c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Size

727KB
MD5

b844d30083e3a7b9147913ef5b155170
SHA1

c4d4d34221d3ad54ce9051c6e42abfef51d8e6ae
SHA256

c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e
SHA512

b16f6cbefd79bb45550442a6020c4142927a100ffd231a206b8e48aae5552459f3ff3ca67dbac215f8b3bd2c466948236f76b690c554dc27bac7bf9325b6099b
SSDEEP

3072:OmqtkjEgIN9thOU2t2DxcBjXnyIpGXJK2jxcis0A:lqtsEFOUalfGXJ4isP

Score

10^/10

bootkit discovery evasion execution persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\hidefileext = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\hidefileext = "1"	dhcp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\hidefileext = "1"	helpsrv.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows help services = "C:\\Windows\\system32\\helpsrv.exe"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	dhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows help services = "C:\\Windows\\system32\\helpsrv.exe"	dhcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	helpsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows help services = "C:\\Windows\\system32\\helpsrv.exe"	helpsrv.exe

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	dhcp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	helpsrv.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2576	dhcp.exe
3076	helpsrv.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dhcp client = "C:\\Windows\\dhcp.exe"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dhcp client = "C:\\Windows\\dhcp.exe"	dhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dhcp client = "C:\\Windows\\dhcp.exe"	helpsrv.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	helpsrv.exe
File opened (read-only)	\??\F:	dhcp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vds.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	dhcp.exe
File created	C:\autorun.inf	helpsrv.exe
File opened for modification	C:\autorun.inf	helpsrv.exe
File created	F:\autorun.inf	helpsrv.exe
File opened for modification	F:\autorun.inf	helpsrv.exe
File created	C:\autorun.inf	dhcp.exe
File opened for modification	C:\autorun.inf	dhcp.exe
File created	F:\autorun.inf	dhcp.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cmediahelp.chm	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\dhcp.sys	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\ftdisk.sys	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\initgdi32.cui	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\dpvsrv.dll	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\igfx32.lrc	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\grouppolicy\machine\scripts\startup\ftdisk.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\directx.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\helpsrv.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\SysWOW64\compmhelp.htm	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\help\ipshelp.hlp	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\dhcp.exe	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	vds.exe
File opened for modification	C:\Windows\DiacoVirtualDrive	dhcp.exe

