c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Size

727KB
MD5

b844d30083e3a7b9147913ef5b155170
SHA1

c4d4d34221d3ad54ce9051c6e42abfef51d8e6ae
SHA256

c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e
SHA512

b16f6cbefd79bb45550442a6020c4142927a100ffd231a206b8e48aae5552459f3ff3ca67dbac215f8b3bd2c466948236f76b690c554dc27bac7bf9325b6099b
SSDEEP

3072:OmqtkjEgIN9thOU2t2DxcBjXnyIpGXJK2jxcis0A:lqtsEFOUalfGXJ4isP

Score

10^/10

bootkit discovery evasion execution persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\hidefileext = "1"	dhcp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\hidefileext = "1"	helpsrv.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	dhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows help services = "C:\\Windows\\system32\\helpsrv.exe"	dhcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	helpsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows help services = "C:\\Windows\\system32\\helpsrv.exe"	helpsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows help services = "C:\\Windows\\system32\\helpsrv.exe"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	dhcp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	helpsrv.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
1312	dhcp.exe
1920	helpsrv.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dhcp client = "C:\\Windows\\dhcp.exe"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dhcp client = "C:\\Windows\\dhcp.exe"	dhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dhcp client = "C:\\Windows\\dhcp.exe"	helpsrv.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vds.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	helpsrv.exe
File opened for modification	F:\autorun.inf	helpsrv.exe
File created	C:\autorun.inf	dhcp.exe
File opened for modification	C:\autorun.inf	dhcp.exe
File created	F:\autorun.inf	dhcp.exe
File opened for modification	F:\autorun.inf	dhcp.exe
File created	C:\autorun.inf	helpsrv.exe
File opened for modification	C:\autorun.inf	helpsrv.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\helpsrv.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\ftdisk.sys	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\igfx32.lrc	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\compmhelp.htm	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\dhcp.sys	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\dpvsrv.dll	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\grouppolicy\machine\scripts\startup\ftdisk.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\directx.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\initgdi32.cui	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\cmediahelp.chm	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\help\ipshelp.hlp	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\dhcp.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	vds.exe

