// soc investigation 2026-04-27
SOC117 Suspicious .reg File
letsdefend Medium closed ✓ true positive
analyst verdict TRUE POSITIVE

MITRE ATT&CK Mapping

|Tactic|Technique|ID|
|---|---|---|
|Persistence|Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|T1547.001|
|Persistence|Create or Modify System Process: Windows Service|T1543.003|
|Defense Evasion|Impair Defenses: Disable or Modify Tools (Defender)|T1562.001|
|Defense Evasion|Impair Defenses: Disable or Modify System Firewall|T1562.004|
|Lateral Movement|Taint Shared Content|T1080|
|Lateral Movement|Remote Services: SMB/Windows Admin Shares|T1021.002|

WHAT

A .reg file (config.reg, MD5: f705ac114767397fb5e7cd1603e70954) triggered SOC117 — Suspicious .reg File. VT returned clean for the hash; however, manual analysis of the downloaded archive revealed a second file: importantUpdate.bat (SHA256: fc4de26ede0690dbc4ef4ed7ffcc28c086d5c8998f2cbe1e2c3c20516c7da2db), which is a worm. The script creates a persistent Windows service named DaMonki set to autostart, adds a registry Run key for additional persistence, disables both Windows Defender and Windows Firewall, attempts lateral movement by copying itself into network-accessible startup folders, and infects .bat files under C:\Users. Device action was Blocked. Log review confirmed no suspicious HTTP GET requests or email delivery artefacts — the delivery vector remains unknown. Verdict: True Positive.
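Read-only host triage for the artefacts described above, as an added example (not part of the LetsDefend report or the analyst's own tooling). The service name DaMonki, the file names config.reg / importantUpdate.bat, and the Run-key, Defender, firewall and startup-folder behaviour come from the report; the Run value name and the content of infected .bat files are not on the page, so matching on the file names and on the strings DaMonki / importantUpdate is an assumption.

```powershell
# SOC117 host triage: collect indicators of the DaMonki batch worm without
# modifying the host. Run elevated so HKLM and all user profiles are readable.
# ASSUMPTIONS: Run value name unknown (matched by file name); infected .bat
# files are assumed to contain the strings DaMonki or importantUpdate.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistent autostart service named DaMonki (T1543.003)
$svc = Get-Service -Name 'DaMonki' -ErrorAction SilentlyContinue
if ($svc) {
    $img = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DaMonki' -ErrorAction SilentlyContinue).ImagePath
    $findings.Add("Service DaMonki present, status=$($svc.Status), ImagePath=$img")
}

# 2. Run keys referencing the dropped files (T1547.001)
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -match 'importantUpdate\.bat|config\.reg|DaMonki') {
                $findings.Add("Run key $hive\$($p.Name) -> $($p.Value)")
            }
        }
    }
}

# 3. Defender and firewall tampering (T1562.001 / T1562.004)
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is OFF') }
Get-NetFirewallProfile -ErrorAction SilentlyContinue | Where-Object { -not $_.Enabled } |
    ForEach-Object { $findings.Add("Firewall profile $($_.Name) is disabled") }

# 4. Startup folders the worm uses for replication (T1080 / T1547.001)
$startup = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") +
    (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
     ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
Get-ChildItem -Path $startup -Filter '*.bat' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Startup .bat: $($_.FullName)") }

# 5. .bat files under C:\Users carrying the assumed worm markers (file infection)
Get-ChildItem 'C:\Users' -Recurse -Filter '*.bat' -ErrorAction SilentlyContinue |
    Select-String -Pattern 'DaMonki|importantUpdate' -List |
    ForEach-Object { $findings.Add("Infected .bat candidate: $($_.Path)") }

if ($findings.Count -eq 0) { 'No SOC117 artefacts found on this host.' } else { $findings }
```

A hit on the service or Run key alone is enough to isolate the host; the Defender and firewall checks also catch hosts where the worm ran before the block but left no files behind.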

WHEN

Feb 06, 2021 — 01:58 PM

WHERE

Source host Aldo at 172[.]16[.]17[.]51. File contained within a password-protected zip archive. Payload file importantUpdate[.]bat embedded alongside the .reg file.

WHO

Unknown threat actor. No delivery method identified from log review (no email headers, no HTTP downloads). The .reg file likely served as a dropper/lure, with the actual malicious payload being the embedded batch worm. Internal spread was intended via startup folder replication across network hosts, suggesting the actor’s goal was persistence and lateral movement across the local network.

🔬 Analysis Reports

🦠 VirusTotal (importantUpdate.bat) → https://www.virustotal.com/gui/file/fc4de26ede0690dbc4ef4ed7ffcc28c086d5c8998f2cbe1e2c3c20516c7da2db