c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Size

727KB
MD5

b844d30083e3a7b9147913ef5b155170
SHA1

c4d4d34221d3ad54ce9051c6e42abfef51d8e6ae
SHA256

c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e
SHA512

b16f6cbefd79bb45550442a6020c4142927a100ffd231a206b8e48aae5552459f3ff3ca67dbac215f8b3bd2c466948236f76b690c554dc27bac7bf9325b6099b
SSDEEP

3072:OmqtkjEgIN9thOU2t2DxcBjXnyIpGXJK2jxcis0A:lqtsEFOUalfGXJ4isP

Score

10^/10

bootkit discovery evasion execution persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\hidefileext = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\hidefileext = "1"	dhcp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\hidefileext = "1"	helpsrv.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows help services = "C:\\Windows\\system32\\helpsrv.exe"	helpsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows help services = "C:\\Windows\\system32\\helpsrv.exe"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	dhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows help services = "C:\\Windows\\system32\\helpsrv.exe"	dhcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	helpsrv.exe

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	helpsrv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	dhcp.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2548	dhcp.exe
1744	helpsrv.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dhcp client = "C:\\Windows\\dhcp.exe"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dhcp client = "C:\\Windows\\dhcp.exe"	dhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dhcp client = "C:\\Windows\\dhcp.exe"	helpsrv.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vds.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	dhcp.exe
File opened for modification	F:\autorun.inf	dhcp.exe
File created	C:\autorun.inf	helpsrv.exe
File opened for modification	C:\autorun.inf	helpsrv.exe
File created	F:\autorun.inf	helpsrv.exe
File opened for modification	F:\autorun.inf	helpsrv.exe
File created	C:\autorun.inf	dhcp.exe
File opened for modification	C:\autorun.inf	dhcp.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\grouppolicy\machine\scripts\startup\ftdisk.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\helpsrv.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\initgdi32.cui	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\compmhelp.htm	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\dhcp.sys	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\ftdisk.sys	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\igfx32.lrc	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\cmediahelp.chm	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\dpvsrv.dll	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\directx.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	vds.exe
File opened for modification	C:\Windows\help\ipshelp.hlp	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\dhcp.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe

