An analyst runs 'regshot' before and after executing a suspicious binary. The report shows that the binary added a value to HKLM\SYSTEM\CurrentControlSet\Services\MyService with 'ImagePath' pointing to C:\Windows\system32\malware.exe and 'Start' set to 2. What is the MOST likely purpose?
Setting Start=2 means the service starts automatically at boot, ensuring persistence.
Why this answer
The binary added a service entry under HKLM\SYSTEM\CurrentControlSet\Services\MyService with 'ImagePath' pointing to malware.exe and 'Start' set to 2 (SERVICE_AUTO_START). A 'Start' value of 2 configures the Service Control Manager to launch the service automatically at system boot, so the malware is executed on every reboot without further user interaction, which is a classic persistence mechanism.
Exam trap
EC-Council often tests the distinction between creating a new service for persistence versus modifying an existing service's startup type or disabling it, and candidates may confuse the 'Start' value of 2 (auto-start) with a disabled state (value 4).
How to eliminate wrong answers
Option A is wrong because hiding network connections is typically achieved by rootkits, API hooking, or manipulating network stack components (e.g., NDIS drivers), not by simply adding a service entry. Option B is wrong because encrypting files is a ransomware behavior that would involve file system operations or cryptographic API calls, not merely creating a service with an ImagePath. Option C is wrong because disabling a legitimate service would involve modifying the 'Start' value of an existing service (e.g., setting it to 4 for disabled) or deleting it, not creating a new service with a malicious ImagePath.