
Analysis

  • max time kernel
    35s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/02/2024, 11:10

General

  • Target

    9703a7ad5b71a87895c075c7fe087fed.exe

  • Size

    456KB

  • MD5

    9703a7ad5b71a87895c075c7fe087fed

  • SHA1

    728a63ce3de8598090ca25d47cab15259dd764a5

  • SHA256

    715e35291e79f3844dd2c2b6286c1adfb6ca4314186ed29251eb7720ccc29c90

  • SHA512

    ec9ed1cb45fa634d33e7ebffb7d2393ae104e5365789fc9f50e8fb2ebd5f1e5e8fef6c6128cb8d61b131f1a9d33fa17aed9d1df2cd03a42a54cbbbc70f82c8cd

  • SSDEEP

    12288:JyUChnrsy/Ay4aUi8YRVkvtmFW/OZM9+1+gWQbHyuG9peWx5XyyzcW3bROnkg4:JyUChrsYT8YRivyW/eMIFM900Xyy3bRj

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Disables RegEdit via registry modification 3 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 6 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 41 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • System policy modification 1 TTPs 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9703a7ad5b71a87895c075c7fe087fed.exe
    "C:\Users\Admin\AppData\Local\Temp\9703a7ad5b71a87895c075c7fe087fed.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\SysWOW64\net.exe
        net share "phim_hai_hay=C:\Documents and Settings\Temp"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
          4⤵
          PID:2176
    • C:\WINDOWS\h2s.exe
      C:\WINDOWS\h2s.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4904
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3304
        • C:\Windows\SysWOW64\net.exe
          net share "phim_hai_hay=C:\Documents and Settings\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3796
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
            5⤵
            PID:4168
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 632
        3⤵
        • Program crash
        PID:352
    • C:\WINDOWS\system\lsass.exe
      C:\WINDOWS\system\lsass.exe
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1916
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3688
        • C:\Windows\SysWOW64\net.exe
          net share "phim_hai_hay=C:\Documents and Settings\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4484
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
            5⤵
            PID:2568
    • C:\Windows\SysWOW64\explorer.exe
      explorer 9703a7ad5b71a87895c075c7fe087fed
      2⤵
      PID:3888
    • C:\WINDOWS\h2s.exe
      C:\WINDOWS\h2s.exe
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1840
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        3⤵
        PID:3516
      • C:\WINDOWS\nacl.exe
        C:\WINDOWS\nacl.exe
        3⤵
        • Modifies WinLogon for persistence
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3100
        • C:\Windows\SysWOW64\cmd.exe
          cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
          4⤵
          PID:4088
      • C:\WINDOWS\system\lsass.exe
        C:\WINDOWS\system\lsass.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Windows\SysWOW64\cmd.exe
          cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
          4⤵
          PID:3300
    • C:\WINDOWS\system\lsass.exe
      C:\WINDOWS\system\lsass.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        3⤵
        PID:412
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4904 -ip 4904
    1⤵
    PID:2512
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3792
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\1[1].htm
    Filesize: 1KB
    MD5: 5ac3ebbe736c35e4482520233567d79f
    SHA1: 1157dd90a5a4edd98b931e40903f0b07562f0dea
    SHA256: 1900ed0daddae6fa0150982f8abe1cdf8e6f17583e5a78f94cb02d0c0dfda009
    SHA512: cb7e8c135d31694a55d8bfc095f0155be16a49020e351d05416e4147952ce3aa5286f6b41190ab800e40d6f419beac8beccb14af42f4c5e168884bec42a76bf7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\1[2].htm
    Filesize: 1KB
    MD5: 38a581cf5e81e70ede9cdf80ddca5367
    SHA1: 1e4eabf15a242060311a4b333f59d82b6c977107
    SHA256: 56f1a52142a53f887c23656a1534bf08e9c194cf53b6939b6530b32f39741ac7
    SHA512: 3519815d6f6042f3be94436453a65b264a4ad7e37e690d0ccb0533c8f6938bdb014940d90ca76741cf998a5982410b0652ecacb9886220cafc122109500de8e3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\2[1].htm
    Filesize: 1KB
    MD5: 1194a7387adde56cdb6a750824685512
    SHA1: 98e22523c2c28a1c3be17d8cfe0df942ccfcc698
    SHA256: 16467c833048daf98940014822c542eb2df990830245cd74dd58a3be1b3f8181
    SHA512: 1ebbd9f36b0be2d5bc9ef7b8d5e38e932d75ab618cca31186a0e98965018da34460b4109ab9a4315d936a53185c9c9757582a2d67fa3661134073205d0353a32