Launches sc.exe 52 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4360	sc.exe
3180	sc.exe
3412	sc.exe
4936	sc.exe
4972	sc.exe
2116	sc.exe
984	sc.exe
3632	sc.exe
4920	sc.exe
2864	sc.exe
416	sc.exe
864	sc.exe
4728	sc.exe
2428	sc.exe
1056	sc.exe
4504	sc.exe
2572	sc.exe
5056	sc.exe
1436	sc.exe
2512	sc.exe
3344	sc.exe
2764	sc.exe
3508	sc.exe
1924	sc.exe
1068	sc.exe
3192	sc.exe
1804	sc.exe
1992	sc.exe
4168	sc.exe
2096	sc.exe
3204	sc.exe
1984	sc.exe
788	sc.exe
488	sc.exe
3804	sc.exe
4600	sc.exe
1260	sc.exe
4528	sc.exe
3732	sc.exe
1720	sc.exe
2088	sc.exe
1912	sc.exe
3560	sc.exe
1588	sc.exe
4040	sc.exe
4744	sc.exe
3768	sc.exe
4832	sc.exe
2680	sc.exe
3400	sc.exe
3112	sc.exe
3888	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dhcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	helpsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vds.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache = a2a0d0ebe5b9334487c068b6b72699c70000000000000000	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000041ba55ff36dba0620000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000041ba55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090041ba55ff000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\s-1-5-21-1229272821-838170752-839522115-1003\software\microsoft\internet explorer\main	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\s-1-5-21-1229272821-838170752-839522115-1003\software\microsoft\internet explorer\main	dhcp.exe
Key created	\REGISTRY\USER\s-1-5-21-1229272821-838170752-839522115-1003\software\microsoft\internet explorer\main	helpsrv.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2548	dhcp.exe
2548	dhcp.exe
1744	helpsrv.exe
1744	helpsrv.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
2548	dhcp.exe
2548	dhcp.exe
1744	helpsrv.exe
1744	helpsrv.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
1744	helpsrv.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe
2548	dhcp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2548	dhcp.exe
1744	helpsrv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 3120	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	82
PID 2892 wrote to memory of 3120	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	82
PID 2892 wrote to memory of 3120	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	82
PID 3120 wrote to memory of 2572	3120	cmd.exe	84
PID 3120 wrote to memory of 2572	3120	cmd.exe	84
PID 3120 wrote to memory of 2572	3120	cmd.exe	84
PID 3120 wrote to memory of 3804	3120	cmd.exe	85
PID 3120 wrote to memory of 3804	3120	cmd.exe	85
PID 3120 wrote to memory of 3804	3120	cmd.exe	85
PID 3120 wrote to memory of 1588	3120	cmd.exe	86
PID 3120 wrote to memory of 1588	3120	cmd.exe	86
PID 3120 wrote to memory of 1588	3120	cmd.exe	86
PID 3120 wrote to memory of 1804	3120	cmd.exe	87
PID 3120 wrote to memory of 1804	3120	cmd.exe	87
PID 3120 wrote to memory of 1804	3120	cmd.exe	87
PID 3120 wrote to memory of 2428	3120	cmd.exe	88
PID 3120 wrote to memory of 2428	3120	cmd.exe	88
PID 3120 wrote to memory of 2428	3120	cmd.exe	88
PID 3120 wrote to memory of 3508	3120	cmd.exe	89
PID 3120 wrote to memory of 3508	3120	cmd.exe	89
PID 3120 wrote to memory of 3508	3120	cmd.exe	89
PID 2892 wrote to memory of 2548	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	90
PID 2892 wrote to memory of 2548	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	90
PID 2892 wrote to memory of 2548	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	90
PID 3120 wrote to memory of 2116	3120	cmd.exe	91
PID 3120 wrote to memory of 2116	3120	cmd.exe	91
PID 3120 wrote to memory of 2116	3120	cmd.exe	91
PID 2548 wrote to memory of 2976	2548	dhcp.exe	92
PID 2548 wrote to memory of 2976	2548	dhcp.exe	92
PID 2548 wrote to memory of 2976	2548	dhcp.exe	92
PID 2892 wrote to memory of 1744	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	93
PID 2892 wrote to memory of 1744	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	93
PID 2892 wrote to memory of 1744	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	93
PID 1744 wrote to memory of 4976	1744	helpsrv.exe	97
PID 1744 wrote to memory of 4976	1744	helpsrv.exe	97
PID 1744 wrote to memory of 4976	1744	helpsrv.exe	97
PID 2892 wrote to memory of 1992	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	98
PID 2892 wrote to memory of 1992	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	98
PID 2892 wrote to memory of 1992	2892	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	98
PID 3120 wrote to memory of 3888	3120	cmd.exe	100
PID 3120 wrote to memory of 3888	3120	cmd.exe	100
PID 3120 wrote to memory of 3888	3120	cmd.exe	100
PID 2976 wrote to memory of 4728	2976	cmd.exe	102
PID 2976 wrote to memory of 4728	2976	cmd.exe	102
PID 2976 wrote to memory of 4728	2976	cmd.exe	102
PID 4976 wrote to memory of 1056	4976	cmd.exe	103
PID 4976 wrote to memory of 1056	4976	cmd.exe	103
PID 4976 wrote to memory of 1056	4976	cmd.exe	103
PID 3120 wrote to memory of 984	3120	cmd.exe	104
PID 3120 wrote to memory of 984	3120	cmd.exe	104
PID 3120 wrote to memory of 984	3120	cmd.exe	104
PID 3120 wrote to memory of 4168	3120	cmd.exe	105
PID 3120 wrote to memory of 4168	3120	cmd.exe	105
PID 3120 wrote to memory of 4168	3120	cmd.exe	105
PID 2976 wrote to memory of 5056	2976	cmd.exe	106
PID 2976 wrote to memory of 5056	2976	cmd.exe	106
PID 2976 wrote to memory of 5056	2976	cmd.exe	106
PID 4976 wrote to memory of 1436	4976	cmd.exe	107
PID 4976 wrote to memory of 1436	4976	cmd.exe	107
PID 4976 wrote to memory of 1436	4976	cmd.exe	107
PID 4976 wrote to memory of 2512	4976	cmd.exe	108
PID 4976 wrote to memory of 2512	4976	cmd.exe	108
PID 4976 wrote to memory of 2512	4976	cmd.exe	108
PID 3120 wrote to memory of 4360	3120	cmd.exe	109