Launches sc.exe 50 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
844	sc.exe
2572	sc.exe
1788	sc.exe
3012	sc.exe
748	sc.exe
2024	sc.exe
1652	sc.exe
2468	sc.exe
1972	sc.exe
348	sc.exe
1152	sc.exe
1672	sc.exe
2436	sc.exe
2792	sc.exe
1264	sc.exe
1396	sc.exe
1988	sc.exe
864	sc.exe
2900	sc.exe
2252	sc.exe
408	sc.exe
2296	sc.exe
2112	sc.exe
2488	sc.exe
1448	sc.exe
2104	sc.exe
1080	sc.exe
2448	sc.exe
1076	sc.exe
1376	sc.exe
296	sc.exe
1744	sc.exe
1804	sc.exe
2920	sc.exe
2176	sc.exe
2432	sc.exe
956	sc.exe
2772	sc.exe
2460	sc.exe
1800	sc.exe
1232	sc.exe
1544	sc.exe
1756	sc.exe
2660	sc.exe
1620	sc.exe
2032	sc.exe
1272	sc.exe
1132	sc.exe
1764	sc.exe
2192	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	helpsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\s-1-5-21-1229272821-838170752-839522115-1003\software\microsoft\internet explorer\main	dhcp.exe
Key created	\REGISTRY\USER\s-1-5-21-1229272821-838170752-839522115-1003\software\microsoft\internet explorer\main	helpsrv.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = fe00310000000000000000001600633438316339633130653766383835623832306663363761343233373234333831323336306565313166343765363131393565313437303336666436613836650000ae0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000006300340038003100630039006300310030006500370066003800380035006200380032003000660063003600370061003400320033003700320034003300380031003200330036003000650065003100310066003400370065003600310031003900350065003100340037003000330036006600640036006100380036006500000050000000	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000100054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1920	helpsrv.exe
1312	dhcp.exe
1312	dhcp.exe
1312	dhcp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
1312	dhcp.exe
1920	helpsrv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2800	2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	30
PID 2316 wrote to memory of 2800	2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	30
PID 2316 wrote to memory of 2800	2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	30
PID 2316 wrote to memory of 2800	2316	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	30
PID 2800 wrote to memory of 2772	2800	cmd.exe	32
PID 2800 wrote to memory of 2772	2800	cmd.exe	32
PID 2800 wrote to memory of 2772	2800	cmd.exe	32
PID 2800 wrote to memory of 2772	2800	cmd.exe	32
PID 2800 wrote to memory of 2660	2800	cmd.exe	33
PID 2800 wrote to memory of 2660	2800	cmd.exe	33
PID 2800 wrote to memory of 2660	2800	cmd.exe	33
PID 2800 wrote to memory of 2660	2800	cmd.exe	33
PID 2800 wrote to memory of 2296	2800	cmd.exe	34
PID 2800 wrote to memory of 2296	2800	cmd.exe	34
PID 2800 wrote to memory of 2296	2800	cmd.exe	34
PID 2800 wrote to memory of 2296	2800	cmd.exe	34
PID 2800 wrote to memory of 1620	2800	cmd.exe	36
PID 2800 wrote to memory of 1620	2800	cmd.exe	36
PID 2800 wrote to memory of 1620	2800	cmd.exe	36
PID 2800 wrote to memory of 1620	2800	cmd.exe	36
PID 2800 wrote to memory of 296	2800	cmd.exe	37
PID 2800 wrote to memory of 296	2800	cmd.exe	37
PID 2800 wrote to memory of 296	2800	cmd.exe	37
PID 2800 wrote to memory of 296	2800	cmd.exe	37
PID 2800 wrote to memory of 2112	2800	cmd.exe	38
PID 2800 wrote to memory of 2112	2800	cmd.exe	38
PID 2800 wrote to memory of 2112	2800	cmd.exe	38
PID 2800 wrote to memory of 2112	2800	cmd.exe	38
PID 2800 wrote to memory of 1744	2800	cmd.exe	39
PID 2800 wrote to memory of 1744	2800	cmd.exe	39
PID 2800 wrote to memory of 1744	2800	cmd.exe	39
PID 2800 wrote to memory of 1744	2800	cmd.exe	39
PID 2800 wrote to memory of 1804	2800	cmd.exe	40
PID 2800 wrote to memory of 1804	2800	cmd.exe	40
PID 2800 wrote to memory of 1804	2800	cmd.exe	40
PID 2800 wrote to memory of 1804	2800	cmd.exe	40
PID 2800 wrote to memory of 2488	2800	cmd.exe	41
PID 2800 wrote to memory of 2488	2800	cmd.exe	41
PID 2800 wrote to memory of 2488	2800	cmd.exe	41
PID 2800 wrote to memory of 2488	2800	cmd.exe	41
PID 2800 wrote to memory of 2468	2800	cmd.exe	42
PID 2800 wrote to memory of 2468	2800	cmd.exe	42
PID 2800 wrote to memory of 2468	2800	cmd.exe	42
PID 2800 wrote to memory of 2468	2800	cmd.exe	42
PID 2800 wrote to memory of 2572	2800	cmd.exe	43
PID 2800 wrote to memory of 2572	2800	cmd.exe	43
PID 2800 wrote to memory of 2572	2800	cmd.exe	43
PID 2800 wrote to memory of 2572	2800	cmd.exe	43
PID 2800 wrote to memory of 1788	2800	cmd.exe	44
PID 2800 wrote to memory of 1788	2800	cmd.exe	44
PID 2800 wrote to memory of 1788	2800	cmd.exe	44
PID 2800 wrote to memory of 1788	2800	cmd.exe	44
PID 2800 wrote to memory of 1448	2800	cmd.exe	45
PID 2800 wrote to memory of 1448	2800	cmd.exe	45
PID 2800 wrote to memory of 1448	2800	cmd.exe	45
PID 2800 wrote to memory of 1448	2800	cmd.exe	45
PID 2800 wrote to memory of 2032	2800	cmd.exe	46
PID 2800 wrote to memory of 2032	2800	cmd.exe	46
PID 2800 wrote to memory of 2032	2800	cmd.exe	46
PID 2800 wrote to memory of 2032	2800	cmd.exe	46
PID 2800 wrote to memory of 1988	2800	cmd.exe	47
PID 2800 wrote to memory of 1988	2800	cmd.exe	47
PID 2800 wrote to memory of 1988	2800	cmd.exe	47
PID 2800 wrote to memory of 1988	2800	cmd.exe	47