Launches sc.exe 52 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3936	sc.exe
4516	sc.exe
2720	sc.exe
436	sc.exe
1340	sc.exe
2496	sc.exe
4764	sc.exe
4696	sc.exe
3924	sc.exe
2516	sc.exe
3616	sc.exe
3988	sc.exe
4808	sc.exe
2836	sc.exe
3832	sc.exe
1816	sc.exe
4576	sc.exe
4784	sc.exe
1304	sc.exe
3388	sc.exe
3952	sc.exe
4228	sc.exe
732	sc.exe
4008	sc.exe
4112	sc.exe
3208	sc.exe
3644	sc.exe
5112	sc.exe
64	sc.exe
2924	sc.exe
3612	sc.exe
2600	sc.exe
4052	sc.exe
2580	sc.exe
2424	sc.exe
2716	sc.exe
3312	sc.exe
876	sc.exe
3500	sc.exe
4368	sc.exe
1028	sc.exe
4992	sc.exe
2116	sc.exe
3348	sc.exe
1884	sc.exe
2196	sc.exe
4740	sc.exe
2416	sc.exe
3604	sc.exe
1272	sc.exe
3196	sc.exe
3576	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dhcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	helpsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks SCSI registry key(s) 3 TTPs 29 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff91c5a0620000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache = a2a0d0ebe5b9334487c068b6b72699c70000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vds.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\s-1-5-21-1229272821-838170752-839522115-1003\software\microsoft\internet explorer\main	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\s-1-5-21-1229272821-838170752-839522115-1003\software\microsoft\internet explorer\main	dhcp.exe
Key created	\REGISTRY\USER\s-1-5-21-1229272821-838170752-839522115-1003\software\microsoft\internet explorer\main	helpsrv.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2576	dhcp.exe
2576	dhcp.exe
3076	helpsrv.exe
3076	helpsrv.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
3076	helpsrv.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe
2576	dhcp.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
2576	dhcp.exe
3076	helpsrv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 3100	212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	83
PID 212 wrote to memory of 3100	212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	83
PID 212 wrote to memory of 3100	212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	83
PID 3100 wrote to memory of 3312	3100	cmd.exe	85
PID 3100 wrote to memory of 3312	3100	cmd.exe	85
PID 3100 wrote to memory of 3312	3100	cmd.exe	85
PID 3100 wrote to memory of 876	3100	cmd.exe	86
PID 3100 wrote to memory of 876	3100	cmd.exe	86
PID 3100 wrote to memory of 876	3100	cmd.exe	86
PID 3100 wrote to memory of 1884	3100	cmd.exe	87
PID 3100 wrote to memory of 1884	3100	cmd.exe	87
PID 3100 wrote to memory of 1884	3100	cmd.exe	87
PID 3100 wrote to memory of 3936	3100	cmd.exe	88
PID 3100 wrote to memory of 3936	3100	cmd.exe	88
PID 3100 wrote to memory of 3936	3100	cmd.exe	88
PID 3100 wrote to memory of 2836	3100	cmd.exe	89
PID 3100 wrote to memory of 2836	3100	cmd.exe	89
PID 3100 wrote to memory of 2836	3100	cmd.exe	89
PID 3100 wrote to memory of 3388	3100	cmd.exe	90
PID 3100 wrote to memory of 3388	3100	cmd.exe	90
PID 3100 wrote to memory of 3388	3100	cmd.exe	90
PID 3100 wrote to memory of 2196	3100	cmd.exe	91
PID 3100 wrote to memory of 2196	3100	cmd.exe	91
PID 3100 wrote to memory of 2196	3100	cmd.exe	91
PID 3100 wrote to memory of 3832	3100	cmd.exe	92
PID 3100 wrote to memory of 3832	3100	cmd.exe	92
PID 3100 wrote to memory of 3832	3100	cmd.exe	92
PID 3100 wrote to memory of 4740	3100	cmd.exe	93
PID 3100 wrote to memory of 4740	3100	cmd.exe	93
PID 3100 wrote to memory of 4740	3100	cmd.exe	93
PID 3100 wrote to memory of 4516	3100	cmd.exe	94
PID 3100 wrote to memory of 4516	3100	cmd.exe	94
PID 3100 wrote to memory of 4516	3100	cmd.exe	94
PID 3100 wrote to memory of 2496	3100	cmd.exe	95
PID 3100 wrote to memory of 2496	3100	cmd.exe	95
PID 3100 wrote to memory of 2496	3100	cmd.exe	95
PID 3100 wrote to memory of 2416	3100	cmd.exe	96
PID 3100 wrote to memory of 2416	3100	cmd.exe	96
PID 3100 wrote to memory of 2416	3100	cmd.exe	96
PID 3100 wrote to memory of 2720	3100	cmd.exe	97
PID 3100 wrote to memory of 2720	3100	cmd.exe	97
PID 3100 wrote to memory of 2720	3100	cmd.exe	97
PID 3100 wrote to memory of 3500	3100	cmd.exe	98
PID 3100 wrote to memory of 3500	3100	cmd.exe	98
PID 3100 wrote to memory of 3500	3100	cmd.exe	98
PID 3100 wrote to memory of 1816	3100	cmd.exe	99
PID 3100 wrote to memory of 1816	3100	cmd.exe	99
PID 3100 wrote to memory of 1816	3100	cmd.exe	99
PID 3100 wrote to memory of 4368	3100	cmd.exe	102
PID 3100 wrote to memory of 4368	3100	cmd.exe	102
PID 3100 wrote to memory of 4368	3100	cmd.exe	102
PID 212 wrote to memory of 2576	212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	103
PID 212 wrote to memory of 2576	212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	103
PID 212 wrote to memory of 2576	212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	103
PID 2576 wrote to memory of 4100	2576	dhcp.exe	104
PID 2576 wrote to memory of 4100	2576	dhcp.exe	104
PID 2576 wrote to memory of 4100	2576	dhcp.exe	104
PID 212 wrote to memory of 3076	212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	105
PID 212 wrote to memory of 3076	212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	105
PID 212 wrote to memory of 3076	212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	105
PID 3076 wrote to memory of 1876	3076	helpsrv.exe	107
PID 3076 wrote to memory of 1876	3076	helpsrv.exe	107
PID 3076 wrote to memory of 1876	3076	helpsrv.exe	107
PID 212 wrote to memory of 4764	212	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe	108

System policy modification 1 TTPs 21 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\norun = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nosecuritytab = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runlogonscriptsync = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runstartupscriptsync = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer	dhcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofind = "1"	helpsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runlogonscriptsync = "1"	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runstartupscriptsync = "1"	helpsrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofind = "1"	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofind = "1"	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runlogonscriptsync = "1"	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\norun = "1"	helpsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nosecuritytab = "1"	dhcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\runstartupscriptsync = "1"	dhcp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nosecuritytab = "1"	helpsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\norun = "1"	dhcp.exe