System policy modification 1 TTPs 21 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nosecuritytab = "1"	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofind = "1"	helpsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runstartupscriptsync = "1"	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\norun = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nosecuritytab = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofind = "1"	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runlogonscriptsync = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runstartupscriptsync = "1"	dhcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\norun = "1"	helpsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runstartupscriptsync = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nosecuritytab = "1"	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runlogonscriptsync = "1"	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runlogonscriptsync = "1"	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofind = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\norun = "1"	dhcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	dhcp.exe

C:\Users\Admin\AppData\Local\Temp\c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
"C:\Users\Admin\AppData\Local\Temp\c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_dSC.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\SysWOW64\sc.exe
    sc stop audiosrv
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Windows\SysWOW64\sc.exe
    sc delete audiosrv
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3804
- - C:\Windows\SysWOW64\sc.exe
    sc stop spooler
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\SysWOW64\sc.exe
    sc delete spooler
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1804
- - C:\Windows\SysWOW64\sc.exe
    sc stop sens
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Windows\SysWOW64\sc.exe
    sc delete sens
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3508
- - C:\Windows\SysWOW64\sc.exe
    sc stop wscsvc
    3⤵
    - Launches sc.exe
    PID:2116
- - C:\Windows\SysWOW64\sc.exe
    sc delete wscsvc
    3⤵
    - Launches sc.exe
    PID:3888
- - C:\Windows\SysWOW64\sc.exe
    sc stop sharedaccess
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:984
- - C:\Windows\SysWOW64\sc.exe
    sc delete sharedaccess
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4168
- - C:\Windows\SysWOW64\sc.exe
    sc stop srservice
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4360
- - C:\Windows\SysWOW64\sc.exe
    sc delete srservice
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Windows\SysWOW64\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3180
- - C:\Windows\SysWOW64\sc.exe
    sc delete wuauserv
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3344
- - C:\Windows\SysWOW64\sc.exe
    sc stop avp
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4920
- - C:\Windows\SysWOW64\sc.exe
    sc delete avp
    3⤵
    - Launches sc.exe
    PID:2864
- C:\Windows\dhcp.exe
  C:\Windows\dhcp.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_dSC.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\sc.exe
      sc stop audiosrv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4728
  - - C:\Windows\SysWOW64\sc.exe
      sc delete audiosrv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5056
  - - C:\Windows\SysWOW64\sc.exe
      sc stop spooler
      4⤵
      Launches sc.exe
      PID:1924
  - - C:\Windows\SysWOW64\sc.exe
      sc delete spooler
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3412
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sens
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3204
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sens
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1720
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wscsvc
      4⤵
      Launches sc.exe
      PID:1984
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wscsvc
      4⤵
      Launches sc.exe
      PID:2088
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sharedaccess
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4832
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sharedaccess
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2764
  - - C:\Windows\SysWOW64\sc.exe
      sc stop srservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3400
  - - C:\Windows\SysWOW64\sc.exe
      sc delete srservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:488
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3560
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wuauserv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4600
  - - C:\Windows\SysWOW64\sc.exe
      sc stop avp
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4040
  - - C:\Windows\SysWOW64\sc.exe
      sc delete avp
      4⤵
      Launches sc.exe
      PID:4972
- - C:\Windows\SysWOW64\sc.exe
    sc start themes
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_dhS.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5040
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\hcdRS.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_DLLd.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4744
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld1.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1368
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld2.dat
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld3.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3096
- C:\Windows\SysWOW64\helpsrv.exe
  C:\Windows\system32\helpsrv.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_dSC.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\SysWOW64\sc.exe
      sc stop audiosrv
      4⤵
      Launches sc.exe
      PID:1056
  - - C:\Windows\SysWOW64\sc.exe
      sc delete audiosrv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1436
  - - C:\Windows\SysWOW64\sc.exe
      sc stop spooler
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2512
  - - C:\Windows\SysWOW64\sc.exe
      sc delete spooler
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4744
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sens
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4528
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sens
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3632
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wscsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3768
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wscsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1068
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sharedaccess
      4⤵
      Launches sc.exe
      PID:3732
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sharedaccess
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4936
  - - C:\Windows\SysWOW64\sc.exe
      sc stop srservice
      4⤵
      Launches sc.exe
      PID:4504
  - - C:\Windows\SysWOW64\sc.exe
      sc delete srservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3192
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:788
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wuauserv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1912
  - - C:\Windows\SysWOW64\sc.exe
      sc stop avp
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3112
  - - C:\Windows\SysWOW64\sc.exe
      sc delete avp
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:416
- - C:\Windows\SysWOW64\sc.exe
    sc start themes
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Windows\SysWOW64\sc.exe
    sc stop themes
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3912
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_dhS.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1612
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\hcdRS.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_DLLd.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld1.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:4064
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld2.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2808
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld3.dat
      4⤵
      PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4728
- C:\Windows\SysWOW64\sc.exe
  sc start themes
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3500