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\norun = "1"	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nosecuritytab = "1"	helpsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\norun = "1"	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nosecuritytab = "1"	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runstartupscriptsync = "1"	dhcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer	helpsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofind = "1"	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofind = "1"	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runstartupscriptsync = "1"	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runlogonscriptsync = "1"	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runlogonscriptsync = "1"	helpsrv.exe

C:\Users\Admin\AppData\Local\Temp\c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
"C:\Users\Admin\AppData\Local\Temp\c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\_dSC.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\sc.exe
    sc stop audiosrv
    3⤵
    - Launches sc.exe
    PID:2772
- - C:\Windows\SysWOW64\sc.exe
    sc delete audiosrv
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\sc.exe
    sc stop spooler
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2296
- - C:\Windows\SysWOW64\sc.exe
    sc delete spooler
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1620
- - C:\Windows\SysWOW64\sc.exe
    sc stop sens
    3⤵
    - Launches sc.exe
    PID:296
- - C:\Windows\SysWOW64\sc.exe
    sc delete sens
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\sc.exe
    sc stop wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1744
- - C:\Windows\SysWOW64\sc.exe
    sc delete wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1804
- - C:\Windows\SysWOW64\sc.exe
    sc stop sharedaccess
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2488
- - C:\Windows\SysWOW64\sc.exe
    sc delete sharedaccess
    3⤵
    - Launches sc.exe
    PID:2468
- - C:\Windows\SysWOW64\sc.exe
    sc stop srservice
    3⤵
    - Launches sc.exe
    PID:2572
- - C:\Windows\SysWOW64\sc.exe
    sc delete srservice
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1788
- - C:\Windows\SysWOW64\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1448
- - C:\Windows\SysWOW64\sc.exe
    sc delete wuauserv
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2032
- - C:\Windows\SysWOW64\sc.exe
    sc stop avp
    3⤵
    - Launches sc.exe
    PID:1988
- - C:\Windows\SysWOW64\sc.exe
    sc delete avp
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1972
- C:\Windows\dhcp.exe
  C:\Windows\dhcp.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\_dSC.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
  - - C:\Windows\SysWOW64\sc.exe
      sc stop audiosrv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:864
  - - C:\Windows\SysWOW64\sc.exe
      sc delete audiosrv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2920
  - - C:\Windows\SysWOW64\sc.exe
      sc stop spooler
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2900
  - - C:\Windows\SysWOW64\sc.exe
      sc delete spooler
      4⤵
      Launches sc.exe
      PID:348
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sens
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2460
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sens
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2436
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wscsvc
      4⤵
      Launches sc.exe
      PID:3012
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wscsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2252
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sharedaccess
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1272
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sharedaccess
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1800
  - - C:\Windows\SysWOW64\sc.exe
      sc stop srservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2432
  - - C:\Windows\SysWOW64\sc.exe
      sc delete srservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1132
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:1232
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wuauserv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:956
  - - C:\Windows\SysWOW64\sc.exe
      sc stop avp
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2024
  - - C:\Windows\SysWOW64\sc.exe
      sc delete avp
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1764
- - C:\Windows\SysWOW64\sc.exe
    sc start themes
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\_dhS.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:952
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\hcdRS.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\_DLLd.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1572
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld1.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1636
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld2.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:3000
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld3.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
- C:\Windows\SysWOW64\helpsrv.exe
  C:\Windows\system32\helpsrv.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\_dSC.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:484
  - - C:\Windows\SysWOW64\sc.exe
      sc stop audiosrv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1152
  - - C:\Windows\SysWOW64\sc.exe
      sc delete audiosrv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1672
  - - C:\Windows\SysWOW64\sc.exe
      sc stop spooler
      4⤵
      Launches sc.exe
      PID:2104
  - - C:\Windows\SysWOW64\sc.exe
      sc delete spooler
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2792
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sens
      4⤵
      Launches sc.exe
      PID:2176
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sens
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:748
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wscsvc
      4⤵
      Launches sc.exe
      PID:1080
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wscsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2448
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sharedaccess
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:408
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sharedaccess
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1076
  - - C:\Windows\SysWOW64\sc.exe
      sc stop srservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1376
  - - C:\Windows\SysWOW64\sc.exe
      sc delete srservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1264
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1544
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wuauserv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1396
  - - C:\Windows\SysWOW64\sc.exe
      sc stop avp
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1756
  - - C:\Windows\SysWOW64\sc.exe
      sc delete avp
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2192
- - C:\Windows\SysWOW64\sc.exe
    sc start themes
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:844
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\F:\autorun.inf
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\_dhS.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2488
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\hcdRS.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\_DLLd.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:316
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld1.dat
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld2.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld3.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2472