C:\Users\Admin\AppData\Local\Temp\c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe
"C:\Users\Admin\AppData\Local\Temp\c481c9c10e7f885b820fc67a4237243812360ee11f47e61195e147036fd6a86e.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_dSC.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\sc.exe
    sc stop audiosrv
    3⤵
    - Launches sc.exe
    PID:3312
- - C:\Windows\SysWOW64\sc.exe
    sc delete audiosrv
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:876
- - C:\Windows\SysWOW64\sc.exe
    sc stop spooler
    3⤵
    - Launches sc.exe
    PID:1884
- - C:\Windows\SysWOW64\sc.exe
    sc delete spooler
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3936
- - C:\Windows\SysWOW64\sc.exe
    sc stop sens
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\sc.exe
    sc delete sens
    3⤵
    - Launches sc.exe
    PID:3388
- - C:\Windows\SysWOW64\sc.exe
    sc stop wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2196
- - C:\Windows\SysWOW64\sc.exe
    sc delete wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3832
- - C:\Windows\SysWOW64\sc.exe
    sc stop sharedaccess
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4740
- - C:\Windows\SysWOW64\sc.exe
    sc delete sharedaccess
    3⤵
    - Launches sc.exe
    PID:4516
- - C:\Windows\SysWOW64\sc.exe
    sc stop srservice
    3⤵
    - Launches sc.exe
    PID:2496
- - C:\Windows\SysWOW64\sc.exe
    sc delete srservice
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Windows\SysWOW64\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\sc.exe
    sc delete wuauserv
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3500
- - C:\Windows\SysWOW64\sc.exe
    sc stop avp
    3⤵
    - Launches sc.exe
    PID:1816
- - C:\Windows\SysWOW64\sc.exe
    sc delete avp
    3⤵
    - Launches sc.exe
    PID:4368
- C:\Windows\dhcp.exe
  C:\Windows\dhcp.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_dSC.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4100
  - - C:\Windows\SysWOW64\sc.exe
      sc stop audiosrv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3952
  - - C:\Windows\SysWOW64\sc.exe
      sc delete audiosrv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1028
  - - C:\Windows\SysWOW64\sc.exe
      sc stop spooler
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5112
  - - C:\Windows\SysWOW64\sc.exe
      sc delete spooler
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3604
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sens
      4⤵
      Launches sc.exe
      PID:2924
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sens
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3612
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wscsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4112
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wscsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4576
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sharedaccess
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3616
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sharedaccess
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4992
  - - C:\Windows\SysWOW64\sc.exe
      sc stop srservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4784
  - - C:\Windows\SysWOW64\sc.exe
      sc delete srservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3988
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3196
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wuauserv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4228
  - - C:\Windows\SysWOW64\sc.exe
      sc stop avp
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4052
  - - C:\Windows\SysWOW64\sc.exe
      sc delete avp
      4⤵
      Launches sc.exe
      PID:1304
- - C:\Windows\SysWOW64\sc.exe
    sc start themes
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_dhS.bat
    3⤵
    PID:4112
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\hcdRS.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_DLLd.bat
    3⤵
    PID:2388
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld1.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:3944
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld2.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:4424
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld3.dat
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_dhS.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\hcdRS.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c subst F: C:\Windows\DiacoVirtualDrive
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3612
  - - C:\Windows\SysWOW64\subst.exe
      subst F: C:\Windows\DiacoVirtualDrive
      4⤵
      PID:1784
- - C:\Windows\SysWOW64\sc.exe
    sc stop themes
    3⤵
    - Launches sc.exe
    PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- C:\Windows\SysWOW64\helpsrv.exe
  C:\Windows\system32\helpsrv.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_dSC.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1876
  - - C:\Windows\SysWOW64\sc.exe
      sc stop audiosrv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3644
  - - C:\Windows\SysWOW64\sc.exe
      sc delete audiosrv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:64
  - - C:\Windows\SysWOW64\sc.exe
      sc stop spooler
      4⤵
      Launches sc.exe
      PID:1272
  - - C:\Windows\SysWOW64\sc.exe
      sc delete spooler
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2600
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sens
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2116
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sens
      4⤵
      Launches sc.exe
      PID:3208
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wscsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3348
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wscsvc
      4⤵
      Launches sc.exe
      PID:2424
  - - C:\Windows\SysWOW64\sc.exe
      sc stop sharedaccess
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4696
  - - C:\Windows\SysWOW64\sc.exe
      sc delete sharedaccess
      4⤵
      Launches sc.exe
      PID:2580
  - - C:\Windows\SysWOW64\sc.exe
      sc stop srservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:436
  - - C:\Windows\SysWOW64\sc.exe
      sc delete srservice
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1340
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3924
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wuauserv
      4⤵
      Launches sc.exe
      PID:4808
  - - C:\Windows\SysWOW64\sc.exe
      sc stop avp
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:732
  - - C:\Windows\SysWOW64\sc.exe
      sc delete avp
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2516
- - C:\Windows\SysWOW64\sc.exe
    sc start themes
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_dhS.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:452
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\hcdRS.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_DLLd.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3924
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld1.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:4340
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld2.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1900
  - - C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\Users\Admin\AppData\Local\Temp\sdlld3.dat
      4⤵
      System Location Discovery: System Language Discovery
      PID:944
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4412
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\C:\autorun.inf
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q \\?\F:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3672
- C:\Windows\SysWOW64\sc.exe
  sc start themes
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3248