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\2[2].htm
    Filesize: 1KB
    MD5: fc5f75899f96901d7b68297cab66fcbd
    SHA1: 4bdef6972e8ebb5cdc29c231290f0be1a93f240c
    SHA256: e1b152aa5d78cdfcd45a9fc1fe3864aee8292a2a1d0b39c6f31604e30147c864
    SHA512: a82cda8a81d4cecbd6f0f574b83d6d7d7818503eb747e33002c32bea5402e377fcb65961bc27e83a790356313375d62365ccb6b035a2f9477758126364d7e30d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\3[1].htm
    Filesize: 1KB
    MD5: db84a53c72865150995116f5c1896474
    SHA1: 1417aea39d8d9ef319198e0299b4382108ee6b9b
    SHA256: 559ee41bec246292aea5faf13f3d6b9133e78261aa9ff7ac2fb7bd7c1f59d435
    SHA512: e729313b008cfd181b4fe74e619afa94a01710617ab5d7f444c500c137981e732f6571ee491691843459082acc3e80c0c9b7ddf0f78951bb721bc381d6c21dad

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\4[1].htm
    Filesize: 1KB
    MD5: 26dbbfa4f4c4c5ac41a06b57220aa9c2
    SHA1: cf406eea6749431b44a7d5e5841acde17ae5b0f8
    SHA256: 4c551a8d59f7ad842bc6bdf5ff4ec3839a36709404261667e7db33ceaadc6066
    SHA512: 759cefb0878b96c8d220af87a1168bdd2f44b9c6ada0e222e6889348bd18dcfc3807791f5fcea5b21ef9386f6e2e624e0ce506fd1700c098767c75b69c3fa123

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\5[1].htm
    Filesize: 1KB
    MD5: b13a05badede211a6809cbab2b1684cb
    SHA1: 042c236774516a53871c3a0f27479e73b04cf9a7
    SHA256: f2bae983864e2244e327a9d2dad6ad86c21ce055184d761ec6586216a9348fa7
    SHA512: 3d1a66983c067ababbcc5eb42bb079820c10e5e145e6ca4693fb7deb3ecdf2d8affb3bf6ca0f58b9ccda8daef74009da038a0495b0cf64a677b80a4b818cecc6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\5[2].htm
    Filesize: 1KB
    MD5: 3195bff646b36d30cecce13476b5fbaa
    SHA1: 9a8bba599a8a6249936dfc22628bf4b75d211240
    SHA256: 0f0ad0df57c828a7b8c2fb59da778a2afca3ae06606f5e8d5829381a93480e99
    SHA512: ca35c6554fdee9d22896f4822c32f84867691f52f406862bc23e7f103224bc3f69edf595da19e762f98766c14fe5a22faf9359aa3ec1228079fc038f91db3fe5

  • C:\WINDOWS\system32\drivers\etc\hosts
    Filesize: 578B
    MD5: 4cedd41692993cf5a0a40baeb724b871
    SHA1: fc1eeb1d88966ea4a816bcbdab320830b6f70261
    SHA256: fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695
    SHA512: e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

  • C:\Windows\h2s.exe
    Filesize: 456KB
    MD5: 9703a7ad5b71a87895c075c7fe087fed
    SHA1: 728a63ce3de8598090ca25d47cab15259dd764a5
    SHA256: 715e35291e79f3844dd2c2b6286c1adfb6ca4314186ed29251eb7720ccc29c90
    SHA512: ec9ed1cb45fa634d33e7ebffb7d2393ae104e5365789fc9f50e8fb2ebd5f1e5e8fef6c6128cb8d61b131f1a9d33fa17aed9d1df2cd03a42a54cbbbc70f82c8cd

  • memory/1840-98-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB

  • memory/1916-97-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB

  • memory/2520-0-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB

  • memory/2520-76-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB

  • memory/3100-99-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB

  • memory/4576-75-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB

  • memory/4576-69-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB

  • memory/4832-96-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB

  • memory/4904-48-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB