Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

0b1582e704...b4.exe

windows7-x64

10

0b1582e704...b4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    12s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 20:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4.exe

  • Size

    188KB

  • MD5

    076f8351f13f7b87f0770d611b441c2c

  • SHA1

    ce60352c94d720928b66b191bd3f2b6df6f64505

  • SHA256

    0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

  • SHA512

    01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

  • SSDEEP

    1536:VjPzy7rAVb3n3gX72IEJ5NwE4G/a3hd+g/:JPzyXANQX729D4G/aR3

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • Disables RegEdit via registry modification 3 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 6 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in Windows directory 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 41 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4.exe
    "C:\Users\Admin\AppData\Local\Temp\0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\WINDOWS\h2s.exe
      C:\WINDOWS\h2s.exe
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3972
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:488
        • C:\Windows\SysWOW64\net.exe
          net share "phim_hai_hay=C:\Documents and Settings\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
            5⤵
              PID:4612
        • C:\WINDOWS\system\lsass.exe
          C:\WINDOWS\system\lsass.exe
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2316
        • C:\WINDOWS\nacl.exe
          C:\WINDOWS\nacl.exe
          3⤵
          • Modifies WinLogon for persistence
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4516
      • C:\WINDOWS\system\lsass.exe
        C:\WINDOWS\system\lsass.exe
        2⤵
        • Modifies WinLogon for persistence
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3192
        • C:\Windows\SysWOW64\cmd.exe
          cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
          3⤵
            PID:2304
        • C:\Windows\SysWOW64\cmd.exe
          cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1780
        • C:\Windows\SysWOW64\explorer.exe
          explorer 0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4
          2⤵
            PID:2044
          • C:\WINDOWS\h2s.exe
            C:\WINDOWS\h2s.exe
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4980
            • C:\Windows\SysWOW64\cmd.exe
              cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
              3⤵
                PID:3328
            • C:\WINDOWS\system\lsass.exe
              C:\WINDOWS\system\lsass.exe
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1012
              • C:\Windows\SysWOW64\cmd.exe
                cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
                3⤵
                  PID:3304
            • C:\Windows\SysWOW64\net.exe
              net share "phim_hai_hay=C:\Documents and Settings\Temp"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:4368
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
                2⤵
                  PID:3980
              • C:\Windows\SysWOW64\cmd.exe
                cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
                1⤵
                  PID:4108
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                  1⤵
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious use of SetWindowsHookEx
                  PID:4444
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
                  1⤵
                    PID:1604
                  • C:\Windows\System32\rundll32.exe
                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                    1⤵
                      PID:3612

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Documents and Settings\Temp\tuyen_tap_hai_2008.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\Documents and Settings\Temp\tuyen_tap_hai_2008.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\Documents and Settings\Temp\tuyen_tap_hai_2008.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\Documents and Settings\Temp\tuyen_tap_hai_2008.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\Documents and Settings\Temp\tuyen_tap_hai_2008.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\Documents and Settings\Temp\tuyen_tap_hai_2008.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\WINDOWS\h2s.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\WINDOWS\nacl.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\WINDOWS\system32\drivers\etc\hosts
                      Filesize

                      578B

                      MD5

                      4cedd41692993cf5a0a40baeb724b871

                      SHA1

                      fc1eeb1d88966ea4a816bcbdab320830b6f70261

                      SHA256

                      fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

                      SHA512

                      e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

                      Download Submit

                    • C:\WINDOWS\system32\drivers\etc\hosts
                      Filesize

                      578B

                      MD5

                      4cedd41692993cf5a0a40baeb724b871

                      SHA1

                      fc1eeb1d88966ea4a816bcbdab320830b6f70261

                      SHA256

                      fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

                      SHA512

                      e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

                      Download Submit

                    • C:\WINDOWS\system32\drivers\etc\hosts
                      Filesize

                      578B

                      MD5

                      4cedd41692993cf5a0a40baeb724b871

                      SHA1

                      fc1eeb1d88966ea4a816bcbdab320830b6f70261

                      SHA256

                      fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

                      SHA512

                      e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

                      Download Submit

                    • C:\WINDOWS\system32\drivers\etc\hosts
                      Filesize

                      578B

                      MD5

                      4cedd41692993cf5a0a40baeb724b871

                      SHA1

                      fc1eeb1d88966ea4a816bcbdab320830b6f70261

                      SHA256

                      fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

                      SHA512

                      e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

                      Download Submit

                    • C:\WINDOWS\system\lsass.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\Windows\System\lsass.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\Windows\System\lsass.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\Windows\System\lsass.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\Windows\h2s.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\Windows\h2s.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • C:\Windows\nacl.exe
                      Filesize

                      188KB

                      MD5

                      076f8351f13f7b87f0770d611b441c2c

                      SHA1

                      ce60352c94d720928b66b191bd3f2b6df6f64505

                      SHA256

                      0b1582e7049e28e0067dd8fcd2ada4636ded5df54ced2505f2852d96a8857cb4

                      SHA512

                      01667becb2906a2000467db6b8af51f086ce0424eb5d5cea73b5f622aaaaf1e14110c841acd304721fda35cb45d70fdcd392a846450e028274f72b4db44c2c78

                      Download Submit

                    • memory/2316-176-0x0000000000400000-0x000000000048D000-memory.dmp

                      Filesize

                      564KB

                      Download

                    • memory/3192-196-0x0000000000400000-0x000000000048D000-memory.dmp

                      Filesize

                      564KB

                      Download

                    • memory/3192-166-0x0000000000400000-0x000000000048D000-memory.dmp

                      Filesize

                      564KB

                      Download

                    • memory/3972-147-0x0000000000400000-0x000000000048D000-memory.dmp

                      Filesize

                      564KB

                      Download

                    • memory/3972-194-0x0000000000400000-0x000000000048D000-memory.dmp

                      Filesize

                      564KB

                      Download

                    • memory/4516-195-0x0000000000400000-0x000000000048D000-memory.dmp

                      Filesize

                      564KB

                      Download

                    • memory/4516-169-0x0000000000400000-0x000000000048D000-memory.dmp

                      Filesize

                      564KB

                      Download

                    • memory/4708-193-0x0000000000400000-0x000000000048D000-memory.dmp

                      Filesize

                      564KB

                      Download

                    • memory/4708-132-0x0000000000400000-0x000000000048D000-memory.dmp

                      Filesize

                      564KB

                      Download

                    • memory/4980-184-0x0000000000400000-0x000000000048D000-memory.dmp

                      Filesize

                      564KB

                      Download

                    • memory/4980-188-0x0000000000400000-0x000000000048D000-memory.dmp

                      Filesize

                      564KB

                      Download