Analysis
max time kernel: 80s
max time network: 79s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 15/10/2022, 21:00
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1011667993895383170/1030922342072848484/HansyEXITO_V2.bat
Resource: win10v2004-20220812-en
General
Target: https://cdn.discordapp.com/attachments/1011667993895383170/1030922342072848484/HansyEXITO_V2.bat
Malware Config
Signatures
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments: the vendor and product strings in the device class key name (here Disk&Ven_DADY&Prod_HARDDISK) and the FriendlyName value identify the disk model, which on a virtual machine usually reveals the hypervisor or analysis image. Note that all three IoCs below are attributed to taskmgr.exe (PID 1172), not to the submitted sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
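The following PowerShell script is an added example and is not part of the tria.ge report or the sample. It reproduces the registry reads behind the "Checks SCSI registry key(s)" signature (the device class names and the FriendlyName value under Enum\SCSI) so a defender can see exactly what a sandbox-detection check of this kind learns about a host. The list of flagged vendor strings is an assumption chosen for illustration; `DADY` is the vendor string of the analysis VM's disk seen in this report, and `CurrentControlSet` is the live alias of the `ControlSet001` path shown in the IoCs.

```powershell
# Added example, not part of the tria.ge report. Reproduces the Enum\SCSI reads that the
# "Checks SCSI registry key(s)" signature flags, and reports which disks look virtual.
$scsiRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI'

# Vendor/product substrings to flag. This list is an assumption for illustration;
# 'DADY' is the disk vendor string of the analysis VM seen in this report.
$flaggedStrings = @('VMware', 'VBOX', 'QEMU', 'Virtual', 'DADY')

function Get-ScsiDiskIdentity {
    param([string]$Root = $scsiRoot, [string[]]$Flagged = $flaggedStrings)

    # First level: device class keys such as Disk&Ven_DADY&Prod_HARDDISK
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $deviceClass = $_.PSChildName
        $vendor = $null; $product = $null
        if ($deviceClass -match 'Ven_([^&]*)&Prod_([^&]*)') {
            $vendor  = $Matches[1]
            $product = $Matches[2]
        }
        # Second level: device instance keys such as 4&215468a5&0&000000, which hold FriendlyName.
        # Only the instance key itself is read; its Properties subkey is not touched.
        Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $instance      = $_
            $instanceProps = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
            $friendlyName  = $instanceProps.FriendlyName
            $hits = $Flagged | Where-Object { $deviceClass -match $_ -or "$friendlyName" -match $_ }
            [pscustomobject]@{
                DeviceClass  = $deviceClass
                InstanceId   = $instance.PSChildName
                Vendor       = $vendor
                Product      = $product
                FriendlyName = $friendlyName
                Flagged      = [bool]$hits
                MatchedOn    = ($hits -join ',')
            }
        }
    }
}

Get-ScsiDiskIdentity | Format-Table -AutoSize
```

Running this on an analysis VM shows the same key names and FriendlyName value that the signature records; running it on a physical workstation shows real vendor strings and no flagged rows. Because the keys are also read by ordinary Windows components (the report attributes them to taskmgr.exe), the registry reads alone are weak evidence of evasion; they become meaningful when a sample reads them and then changes behavior.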
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 467899b2bcaed801 | iexplore.exe
Modifies Internet Explorer settings 29 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "623367475" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "623367475" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30990570" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372639871" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{507B814C-4CDD-11ED-AECB-5EAE84113378} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\RepId | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{EED97B39-967A-4B55-BAA2-398E688E426A}" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30990570" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid | Process
1172 | taskmgr.exe (37 occurrences)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1172 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1172 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1172 | taskmgr.exe
Suspicious use of FindShellTrayWindow 50 IoCs
pid | Process
3508 | iexplore.exe (2 occurrences)
1172 | taskmgr.exe (48 occurrences)
Suspicious use of SendNotifyMessage 48 IoCs
pid | Process
1172 | taskmgr.exe (48 occurrences)
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
3508 | iexplore.exe (2 occurrences)
4672 | IEXPLORE.EXE (2 occurrences)
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 3508 wrote to memory of 4672 | 3508 | iexplore.exe | 79 (3 occurrences)
Processes
C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/1011667993895383170/1030922342072848484/HansyEXITO_V2.bat
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3508
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 3508)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3508 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4672
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:2216
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1172
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\94PW68LC\HansyEXITO_V2.bat.4s45aax.partial
Filesize: 13KB
MD5: 3ded60f5f61f815179b8fa023d440e14
SHA1: 81d491e7d618d7f9747f4a9dd6aa3a1174522c45
SHA256: 72a93cac83590bd2cfe5dada868dd6d6ec18132a2840f4a7913d521b522fb24a
SHA512: 959b2e9f860c55f451d3d8394e7c12d8554302846c666b29982071db554d11595e452263fe994374e7ce06008fec7db445c3912d98a9777ea0b6816a622025f2
The only file captured is Internet Explorer's in-progress download (.partial in INetCache) of the submitted .bat. The process tree contains no cmd.exe, so the batch file itself was not executed in this run and the signatures above reflect iexplore.exe and taskmgr.exe activity rather than the sample's own behavior.