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2220

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_DLLd.bat

Filesize
93B

MD5
c32eb32220506549c954ff1dd2e5f26e

SHA1
25157778cc435e0f2df7f0b62b64347b35d07695

SHA256
9d840c6a3524397cd7c1d886ba7dd7313fd5cc82ca13cb5648662c843c5424e7

SHA512
370856c5f8715c587557e156678d1852ef6564ca04ed83d52694194ece19468cde0bbbd241058eac932207f3be21ae17badacac1c2320155f6c3e4859c0c220e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dSC.bat

Filesize
290B

MD5
a248e0b9bc5c88b984f4be429298c1d6

SHA1
1ce140c1918089efd238404a171be62702144ab8

SHA256
c77e889b2172b962fb3277dcd14560edf2918d22403d6fcd19724afa008275ef

SHA512
84d72f13c80e33f9e70edd4b23418cbbbdbfd0b4c9cb2b425e43bedad5106b37b54a528c655f57596b7d9aab2a9cb9629dd63db8efc60160c0b64b5e923df933

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dhS.bat

Filesize
30B

MD5
0869aa8764685cc50e2b68185ec6d763

SHA1
f7eda8a1d28014fc60e981532cf68b6eef83349c

SHA256
1597a2e108a6b8de01ab570d6b4a9b2b7b542e62a168a7d76aaafcdd542e4b7b

SHA512
2e798b2d0522eef5f0169e58a42290a6ddc23fb32a31faf92d31514bc6ac73d495bac37b26b6553a480b0c79a4f8763748e08ab6a2e8515e859918d436da93e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcdRS.dat

Filesize
59B

MD5
2d2e3c00f7632f2fc1ea457658a46751

SHA1
62ac3ca1556f94bb43f4d2ae121756839ae7ba52

SHA256
4e2f5849689150dc7bcc823a5c1ab3d11de70fdd83761e4eb695f955183a6e09

SHA512
d298d24eeb1383f7f3c7fa56c45fb033dfb6c0f50a7b377e5bb49ec1ef8a311664956a20700eac6ceced3d259abe4894aa23318f229d98dc543a9062e20555c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdlld1.dat

Filesize
59B

MD5
6e7d774057f854f664ffcacbc0ae9581

SHA1
0432f96d077a55d58e9d1537a56723ee8f21e1cb

SHA256
149c31333734b73865ca5a6afd30535b269e41e37112b5be10e0d420fd77cf07

SHA512
976f7096347808fd6424d319e092758a70414952df5b23fcbfddd7e366468f20e1cc029feeb2a52f265e0a99ca650c21b62d2c4a455cf4003e4a8e38c9060f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdlld2.dat

Filesize
59B

MD5
0775bc0a5c052eda999f31979551f38c

SHA1
54d846c61b1b0a2ecafa688259fc5dc8ac01932f

SHA256
58bc9dddd6b06f94a0bcb1cc904b04ee1fc5695bc545f0ba2c419b2a22d89f5b

SHA512
878653ad916d9801704d2ed65dc2e3f25beaa13d8383c6530e97cce86fa99e2ec4c893d5b839c83c090da37d5d64e26256ebf87d44b3bc247aa8f04bc9cb222a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdlld3.dat