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:296

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_DLLd.bat

Filesize
93B

MD5
c32eb32220506549c954ff1dd2e5f26e

SHA1
25157778cc435e0f2df7f0b62b64347b35d07695

SHA256
9d840c6a3524397cd7c1d886ba7dd7313fd5cc82ca13cb5648662c843c5424e7

SHA512
370856c5f8715c587557e156678d1852ef6564ca04ed83d52694194ece19468cde0bbbd241058eac932207f3be21ae17badacac1c2320155f6c3e4859c0c220e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dSC.bat

Filesize
290B

MD5
a248e0b9bc5c88b984f4be429298c1d6

SHA1
1ce140c1918089efd238404a171be62702144ab8

SHA256
c77e889b2172b962fb3277dcd14560edf2918d22403d6fcd19724afa008275ef

SHA512
84d72f13c80e33f9e70edd4b23418cbbbdbfd0b4c9cb2b425e43bedad5106b37b54a528c655f57596b7d9aab2a9cb9629dd63db8efc60160c0b64b5e923df933

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dhS.bat

Filesize
30B

MD5
0869aa8764685cc50e2b68185ec6d763

SHA1
f7eda8a1d28014fc60e981532cf68b6eef83349c

SHA256
1597a2e108a6b8de01ab570d6b4a9b2b7b542e62a168a7d76aaafcdd542e4b7b

SHA512
2e798b2d0522eef5f0169e58a42290a6ddc23fb32a31faf92d31514bc6ac73d495bac37b26b6553a480b0c79a4f8763748e08ab6a2e8515e859918d436da93e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcdRS.dat

Filesize
59B

MD5
2d2e3c00f7632f2fc1ea457658a46751

SHA1
62ac3ca1556f94bb43f4d2ae121756839ae7ba52

SHA256
4e2f5849689150dc7bcc823a5c1ab3d11de70fdd83761e4eb695f955183a6e09

SHA512
d298d24eeb1383f7f3c7fa56c45fb033dfb6c0f50a7b377e5bb49ec1ef8a311664956a20700eac6ceced3d259abe4894aa23318f229d98dc543a9062e20555c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdlld1.dat

Filesize
59B

MD5
6e7d774057f854f664ffcacbc0ae9581

SHA1
0432f96d077a55d58e9d1537a56723ee8f21e1cb

SHA256
149c31333734b73865ca5a6afd30535b269e41e37112b5be10e0d420fd77cf07

SHA512
976f7096347808fd6424d319e092758a70414952df5b23fcbfddd7e366468f20e1cc029feeb2a52f265e0a99ca650c21b62d2c4a455cf4003e4a8e38c9060f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdlld2.dat

Filesize
59B

MD5
0775bc0a5c052eda999f31979551f38c

SHA1
54d846c61b1b0a2ecafa688259fc5dc8ac01932f

SHA256
58bc9dddd6b06f94a0bcb1cc904b04ee1fc5695bc545f0ba2c419b2a22d89f5b

SHA512
878653ad916d9801704d2ed65dc2e3f25beaa13d8383c6530e97cce86fa99e2ec4c893d5b839c83c090da37d5d64e26256ebf87d44b3bc247aa8f04bc9cb222a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdlld3.dat

