028 | cmd.exe | 1132 | 80
1028 | cmd.exe | 1132 | 80
1028 | cmd.exe | 3744 | 81
1028 | cmd.exe | 3744 | 81
1028 | cmd.exe | 3388 | 82
1028 | cmd.exe | 3388 | 82
1488 | svchost.exe | 1776 | 84
1488 | svchost.exe | 1776 | 84
1488 | svchost.exe | 2740 | 86
1488 | svchost.exe | 2740 | 86

Each write goes from a parent into a child it has just created (cmd.exe into the three nefconw.exe instances, svchost.exe into the two DrvInst.exe instances), which matches the process tree below; this is how process creation shows up in the sandbox's hooks, not injection into an unrelated process.
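The signature tables above are flattened into run-on rows of the form action, path or key, process. The Python below is an added example (not part of the report, nor Parsec or nefcon code) that parses rows in that shape back into records, counts them per process, and pulls out the three file locations that identify a driver-package installation: the DriverStore FileRepository, System32\drivers\UMDF, and a published oem<n>.inf. The sample text is constructed from rows copied out of this report (including one registry key with spaces in its path); the action vocabulary, the pattern names and the function names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows copied from four of the report's signature tables,
# joined exactly as the page flattens them (including its '-' row separators).
SAMPLE_ROWS = r"""
File opened for modification C:\Windows\System32\drivers\UMDF\mm.dll DrvInst.exe -
File created C:\Windows\System32\DriverStore\Temp\{8b0fab59-34aa-b849-9d78-1fa4b2b99fb1}\SET3BB1.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.cat DrvInst.exe -
File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\INF\c_display.PNF nefconw.exe File opened for modification C:\Windows\INF\setupapi.dev.log nefconw.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\inf\oem3.inf DrvInst.exe -
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID nefconw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe -
"""

# Action phrases used by the report's file and registry signature tables.
ACTIONS = ("File created", "File opened for modification",
           "Key created", "Key opened", "Key value queried")
_ACTION_ALT = "|".join(re.escape(a) for a in ACTIONS)
ROW_RE = re.compile(
    rf"(?P<action>{_ACTION_ALT})\s+"
    r"(?P<target>.+?)\s+"              # path or key; may itself contain spaces
    r"(?P<process>\S+\.exe)"           # the acting process closes every row
    rf"(?=\s+(?:{_ACTION_ALT})\b|$)"   # followed by the next row or end of text
)

# File locations that, together, mean "a driver package was installed".
DRIVER_INSTALL_PATTERNS = {
    "driverstore_repository": re.compile(r"\\DriverStore\\FileRepository\\", re.I),
    "umdf_driver_binary": re.compile(r"\\System32\\drivers\\UMDF\\", re.I),
    "published_oem_inf": re.compile(r"\\inf\\oem\d+\.inf$", re.I),
}


@dataclass(frozen=True)
class IoC:
    action: str
    target: str
    process: str


def parse_rows(text: str) -> list[IoC]:
    """Split flattened signature text into (action, target, process) records."""
    flat = " ".join(text.split())                    # undo line wrapping
    flat = re.sub(r"\s-(?=\s|$)", " ", flat).strip()  # drop standalone '-' separators
    return [IoC(m["action"], m["target"], m["process"]) for m in ROW_RE.finditer(flat)]


def per_process(rows: list[IoC]) -> dict[str, int]:
    """How many of the rows each process accounts for."""
    return dict(Counter(r.process for r in rows))


def driver_install_indicators(rows: list[IoC]) -> dict[str, list[str]]:
    """Unique targets matching each driver-installation location, by pattern name."""
    hits = {name: set() for name in DRIVER_INSTALL_PATTERNS}
    for r in rows:
        for name, pat in DRIVER_INSTALL_PATTERNS.items():
            if pat.search(r.target):
                hits[name].add(r.target)
    return {name: sorted(targets) for name, targets in hits.items()}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print(per_process(rows))
    for name, targets in driver_install_indicators(rows).items():
        print(name, targets)
```

The trailing lookahead is what makes the non-greedy target work: a target is only allowed to end where a process name is followed by another action phrase or by the end of the text, so keys such as Trust Providers\Software Publishing survive intact. Rows in DriverStore\Temp are deliberately not counted as an indicator; only the FileRepository copy, the UMDF binary and the published oem<n>.inf say the package was actually installed.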
Processes

[1] C:\Windows\system32\cmd.exe (PID 1028)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vddinstall.bat"
    Signatures: Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\nefconw.exe (PID 1132)
      Command line: .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"

  [2] C:\Users\Admin\AppData\Local\Temp\nefconw.exe (PID 3744)
      Command line: .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA
      Signatures: Drops file in Windows directory

  [2] C:\Users\Admin\AppData\Local\Temp\nefconw.exe (PID 3388)
      Command line: .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"
      Signatures: Drops file in Windows directory; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\svchost.exe (PID 1488)
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    Signatures: Drops file in Windows directory; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\DrvInst.exe (PID 1776)
      Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a5c7bec9-b342-9342-95bd-12944116c5e8}\mm.inf" "9" "484386e17" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "C:\Users\Admin\AppData\Local\Temp\driver"
      Signatures: Drops file in System32 directory; Drops file in Windows directory; Checks SCSI registry key(s); Modifies data under HKEY_USERS

  [2] C:\Windows\system32\DrvInst.exe (PID 2740)
      Command line: DrvInst.exe "2" "201" "ROOT\DISPLAY\0000" "C:\Windows\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.inf" "oem3.inf:*:*:0.45.0.0:Root\Parsec\VDA," "484386e17" "0000000000000154" "c73"
      Signatures: Drops file in Drivers directory; Drops file in System32 directory; Drops file in Windows directory; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken

What the tree shows: vddinstall.bat runs nefconw.exe three times from the batch file's own directory. The first call removes any existing device node with hardware ID Root\Parsec\VDA; the second creates a new root-enumerated node in the Display adapter setup class ({4D36E968-E325-11CE-BFC1-08002BE10318} is Windows' GUID_DEVCLASS_DISPLAY); the third asks Windows to install the driver package described by .\driver\mm.inf. That request is serviced by the DeviceInstall service, which launches DrvInst.exe twice: the first instance takes the INF from the Temp directory and stages the package into the driver store (the DriverStore\Temp and FileRepository\mm.inf_amd64_615d17457058f652 writes listed under Signatures), and the second binds the staged package, published as oem3.inf with driver version 0.45.0.0, to device instance ROOT\DISPLAY\0000 and places the UMDF binary under System32\drivers\UMDF. No network activity is attributed to any of these processes.
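As an added example (mine, not the sandbox's, Parsec's or nefcon's), the Python below rebuilds the process tree from the WriteProcessMemory and AdjustPrivilegeToken rows above, copied in as constructed sample strings, and applies one triage rule: flag any process that enabled SeLoadDriverPrivilege and descends from a cmd.exe that was launched with a .bat or .cmd script. On this report that isolates nefconw.exe (PID 3388) and leaves DrvInst.exe (PID 2740) alone, since the latter is spawned by the DeviceInstall service and not by the script. The rule, the helper names and the shortened DrvInst.exe command lines in the process map are my own choices.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample: rows copied from the report's "Suspicious use of
# WriteProcessMemory" table (the page lists every parent/child pair twice).
WPM_ROWS = """
PID 1028 wrote to memory of 1132 1028 cmd.exe 80 PID 1028 wrote to memory of 1132 1028 cmd.exe 80
PID 1028 wrote to memory of 3744 1028 cmd.exe 81 PID 1028 wrote to memory of 3744 1028 cmd.exe 81
PID 1028 wrote to memory of 3388 1028 cmd.exe 82 PID 1028 wrote to memory of 3388 1028 cmd.exe 82
PID 1488 wrote to memory of 1776 1488 svchost.exe 84 PID 1488 wrote to memory of 1776 1488 svchost.exe 84
PID 1488 wrote to memory of 2740 1488 svchost.exe 86 PID 1488 wrote to memory of 2740 1488 svchost.exe 86
"""

# Constructed sample: rows copied from the "Suspicious use of AdjustPrivilegeToken" table.
TOKEN_ROWS = """
Token: SeAuditPrivilege 1488 svchost.exe Token: SeSecurityPrivilege 1488 svchost.exe
Token: SeLoadDriverPrivilege 3388 nefconw.exe Token: SeRestorePrivilege 2740 DrvInst.exe
Token: SeBackupPrivilege 2740 DrvInst.exe Token: SeLoadDriverPrivilege 2740 DrvInst.exe
Token: SeLoadDriverPrivilege 2740 DrvInst.exe Token: SeLoadDriverPrivilege 2740 DrvInst.exe
"""

# pid -> (image, command line) from the report's Processes section. The two
# DrvInst.exe command lines are shortened here; the rule never inspects them.
PROCESSES = {
    1028: ("cmd.exe", r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vddinstall.bat"'),
    1132: ("nefconw.exe", r'.\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"'),
    3744: ("nefconw.exe", r'.\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA'),
    3388: ("nefconw.exe", r'.\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"'),
    1488: ("svchost.exe", r"C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall"),
    1776: ("DrvInst.exe", r'DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a5c7bec9-b342-9342-95bd-12944116c5e8}\mm.inf" (further arguments omitted)'),
    2740: ("DrvInst.exe", r'DrvInst.exe "2" "201" "ROOT\DISPLAY\0000" (further arguments omitted)'),
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) \S+")
# cmd.exe /c <script>, with or without quotes around the script path
SCRIPT_LAUNCH_RE = re.compile(r'/c\s+(?:"[^"]+\.(?:bat|cmd)"|\S+\.(?:bat|cmd)(?=\s|$))', re.I)
INF_PATH_RE = re.compile(r'--inf-path\s+(?:"([^"]+)"|(\S+))')


def build_tree(rows: str) -> dict[int, list[int]]:
    """Parent PID -> sorted child PIDs. A parent writing into a process it has just
    created is how process creation appears in this sandbox's hooks."""
    children = defaultdict(set)
    for parent, child in WPM_RE.findall(rows):
        children[int(parent)].add(int(child))
    return {p: sorted(c) for p, c in children.items()}


def privileges(rows: str) -> dict[int, set[str]]:
    """PID -> set of privileges the process enabled on its token."""
    privs = defaultdict(set)
    for name, pid in TOKEN_RE.findall(rows):
        privs[int(pid)].add(name)
    return dict(privs)


def ancestors(pid: int, tree: dict[int, list[int]]) -> list[int]:
    """PIDs from the nearest parent up to the root of the recorded tree."""
    parent_of = {c: p for p, cs in tree.items() for c in cs}
    chain = []
    while pid in parent_of:
        pid = parent_of[pid]
        chain.append(pid)
    return chain


def script_driven_driver_loads(tree, privs, processes) -> list[tuple[int, str, int]]:
    """(pid, image, script-host pid) for processes that enabled SeLoadDriverPrivilege
    beneath a cmd.exe that was launched with a .bat/.cmd script."""
    hits = []
    for pid in sorted(privs):
        if "SeLoadDriverPrivilege" not in privs[pid]:
            continue
        for anc in ancestors(pid, tree):
            image, cmdline = processes.get(anc, ("", ""))
            if image.lower() == "cmd.exe" and SCRIPT_LAUNCH_RE.search(cmdline):
                hits.append((pid, processes[pid][0], anc))
                break
    return hits


def inf_path(cmdline: str) -> Optional[str]:
    """The INF handed to nefconw.exe --install-driver: the next artifact to pull."""
    m = INF_PATH_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


if __name__ == "__main__":
    tree = build_tree(WPM_ROWS)
    for pid, image, host in script_driven_driver_loads(tree, privileges(TOKEN_ROWS), PROCESSES):
        print(f"PID {pid} ({image}) enabled SeLoadDriverPrivilege under script host PID {host}; "
              f"INF: {inf_path(PROCESSES[pid][1])}")
```

Against endpoint telemetry the same rule would be written over process-creation events rather than WriteProcessMemory rows; the parent-writes-into-child pattern is just the shape that process creation takes in this report. DrvInst.exe stays out of the result because its ancestor is the DeviceInstall svchost.exe, which is the expected path for any driver install and carries no signal about who asked for it.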
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 11KB
MD5: 1fe1fc7cc73fb17e995d65835d51ca94
SHA1: 249acf0a3a362b2163127bd76f6d4d6aa463297d
SHA256: 136e64ac07dce5a3b4935d5a9c5cfe03983c0b3065f46a30a45536d5b1681d5c
SHA512: 31fe1bdcb5f243a6eecc40006fc70793bc5aea9d95ffe449117cb67366f0f120c393716ffe93b65a73c8b2dfe02917f1d0dcf4ca62aa302fe685513b8cc80bdc

File 2
Filesize: 4KB
MD5: d8030afe09a2f984be00389b31f7039b
SHA1: ab7a55fa6641cc31b0b7e70c8680bbbd553fc8a1
SHA256: 34da9ff45c13577631f67e33d11b8a26e3d22ca685d00c388b6122a795800588
SHA512: 0787e9e95369686b20bcbddb9ff984111c4ed53a064fc8f198691db5c124dfbe1b1f4d434dbfd81482545b723c01325ed9bcc626f461191b3ae4095222df10a6

File 3
Filesize: 169KB
MD5: f09967cc8cc9bf03612ddecb6bf86daa
SHA1: 166f8e3000b6a1e2b13b46e85b7559b9837b9aa7
SHA256: 96db6ae2f950b56e52be3e68f92893afa94645eae09fea2abd5dd1985758150a
SHA512: 190d2edea81c42a2d7a5bc69cb98f03368e702a5fcb3fc1dcd4e9c387687bab542e4b0e5de67292e8b8a7efed7fd9e30d1efdd35bcdfea28417de71db0e13864