Filesize
59B

MD5
d36fa4c9ecb3a9d09a9b6cbdc78100e3

SHA1
59ceaaaa292000177dc966e5ab14cc83ef64d274

SHA256
9856ce556675e1442ee33c35ccd31b1f344c7587fc26d48295480bb2a26ecc8c

SHA512
a366ac49c9c91c3a4b4e13464487068274c32cbba7517a3f1ec76cf200c288d3051ee4eb6e6e020e4180f9d65c8a9e525c4cfc870c922a7e8e3ad6997322062b

Download Submit
C:\Windows\SysWOW64\compmhelp.htm

Filesize
727KB

MD5
8f58ea098e1f908887821e16af5d72de

SHA1
431cde1c639f91fb4babe1a5945f7c16efaf86a3

SHA256
48c8a5abbf85ea62086683ebc029da2c64e3dea232c681300378dce962235038

SHA512
7bdd3ca120e93cdce10ac8134535f0b5cd6c2abe8b607230e9f9a288a3b65dbb1211c1564f4a3af6a4c6e8d14dff108fed2a6334ddf749e5c8daa33bc84fe4fb

Download Submit
C:\Windows\SysWOW64\ftdisk.sys

Filesize
727KB

MD5
90d59c1ec1d563708a5058f423ecb511

SHA1
f20c19870adde742ac8b8a9720a5690ac46a7c0c

SHA256
b7ecebc992dfa6f8299625674b57b6c9589ad4eb8559f1e39ac44aa09b33bc68

SHA512
c16142108872b62611bb8ebfd89b094bfb672a710ffef525089f8452f10f607544a25cee8e2510a085997e90e5f08177f1c65363ca9aa3995b3860798f582a33

Download Submit
C:\Windows\SysWOW64\helpsrv.exe

Filesize
785KB

MD5
ea186b7122f861efde2f5144eebd0919

SHA1
d5c8ea31e7e9cb5c3ccd9b3ff9954610d6efc42b

SHA256
40187be166c7e6ddc3779026388ab0f1484613e939a4660d361cef9f5cfe09e2

SHA512
4b927b34a1014bbaac998131a6a19b0927ae992d2a950b77dafaa84d55fef7666bbc9cddc2f8ad9b886a0a7095e240b76c472fdab5c7e1bf2b3abed2aee1fa2b

Download Submit
C:\Windows\dhcp.exe

Filesize
869KB

MD5
c4af1ad0455ab02b7773c72d1558f47a

SHA1
d0c51b6ecc29f47901368ddcfebdd7fdaf8367dd

SHA256
a84b57b14cbdc3a018d8b35f135139c27b5fa9accc1ca9a6063e5461636a8746

SHA512
5fccb42359ab8bc2ea516abdc8c4f6b5eba6b59a41680841aa92e4ffea19badfd28e1fdeaa740f3bd646598dfb8c5dd315564f1678c00526c597cb3135be2993

Download Submit
C:\autorun.inf

Filesize
136B

MD5
d888d11429b5ded04c899cf38adf53bd

SHA1
e63cf02f5646c66f0486d31dd036a06bc06ca32c

SHA256
a31f10d792d62cc7fec33494aa605ff33279c0065910585d59017c13b4445f17

SHA512
7433c261728d89cd1ec0db5f6b92dcf2b5b079ae16bd168c77496b1a166c03f74c46d13de2fe2eebc563b036aa77fe6f5275e20462985094e0b50882907aef48

Download Submit
C:\ntldr.exe

Filesize
727KB

MD5
31689fca88b17ced4fce9c333b58f914

SHA1
a675cdef7c20d781ffd0a02ea49e51b6f4d07821

SHA256
ccd836c9140e29011cd72e4fb9735d66077faee81d9affe04ef3b759d5a5576f

SHA512
25f21b8d26fa13b9508dbcc4a6d3705b9df96be775ea9b4898afc26802c71a9db9cb6403f14033680fb14bc5c6bc8712891c115621a7a1ce0735dd1d34e037cc

Download Submit