STUXNET VIRUS (METHODOLOGY)
Generic indicator for the Stuxnet virus. When loaded, Stuxnet spawns lsass.exe in a suspended state. The malware then maps in its own executable section and fixes up the CONTEXT to point to the newly mapped-in section. This is a common task performed by malware, and it allows the malware to execute under the guise of a known and trusted process.
methodology
Mandiant
0001-01-01T00:00:00
.stub
mdmcpq3.PNF
mdmeric3.PNF
oem6C.PNF
oem7A.PNF
fs_rec.sys
mrxsmb.sys
sr.sys
fastfat.sys
mrxcls.sys
Realtek Semiconductor Corp
mrxnet.sys
Realtek Semiconductor Corp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls\ImagePath
mrxcls.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet\ImagePath
mrxnet.sys