Filesize
59B

MD5
d36fa4c9ecb3a9d09a9b6cbdc78100e3

SHA1
59ceaaaa292000177dc966e5ab14cc83ef64d274

SHA256
9856ce556675e1442ee33c35ccd31b1f344c7587fc26d48295480bb2a26ecc8c

SHA512
a366ac49c9c91c3a4b4e13464487068274c32cbba7517a3f1ec76cf200c288d3051ee4eb6e6e020e4180f9d65c8a9e525c4cfc870c922a7e8e3ad6997322062b

Download Submit
C:\Windows\SysWOW64\compmhelp.htm

Filesize
727KB

MD5
8f58ea098e1f908887821e16af5d72de

SHA1
431cde1c639f91fb4babe1a5945f7c16efaf86a3

SHA256
48c8a5abbf85ea62086683ebc029da2c64e3dea232c681300378dce962235038

SHA512
7bdd3ca120e93cdce10ac8134535f0b5cd6c2abe8b607230e9f9a288a3b65dbb1211c1564f4a3af6a4c6e8d14dff108fed2a6334ddf749e5c8daa33bc84fe4fb

Download Submit
C:\Windows\SysWOW64\ftdisk.sys

Filesize
727KB

MD5
90d59c1ec1d563708a5058f423ecb511

SHA1
f20c19870adde742ac8b8a9720a5690ac46a7c0c

SHA256
b7ecebc992dfa6f8299625674b57b6c9589ad4eb8559f1e39ac44aa09b33bc68

SHA512
c16142108872b62611bb8ebfd89b094bfb672a710ffef525089f8452f10f607544a25cee8e2510a085997e90e5f08177f1c65363ca9aa3995b3860798f582a33

Download Submit
C:\Windows\dhcp.exe

Filesize
869KB

MD5
c4af1ad0455ab02b7773c72d1558f47a

SHA1
d0c51b6ecc29f47901368ddcfebdd7fdaf8367dd

SHA256
a84b57b14cbdc3a018d8b35f135139c27b5fa9accc1ca9a6063e5461636a8746

SHA512
5fccb42359ab8bc2ea516abdc8c4f6b5eba6b59a41680841aa92e4ffea19badfd28e1fdeaa740f3bd646598dfb8c5dd315564f1678c00526c597cb3135be2993

Download Submit
C:\autorun.inf

Filesize
136B

MD5
d888d11429b5ded04c899cf38adf53bd

SHA1
e63cf02f5646c66f0486d31dd036a06bc06ca32c

SHA256
a31f10d792d62cc7fec33494aa605ff33279c0065910585d59017c13b4445f17

SHA512
7433c261728d89cd1ec0db5f6b92dcf2b5b079ae16bd168c77496b1a166c03f74c46d13de2fe2eebc563b036aa77fe6f5275e20462985094e0b50882907aef48

Download Submit
F:\ntldr.exe

Filesize
727KB

MD5
31689fca88b17ced4fce9c333b58f914

SHA1
a675cdef7c20d781ffd0a02ea49e51b6f4d07821

SHA256
ccd836c9140e29011cd72e4fb9735d66077faee81d9affe04ef3b759d5a5576f

SHA512
25f21b8d26fa13b9508dbcc4a6d3705b9df96be775ea9b4898afc26802c71a9db9cb6403f14033680fb14bc5c6bc8712891c115621a7a1ce0735dd1d34e037cc

Download Submit
\Windows\SysWOW64\helpsrv.exe

Filesize
785KB

MD5
ea186b7122f861efde2f5144eebd0919

SHA1
d5c8ea31e7e9cb5c3ccd9b3ff9954610d6efc42b

SHA256
40187be166c7e6ddc3779026388ab0f1484613e939a4660d361cef9f5cfe09e2

SHA512
4b927b34a1014bbaac998131a6a19b0927ae992d2a950b77dafaa84d55fef7666bbc9cddc2f8ad9b886a0a7095e240b76c472fdab5c7e1bf2b3abed2aee1fa2b

Download Submit