Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 12/02/2024, 11:10
Behavioral task behavioral1
Sample: 9703a7ad5b71a87895c075c7fe087fed.exe
Resource: win7-20231129-en
Behavioral task behavioral2
Sample: 9703a7ad5b71a87895c075c7fe087fed.exe
Resource: win10v2004-20231215-en
General
Target: 9703a7ad5b71a87895c075c7fe087fed.exe
Size: 456KB
MD5: 9703a7ad5b71a87895c075c7fe087fed
SHA1: 728a63ce3de8598090ca25d47cab15259dd764a5
SHA256: 715e35291e79f3844dd2c2b6286c1adfb6ca4314186ed29251eb7720ccc29c90
SHA512: ec9ed1cb45fa634d33e7ebffb7d2393ae104e5365789fc9f50e8fb2ebd5f1e5e8fef6c6128cb8d61b131f1a9d33fa17aed9d1df2cd03a42a54cbbbc70f82c8cd
SSDEEP: 12288:JyUChnrsy/Ay4aUi8YRVkvtmFW/OZM9+1+gWQbHyuG9peWx5XyyzcW3bROnkg4:JyUChrsYT8YRivyW/eMIFM900Xyy3bRj
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe" (process: h2s.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe" (process: nacl.exe)
Disables RegEdit via registry modification (2 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: nacl.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: h2s.exe)
Disables Task Manager via registry modification
Drops file in Drivers directory (1 IoC)
File opened for modification C:\WINDOWS\system32\drivers\etc\hosts (process: nacl.exe)
Executes dropped EXE (6 IoCs)
PID 2204 h2s.exe
PID 2612 lsass.exe
PID 2640 nacl.exe
PID 2576 lsass.exe
PID 1804 h2s.exe
PID 2524 lsass.exe
Loads dropped DLL (4 IoCs)
PID 2092 9703a7ad5b71a87895c075c7fe087fed.exe
PID 2092 9703a7ad5b71a87895c075c7fe087fed.exe
PID 2204 h2s.exe
PID 2092 9703a7ad5b71a87895c075c7fe087fed.exe
Resources matching yara_rule upx:
behavioral1/memory/2092-1-0x0000000000400000-0x0000000000482000-memory.dmp
behavioral1/files/0x000a0000000155fd-10.dat
behavioral1/memory/2092-19-0x00000000026B0000-0x0000000002732000-memory.dmp
behavioral1/memory/2092-52-0x0000000000400000-0x0000000000482000-memory.dmp
behavioral1/memory/2576-60-0x0000000000400000-0x0000000000482000-memory.dmp
behavioral1/memory/2204-61-0x0000000000400000-0x0000000000482000-memory.dmp
behavioral1/memory/1804-71-0x0000000000400000-0x0000000000482000-memory.dmp
behavioral1/memory/2524-79-0x0000000000400000-0x0000000000482000-memory.dmp
behavioral1/memory/2092-82-0x0000000000400000-0x0000000000482000-memory.dmp
behavioral1/memory/2640-83-0x0000000000400000-0x0000000000482000-memory.dmp
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe" (process: h2s.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe" (process: nacl.exe)
Drops file in Windows directory (12 IoCs)
File created C:\WINDOWS\userinit.exe (process: 9703a7ad5b71a87895c075c7fe087fed.exe)
File created C:\WINDOWS\h2s.exe (process: 9703a7ad5b71a87895c075c7fe087fed.exe)
File opened for modification C:\WINDOWS\system\lsass.exe (process: 9703a7ad5b71a87895c075c7fe087fed.exe)
File created C:\WINDOWS\nacl.exe (process: 9703a7ad5b71a87895c075c7fe087fed.exe)
File opened for modification C:\WINDOWS\nacl.exe (process: 9703a7ad5b71a87895c075c7fe087fed.exe)
File created C:\WINDOWS\nacl.exe (process: h2s.exe)
File created C:\WINDOWS\system\lsass.exe (process: h2s.exe)
File opened for modification C:\WINDOWS\userinit.exe (process: 9703a7ad5b71a87895c075c7fe087fed.exe)
File opened for modification C:\WINDOWS\h2s.exe (process: 9703a7ad5b71a87895c075c7fe087fed.exe)
File created C:\WINDOWS\system\lsass.exe (process: 9703a7ad5b71a87895c075c7fe087fed.exe)
File opened for modification C:\WINDOWS\nacl.exe (process: h2s.exe)
File opened for modification C:\WINDOWS\system\lsass.exe (process: h2s.exe)
Modifies Internet Explorer settings
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar (process: explorer.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" (process: explorer.exe)
Modifies registry class (37 IoCs)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (12 IoCs)
PID 2092 9703a7ad5b71a87895c075c7fe087fed.exe
PID 2092 9703a7ad5b71a87895c075c7fe087fed.exe
PID 2204 h2s.exe
PID 2204 h2s.exe
PID 2640 nacl.exe
PID 2640 nacl.exe
PID 2576 lsass.exe
PID 2576 lsass.exe
PID 1804 h2s.exe
PID 1804 h2s.exe
PID 2524 lsass.exe
PID 2524 lsass.exe
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTP, 6 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0" (process: nacl.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: h2s.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" (process: h2s.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0" (process: h2s.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: nacl.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" (process: nacl.exe)
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\9703a7ad5b71a87895c075c7fe087fed.exe (PID 2092)
Command line: "C:\Users\Admin\AppData\Local\Temp\9703a7ad5b71a87895c075c7fe087fed.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2368)
  Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe (PID 2584)
    Command line: net share "phim_hai_hay=C:\Documents and Settings\Temp"
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (PID 2660)
      Command line: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"

  C:\WINDOWS\h2s.exe (PID 2204)
  Command line: C:\WINDOWS\h2s.exe
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\SysWOW64\cmd.exe (PID 2668)
    Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 1636)
      Command line: net share "phim_hai_hay=C:\Documents and Settings\Temp"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2864)
        Command line: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"

    C:\WINDOWS\nacl.exe (PID 2640)
    Command line: C:\WINDOWS\nacl.exe
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

      C:\Windows\SysWOW64\cmd.exe (PID 2520)
      Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &

    C:\WINDOWS\system\lsass.exe (PID 2576)
    Command line: C:\WINDOWS\system\lsass.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 2156)
      Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &

  C:\WINDOWS\system\lsass.exe (PID 2612)
  Command line: C:\WINDOWS\system\lsass.exe
  - Executes dropped EXE

  C:\Windows\SysWOW64\explorer.exe (PID 2340)
  Command line: explorer 9703a7ad5b71a87895c075c7fe087fed

  C:\WINDOWS\h2s.exe (PID 1804)
  Command line: C:\WINDOWS\h2s.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2444)
    Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &

  C:\WINDOWS\system\lsass.exe (PID 2524)
  Command line: C:\WINDOWS\system\lsass.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe (PID 2836)
    Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &

C:\Windows\explorer.exe (PID 1820)
Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
Downloads
Filesize: 456KB
MD5: 9703a7ad5b71a87895c075c7fe087fed
SHA1: 728a63ce3de8598090ca25d47cab15259dd764a5
SHA256: 715e35291e79f3844dd2c2b6286c1adfb6ca4314186ed29251eb7720ccc29c90
SHA512: ec9ed1cb45fa634d33e7ebffb7d2393ae104e5365789fc9f50e8fb2ebd5f1e5e8fef6c6128cb8d61b131f1a9d33fa17aed9d1df2cd03a42a54cbbbc70f82c8cd