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1720

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2780

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1376

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_DLLd.bat

Filesize
93B

MD5
c32eb32220506549c954ff1dd2e5f26e

SHA1
25157778cc435e0f2df7f0b62b64347b35d07695

SHA256
9d840c6a3524397cd7c1d886ba7dd7313fd5cc82ca13cb5648662c843c5424e7

SHA512
370856c5f8715c587557e156678d1852ef6564ca04ed83d52694194ece19468cde0bbbd241058eac932207f3be21ae17badacac1c2320155f6c3e4859c0c220e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dSC.bat

Filesize
290B

MD5
a248e0b9bc5c88b984f4be429298c1d6

SHA1
1ce140c1918089efd238404a171be62702144ab8

SHA256
c77e889b2172b962fb3277dcd14560edf2918d22403d6fcd19724afa008275ef

SHA512
84d72f13c80e33f9e70edd4b23418cbbbdbfd0b4c9cb2b425e43bedad5106b37b54a528c655f57596b7d9aab2a9cb9629dd63db8efc60160c0b64b5e923df933

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dhS.bat

Filesize
30B

MD5
0869aa8764685cc50e2b68185ec6d763

SHA1
f7eda8a1d28014fc60e981532cf68b6eef83349c

SHA256
1597a2e108a6b8de01ab570d6b4a9b2b7b542e62a168a7d76aaafcdd542e4b7b

SHA512
2e798b2d0522eef5f0169e58a42290a6ddc23fb32a31faf92d31514bc6ac73d495bac37b26b6553a480b0c79a4f8763748e08ab6a2e8515e859918d436da93e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcdRS.dat

Filesize
59B

MD5
2d2e3c00f7632f2fc1ea457658a46751

SHA1
62ac3ca1556f94bb43f4d2ae121756839ae7ba52

SHA256
4e2f5849689150dc7bcc823a5c1ab3d11de70fdd83761e4eb695f955183a6e09

SHA512
d298d24eeb1383f7f3c7fa56c45fb033dfb6c0f50a7b377e5bb49ec1ef8a311664956a20700eac6ceced3d259abe4894aa23318f229d98dc543a9062e20555c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcdRS.dat

Filesize
73B

MD5
0a20fd344d981da93ad3160c1e4d786c

SHA1
e9d22848de9c9b9fabb4a0f1e162ba713a9ca622

SHA256
b0bb26fafcb95ede148c475dcdda5922eee67e841c841e28bbec91155fff242b

SHA512
7fa734c42696773b0fa9f49132a47a94dbe520f5ebe30f939b7c90f38d0ea02513e6701fd957fdc8ff7c74027832cf70e4177e976520f03b528fa804c61208fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdlld1.dat

Filesize
59B

MD5
6e7d774057f854f664ffcacbc0ae9581

SHA1
0432f96d077a55d58e9d1537a56723ee8f21e1cb

SHA256
149c31333734b73865ca5a6afd30535b269e41e37112b5be10e0d420fd77cf07

SHA512
976f7096347808fd6424d319e092758a70414952df5b23fcbfddd7e366468f20e1cc029feeb2a52f265e0a99ca650c21b62d2c4a455cf4003e4a8e38c9060f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdlld2.dat

Filesize
59B

MD5
0775bc0a5c052eda999f31979551f38c

SHA1
54d846c61b1b0a2ecafa688259fc5dc8ac01932f

SHA256
58bc9dddd6b06f94a0bcb1cc904b04ee1fc5695bc545f0ba2c419b2a22d89f5b

SHA512
878653ad916d9801704d2ed65dc2e3f25beaa13d8383c6530e97cce86fa99e2ec4c893d5b839c83c090da37d5d64e26256ebf87d44b3bc247aa8f04bc9cb222a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdlld3.dat

Filesize
59B

MD5
d36fa4c9ecb3a9d09a9b6cbdc78100e3

SHA1
59ceaaaa292000177dc966e5ab14cc83ef64d274

SHA256
9856ce556675e1442ee33c35ccd31b1f344c7587fc26d48295480bb2a26ecc8c

SHA512
a366ac49c9c91c3a4b4e13464487068274c32cbba7517a3f1ec76cf200c288d3051ee4eb6e6e020e4180f9d65c8a9e525c4cfc870c922a7e8e3ad6997322062b

Download Submit
C:\Windows\SysWOW64\compmhelp.htm

Filesize
727KB

MD5
8f58ea098e1f908887821e16af5d72de

SHA1
431cde1c639f91fb4babe1a5945f7c16efaf86a3

SHA256
48c8a5abbf85ea62086683ebc029da2c64e3dea232c681300378dce962235038

SHA512
7bdd3ca120e93cdce10ac8134535f0b5cd6c2abe8b607230e9f9a288a3b65dbb1211c1564f4a3af6a4c6e8d14dff108fed2a6334ddf749e5c8daa33bc84fe4fb

Download Submit
C:\Windows\SysWOW64\ftdisk.sys

Filesize
727KB

MD5
90d59c1ec1d563708a5058f423ecb511

SHA1
f20c19870adde742ac8b8a9720a5690ac46a7c0c

SHA256
b7ecebc992dfa6f8299625674b57b6c9589ad4eb8559f1e39ac44aa09b33bc68

SHA512
c16142108872b62611bb8ebfd89b094bfb672a710ffef525089f8452f10f607544a25cee8e2510a085997e90e5f08177f1c65363ca9aa3995b3860798f582a33

Download Submit
C:\Windows\SysWOW64\helpsrv.exe

Filesize
785KB

MD5
ea186b7122f861efde2f5144eebd0919

SHA1
d5c8ea31e7e9cb5c3ccd9b3ff9954610d6efc42b

SHA256
40187be166c7e6ddc3779026388ab0f1484613e939a4660d361cef9f5cfe09e2

SHA512
4b927b34a1014bbaac998131a6a19b0927ae992d2a950b77dafaa84d55fef7666bbc9cddc2f8ad9b886a0a7095e240b76c472fdab5c7e1bf2b3abed2aee1fa2b

Download Submit
C:\Windows\dhcp.exe

Filesize
869KB

MD5
c4af1ad0455ab02b7773c72d1558f47a

SHA1
d0c51b6ecc29f47901368ddcfebdd7fdaf8367dd

SHA256
a84b57b14cbdc3a018d8b35f135139c27b5fa9accc1ca9a6063e5461636a8746

SHA512
5fccb42359ab8bc2ea516abdc8c4f6b5eba6b59a41680841aa92e4ffea19badfd28e1fdeaa740f3bd646598dfb8c5dd315564f1678c00526c597cb3135be2993

Download Submit
C:\autorun.inf

Filesize
136B

MD5
d888d11429b5ded04c899cf38adf53bd

SHA1
e63cf02f5646c66f0486d31dd036a06bc06ca32c

SHA256
a31f10d792d62cc7fec33494aa605ff33279c0065910585d59017c13b4445f17

SHA512
7433c261728d89cd1ec0db5f6b92dcf2b5b079ae16bd168c77496b1a166c03f74c46d13de2fe2eebc563b036aa77fe6f5275e20462985094e0b50882907aef48

Download Submit
C:\ntldr.exe

Filesize
727KB

MD5
31689fca88b17ced4fce9c333b58f914

SHA1
a675cdef7c20d781ffd0a02ea49e51b6f4d07821

SHA256
ccd836c9140e29011cd72e4fb9735d66077faee81d9affe04ef3b759d5a5576f

SHA512
25f21b8d26fa13b9508dbcc4a6d3705b9df96be775ea9b4898afc26802c71a9db9cb6403f14033680fb14bc5c6bc8712891c115621a7a1ce0735dd1d34e037cc

Download Submit