Analysis
- max time kernel: 35s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/02/2024, 11:10
Behavioral tasks
- behavioral1: sample 9703a7ad5b71a87895c075c7fe087fed.exe, resource win7-20231129-en
- behavioral2: sample 9703a7ad5b71a87895c075c7fe087fed.exe, resource win10v2004-20231215-en (the run reported on this page; the platform above and the behavioral2 memory dumps in the yara hits refer to it)
General
- Target: 9703a7ad5b71a87895c075c7fe087fed.exe
- Size: 456KB
- MD5: 9703a7ad5b71a87895c075c7fe087fed
- SHA1: 728a63ce3de8598090ca25d47cab15259dd764a5
- SHA256: 715e35291e79f3844dd2c2b6286c1adfb6ca4314186ed29251eb7720ccc29c90
- SHA512: ec9ed1cb45fa634d33e7ebffb7d2393ae104e5365789fc9f50e8fb2ebd5f1e5e8fef6c6128cb8d61b131f1a9d33fa17aed9d1df2cd03a42a54cbbbc70f82c8cd
- SSDEEP: 12288:JyUChnrsy/Ay4aUi8YRVkvtmFW/OZM9+1+gWQbHyuG9peWx5XyyzcW3bROnkg4:JyUChrsYT8YRivyW/eMIFM900Xyy3bRj
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe" (lsass.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe" (h2s.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe" (nacl.exe)
Note: the stock Userinit value is "C:\Windows\system32\userinit.exe," (with a trailing comma). Each dropped copy rewrites it to the sample's own C:\WINDOWS\userinit.exe (listed under "Drops file in Windows directory" below), so winlogon launches the malware at every interactive logon in place of the real userinit; whether the dropped copy chains to the original is not shown in this report. The sample is 32-bit (its children are the SysWOW64 cmd.exe and net.exe), so the write was redirected into the WOW6432Node view of the key. When hunting on 64-bit hosts, check both the native and the WOW6432Node Winlogon keys.
Disables RegEdit via registry modification (3 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (h2s.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (nacl.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (lsass.exe)
Disables Task Manager via registry modification (signature fired; the report lists no IoC rows for it)
Executes dropped EXE (6 IoCs)
- PID 4904 h2s.exe
- PID 1916 lsass.exe
- PID 1840 h2s.exe
- PID 4576 lsass.exe
- PID 3100 nacl.exe
- PID 4832 lsass.exe
UPX packed file (yara rule upx, 10 IoCs; the heading is missing from the extracted page and is reconstructed from the rule name)
- behavioral2/memory/2520-0-0x0000000000400000-0x0000000000482000-memory.dmp
- behavioral2/files/0x0006000000023244-8.dat
- behavioral2/memory/4904-48-0x0000000000400000-0x0000000000482000-memory.dmp
- behavioral2/memory/4576-69-0x0000000000400000-0x0000000000482000-memory.dmp
- behavioral2/memory/4576-75-0x0000000000400000-0x0000000000482000-memory.dmp
- behavioral2/memory/2520-76-0x0000000000400000-0x0000000000482000-memory.dmp
- behavioral2/memory/4832-96-0x0000000000400000-0x0000000000482000-memory.dmp
- behavioral2/memory/1916-97-0x0000000000400000-0x0000000000482000-memory.dmp
- behavioral2/memory/1840-98-0x0000000000400000-0x0000000000482000-memory.dmp
- behavioral2/memory/3100-99-0x0000000000400000-0x0000000000482000-memory.dmp
Note: the original (PID 2520) and every dropped copy (h2s.exe, lsass.exe, nacl.exe) map the same 0x400000-0x482000 image and match the upx rule, as does the dropped-file dump. This is consistent with the dropped executables being copies of the sample rather than a separate second stage; the Downloads section lists a 456KB dropped file with the sample's hashes.
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe" (nacl.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe" (lsass.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe" (h2s.exe)
Drops file in System32 directory (2 IoCs)
- File created C:\WINDOWS\SysWOW64\link.sys (h2s.exe)
- File opened for modification C:\WINDOWS\SysWOW64\link.sys (h2s.exe)
Note: SysWOW64 is the "System32" a 32-bit process sees through file-system redirection. Despite the .sys extension, the report records no service creation or driver load for link.sys.
Drops file in Windows directory (12 IoCs)
- File created C:\WINDOWS\nacl.exe (h2s.exe)
- File created C:\WINDOWS\system\lsass.exe (h2s.exe)
- File created C:\WINDOWS\system\lsass.exe (9703a7ad5b71a87895c075c7fe087fed.exe)
- File opened for modification C:\WINDOWS\system\lsass.exe (9703a7ad5b71a87895c075c7fe087fed.exe)
- File created C:\WINDOWS\h2s.exe (9703a7ad5b71a87895c075c7fe087fed.exe)
- File opened for modification C:\WINDOWS\h2s.exe (9703a7ad5b71a87895c075c7fe087fed.exe)
- File created C:\WINDOWS\nacl.exe (9703a7ad5b71a87895c075c7fe087fed.exe)
- File opened for modification C:\WINDOWS\nacl.exe (9703a7ad5b71a87895c075c7fe087fed.exe)
- File opened for modification C:\WINDOWS\nacl.exe (h2s.exe)
- File opened for modification C:\WINDOWS\system\lsass.exe (h2s.exe)
- File created C:\WINDOWS\userinit.exe (9703a7ad5b71a87895c075c7fe087fed.exe)
- File opened for modification C:\WINDOWS\userinit.exe (9703a7ad5b71a87895c075c7fe087fed.exe)
Note: C:\WINDOWS\system\lsass.exe is not the Local Security Authority process; the real one is C:\Windows\System32\lsass.exe, and the process tree's lsass.exe entries all run from the \system\ path. Likewise C:\WINDOWS\userinit.exe is the file the hijacked Winlogon value points at, not the real C:\Windows\system32\userinit.exe.
Program crash (1 IoCs)
- PID 352 WerFault.exe, target PID 4904 (h2s.exe), procid_target 86
Modifies Internet Explorer settings (4 IoCs; the heading is missing from the extracted page and is reconstructed from the process tree, where explorer.exe PID 3792 carries this signature)
- Set value (data) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Toolbar (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser (explorer.exe)
Modifies registry class (41 IoCs)
All 41 writes are by explorer.exe (PID 3792 in the process tree). Paths below are relative to \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\ unless written in full.
- Key created BagMRU\0\0\0\0\0\0\0
- Set value (data) BagMRU\NodeSlots = 02
- Key created Bags
- Set value (data) BagMRU\MRUListEx = ffffffff
- Set value (data) BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
- Set value (data) BagMRU\0\0\0\0 = 50003100000000008f572361100041646d696e003c0009000400efbe8f578f5b4c5850592e0000008ae101000000010000000000000000000000000000009e1b2d00410064006d0069006e00000014000000
- Set value (data) BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff
- Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
- Key created BagMRU
- Key created BagMRU\0\0\0\0\0\0\0\0
- Set value (int) BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"
- Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings
- Set value (data) BagMRU\0\0\MRUListEx = 00000000ffffffff
- Set value (data) BagMRU\0\0\0\0\0\0 = 50003100000000008f57f75d10004c6f63616c003c0009000400efbe8f578f5b4c5850592e000000a8e101000000010000000000000000000000000000006d75ea004c006f00630061006c00000014000000
- Key created Bags\1\Shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- Key created Bags\AllFolders\Shell
- Set value (data) Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000
- Set value (data) BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
- Set value (data) BagMRU\0\0\0 = 78003100000000004c5850591100557365727300640009000400efbe874f77484c5850592e000000c70500000000010000000000000000003a0000000000df49f70055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000
- Set value (data) BagMRU\0\0\0\MRUListEx = 00000000ffffffff
- Set value (data) BagMRU\0\0\0\0\0\0\0\0 = 8a003100000000004c58505910003937303341377e310000720009000400efbe4c5850594c5850592e00000042320200000006000000000000000000000000000000f0e7f40039003700300033006100370061006400350062003700310061003800370038003900350063003000370035006300370066006500300038003700660065006400000018000000
- Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- Key created Bags\AllFolders
- Set value (data) BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff
- Set value (data) BagMRU\NodeSlots (value not shown in the report)
- Key created BagMRU\0
- Set value (data) BagMRU\MRUListEx = 00000000ffffffff
- Key created BagMRU\0\0
- Set value (data) BagMRU\0\MRUListEx = 00000000ffffffff
- Set value (data) BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff
- Set value (data) BagMRU\0\0\0\0\0\0\0 = 4e003100000000004c585259100054656d7000003a0009000400efbe8f578f5b4c5852592e000000a9e1010000000100000000000000000000000000000084fbe800540065006d007000000014000000
- Set value (data) BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff
- Set value (str) Bags\1\Shell\SniffedFolderType = "Generic"
- Key created BagMRU\0\0\0
- Key created BagMRU\0\0\0\0
- Key created Bags\1
- Set value (data) BagMRU\0\0\0\0\0 = 56003100000000008f578f5b12004170704461746100400009000400efbe8f578f5b4c5850592e00000095e1010000000100000000000000000000000000000098ba43004100700070004400610074006100000016000000
- Key created BagMRU\0\0\0\0\0
- Key created BagMRU\0\0\0\0\0\0
- Set value (data) BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff
Note: these are ShellBag entries. The names embedded in the BagMRU items decode to Users, Admin, AppData, Local, Temp and an item named 9703a7ad5b71a87895c075c7fe087fed (8.3 name 9703A7~1), i.e. Explorer navigating to the sample's location under C:\Users\Admin\AppData\Local\Temp after the sample launched "explorer 9703a7ad5b71a87895c075c7fe087fed" (PID 3888 in the tree). They are Explorer housekeeping triggered by that launch, not persistence by the malware.
Runs net.exe (the net share command lines are shown in the process tree below)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
- PID 3792 explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 process-enumeration events, by process and PID: lsass.exe 1916 (22), h2s.exe 1840 (18), nacl.exe 3100 (18), h2s.exe 4904 (2), lsass.exe 4576 (2), lsass.exe 4832 (2)
Suspicious use of SetWindowsHookEx (16 IoCs)
Two events each from: PID 2520 9703a7ad5b71a87895c075c7fe087fed.exe, PID 4904 h2s.exe, PID 1916 lsass.exe, PID 1840 h2s.exe, PID 4576 lsass.exe, PID 3792 explorer.exe, PID 3100 nacl.exe, PID 4832 lsass.exe
Suspicious use of WriteProcessMemory (60 IoCs)
Each parent/child pair below appears three times in the report, one pair per process creation in the tree; the child image name is taken from the process tree.
- 2520 9703a7ad5b71a87895c075c7fe087fed.exe wrote to 4504 cmd.exe (procid_target 84)
- 2520 9703a7ad5b71a87895c075c7fe087fed.exe wrote to 4904 h2s.exe (procid_target 86)
- 4504 cmd.exe wrote to 4228 net.exe (procid_target 87)
- 4228 net.exe wrote to 2176 net1.exe (procid_target 88)
- 4904 h2s.exe wrote to 3304 cmd.exe (procid_target 89)
- 3304 cmd.exe wrote to 3796 net.exe (procid_target 91)
- 3796 net.exe wrote to 4168 net1.exe (procid_target 92)
- 2520 9703a7ad5b71a87895c075c7fe087fed.exe wrote to 1916 lsass.exe (procid_target 97)
- 1916 lsass.exe wrote to 3688 cmd.exe (procid_target 98)
- 3688 cmd.exe wrote to 4484 net.exe (procid_target 100)
- 4484 net.exe wrote to 2568 net1.exe (procid_target 101)
- 2520 9703a7ad5b71a87895c075c7fe087fed.exe wrote to 3888 explorer.exe (procid_target 103)
- 2520 9703a7ad5b71a87895c075c7fe087fed.exe wrote to 1840 h2s.exe (procid_target 105)
- 1840 h2s.exe wrote to 3516 cmd.exe (procid_target 106)
- 2520 9703a7ad5b71a87895c075c7fe087fed.exe wrote to 4576 lsass.exe (procid_target 107)
- 4576 lsass.exe wrote to 412 cmd.exe (procid_target 109)
- 1840 h2s.exe wrote to 3100 nacl.exe (procid_target 111)
- 3100 nacl.exe wrote to 4088 cmd.exe (procid_target 112)
- 1840 h2s.exe wrote to 4832 lsass.exe (procid_target 114)
- 4832 lsass.exe wrote to 3300 cmd.exe (procid_target 115)
System policy modification (1 TTPs, 9 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (h2s.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0" (h2s.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (nacl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" (nacl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0" (nacl.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (lsass.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" (lsass.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0" (lsass.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" (h2s.exe)
Note: NoRun and NoFolderOptions are written as 0, which is the permissive default (the Run dialog and Folder Options stay available), so these writes only create the machine-wide policy key. The restrictive change in this run is DisableRegistryTools = 1 under the user hive listed above.
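As an added host-triage example (my own script, not part of the tria.ge report and not code from the sample), the PowerShell below checks a host for the persistence and policy changes the signatures above record: the Winlogon userinit value in both registry views, the Run value pikachu, DisableRegistryTools, the five dropped paths, and the phim_hai_hay share. Assumptions not taken from the report: the stock Userinit default ("%SystemRoot%\system32\userinit.exe,"), the standard DisableTaskMgr value name for the Task Manager signature that has no IoC row, and the choice to compare dropped-file hashes against the sample's SHA256 from the General section.

```powershell
# Added host-triage check for the indicators in this report. Not part of the
# tria.ge report or the sample. Run from an elevated PowerShell 5.1+ prompt on
# the host under examination. Paths, value names and the share name come from
# the report; the expected Userinit default, the DisableTaskMgr value name and
# the output format are my assumptions.

$SampleSha256 = '715e35291e79f3844dd2c2b6286c1adfb6ca4314186ed29251eb7720ccc29c90'
$Findings     = [System.Collections.Generic.List[string]]::new()

# 1. Winlogon Userinit hijack. The stock value is the System32 binary followed by
#    a comma; the sample points it at its own dropped C:\WINDOWS\userinit.exe.
#    The 32-bit sample wrote the WOW6432Node view, so check both views.
$ExpectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
foreach ($Key in @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon')) {
    $Userinit = (Get-ItemProperty -Path $Key -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($Userinit -and $Userinit -ne $ExpectedUserinit) {
        $Findings.Add("Userinit tampered in ${Key}: '$Userinit' (expected '$ExpectedUserinit')")
    }
}

# 2. Per-user Run value and policy restrictions. The report shows them under one
#    SID; walk every loaded hive under HKEY_USERS so other logged-on profiles are
#    covered too. DisableTaskMgr is the standard value name (assumed; the report
#    fired the Task Manager signature without listing the write).
foreach ($Hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $Sid = $Hive.PSChildName
    if ($Sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }   # skip _Classes, .DEFAULT, service SIDs

    $Run = Get-ItemProperty -Path "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($Run -and $Run.PSObject.Properties['pikachu']) {
        $Findings.Add("Run value 'pikachu' in $Sid -> $($Run.pikachu)")
    }

    $Policy = Get-ItemProperty -Path "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
    foreach ($Name in 'DisableRegistryTools', 'DisableTaskMgr') {
        if ($Policy -and $Policy.PSObject.Properties[$Name] -and $Policy.$Name -ne 0) {
            $Findings.Add("Policy $Name = $($Policy.$Name) in $Sid")
        }
    }
}

# 3. Dropped files. Every executable in the tree mapped the same UPX-packed image
#    and the Downloads section lists a 456 KB file with the sample's hashes, so a
#    matching SHA-256 confirms a byte-identical copy of the sample.
$DroppedPaths = @(
    "$env:SystemRoot\h2s.exe",
    "$env:SystemRoot\nacl.exe",
    "$env:SystemRoot\userinit.exe",          # hijack target; the real binary lives in system32
    "$env:SystemRoot\system\lsass.exe",      # note: \system\, not \System32\
    "$env:SystemRoot\SysWOW64\link.sys"
)
foreach ($Path in $DroppedPaths) {
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $Hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        $Match = if ($Hash -eq $SampleSha256) { 'matches sample SHA256' } else { "sha256 $Hash" }
        $Findings.Add("Dropped file present: $Path ($Match)")
    }
}

# 4. The share every process in the tree tries to create with net.exe.
$Share = Get-CimInstance -ClassName Win32_Share -Filter "Name = 'phim_hai_hay'" -ErrorAction SilentlyContinue
if ($Share) {
    $Findings.Add("SMB share phim_hai_hay exported from $($Share.Path)")
}

if ($Findings.Count -eq 0) {
    Write-Output 'No indicators from this report were found on this host.'
} else {
    $Findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The Userinit comparison is deliberately an inequality against the stock value rather than a match on the sample's string, so any other hijack of that value is surfaced as well. A hit on the dropped paths should be followed by checking whether the file is still running (the tree shows the copies re-launching each other), and the share should be removed with net share phim_hai_hay /delete only after the persistence entries are cleaned, since each copy recreates it on start.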
Processes
The tree below is flattened from the report: the bracketed number is the nesting depth the report shows, "cmdline" is the recorded command line, and the indented bullets are the signatures Triage attributes to that process. Every copy of the malware runs the same command, cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" (the share name is Vietnamese for "good comedy films"), which tries to export a directory under the Windows XP-era C:\Documents and Settings path; on Windows Vista and later that path exists only as a compatibility junction, and the report does not show whether the share was created. The explorer.exe and rundll32.exe entries at depth 1 carry the -Embedding flag of COM local-server activation and are started by the shell, not spawned directly by the sample.

[1] C:\Users\Admin\AppData\Local\Temp\9703a7ad5b71a87895c075c7fe087fed.exe  (PID 2520)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\9703a7ad5b71a87895c075c7fe087fed.exe"
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 4504)
        cmdline: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\net.exe  (PID 4228)
            cmdline: net share "phim_hai_hay=C:\Documents and Settings\Temp"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\net1.exe  (PID 2176)
                cmdline: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
    [2] C:\WINDOWS\h2s.exe  (PID 4904)
        cmdline: C:\WINDOWS\h2s.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 3304)
            cmdline: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\net.exe  (PID 3796)
                cmdline: net share "phim_hai_hay=C:\Documents and Settings\Temp"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\net1.exe  (PID 4168)
                    cmdline: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
        [3] C:\Windows\SysWOW64\WerFault.exe  (PID 352)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 632
            - Program crash
    [2] C:\WINDOWS\system\lsass.exe  (PID 1916)
        cmdline: C:\WINDOWS\system\lsass.exe
        - Modifies WinLogon for persistence
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 3688)
            cmdline: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\net.exe  (PID 4484)
                cmdline: net share "phim_hai_hay=C:\Documents and Settings\Temp"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\net1.exe  (PID 2568)
                    cmdline: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
    [2] C:\Windows\SysWOW64\explorer.exe  (PID 3888)
        cmdline: explorer 9703a7ad5b71a87895c075c7fe087fed
    [2] C:\WINDOWS\h2s.exe  (PID 1840)
        cmdline: C:\WINDOWS\h2s.exe
        - Modifies WinLogon for persistence
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 3516)
            cmdline: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        [3] C:\WINDOWS\nacl.exe  (PID 3100)
            cmdline: C:\WINDOWS\nacl.exe
            - Modifies WinLogon for persistence
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 4088)
                cmdline: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        [3] C:\WINDOWS\system\lsass.exe  (PID 4832)
            cmdline: C:\WINDOWS\system\lsass.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 3300)
                cmdline: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
    [2] C:\WINDOWS\system\lsass.exe  (PID 4576)
        cmdline: C:\WINDOWS\system\lsass.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 412)
            cmdline: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 2512)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4904 -ip 4904
[1] C:\Windows\explorer.exe  (PID 3792)
    cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\System32\rundll32.exe  (PID 2120)
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
Artefacts available for download from the run; the report gives sizes and hashes but not the paths.
- 1KB: MD5 5ac3ebbe736c35e4482520233567d79f, SHA1 1157dd90a5a4edd98b931e40903f0b07562f0dea, SHA256 1900ed0daddae6fa0150982f8abe1cdf8e6f17583e5a78f94cb02d0c0dfda009, SHA512 cb7e8c135d31694a55d8bfc095f0155be16a49020e351d05416e4147952ce3aa5286f6b41190ab800e40d6f419beac8beccb14af42f4c5e168884bec42a76bf7
- 1KB: MD5 38a581cf5e81e70ede9cdf80ddca5367, SHA1 1e4eabf15a242060311a4b333f59d82b6c977107, SHA256 56f1a52142a53f887c23656a1534bf08e9c194cf53b6939b6530b32f39741ac7, SHA512 3519815d6f6042f3be94436453a65b264a4ad7e37e690d0ccb0533c8f6938bdb014940d90ca76741cf998a5982410b0652ecacb9886220cafc122109500de8e3
- 1KB: MD5 1194a7387adde56cdb6a750824685512, SHA1 98e22523c2c28a1c3be17d8cfe0df942ccfcc698, SHA256 16467c833048daf98940014822c542eb2df990830245cd74dd58a3be1b3f8181, SHA512 1ebbd9f36b0be2d5bc9ef7b8d5e38e932d75ab618cca31186a0e98965018da34460b4109ab9a4315d936a53185c9c9757582a2d67fa3661134073205d0353a32
- 1KB: MD5 fc5f75899f96901d7b68297cab66fcbd, SHA1 4bdef6972e8ebb5cdc29c231290f0be1a93f240c, SHA256 e1b152aa5d78cdfcd45a9fc1fe3864aee8292a2a1d0b39c6f31604e30147c864, SHA512 a82cda8a81d4cecbd6f0f574b83d6d7d7818503eb747e33002c32bea5402e377fcb65961bc27e83a790356313375d62365ccb6b035a2f9477758126364d7e30d
- 1KB: MD5 db84a53c72865150995116f5c1896474, SHA1 1417aea39d8d9ef319198e0299b4382108ee6b9b, SHA256 559ee41bec246292aea5faf13f3d6b9133e78261aa9ff7ac2fb7bd7c1f59d435, SHA512 e729313b008cfd181b4fe74e619afa94a01710617ab5d7f444c500c137981e732f6571ee491691843459082acc3e80c0c9b7ddf0f78951bb721bc381d6c21dad
- 1KB: MD5 26dbbfa4f4c4c5ac41a06b57220aa9c2, SHA1 cf406eea6749431b44a7d5e5841acde17ae5b0f8, SHA256 4c551a8d59f7ad842bc6bdf5ff4ec3839a36709404261667e7db33ceaadc6066, SHA512 759cefb0878b96c8d220af87a1168bdd2f44b9c6ada0e222e6889348bd18dcfc3807791f5fcea5b21ef9386f6e2e624e0ce506fd1700c098767c75b69c3fa123
- 1KB: MD5 b13a05badede211a6809cbab2b1684cb, SHA1 042c236774516a53871c3a0f27479e73b04cf9a7, SHA256 f2bae983864e2244e327a9d2dad6ad86c21ce055184d761ec6586216a9348fa7, SHA512 3d1a66983c067ababbcc5eb42bb079820c10e5e145e6ca4693fb7deb3ecdf2d8affb3bf6ca0f58b9ccda8daef74009da038a0495b0cf64a677b80a4b818cecc6
- 1KB: MD5 3195bff646b36d30cecce13476b5fbaa, SHA1 9a8bba599a8a6249936dfc22628bf4b75d211240, SHA256 0f0ad0df57c828a7b8c2fb59da778a2afca3ae06606f5e8d5829381a93480e99, SHA512 ca35c6554fdee9d22896f4822c32f84867691f52f406862bc23e7f103224bc3f69edf595da19e762f98766c14fe5a22faf9359aa3ec1228079fc038f91db3fe5
- 578B: MD5 4cedd41692993cf5a0a40baeb724b871, SHA1 fc1eeb1d88966ea4a816bcbdab320830b6f70261, SHA256 fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695, SHA512 e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862
- 456KB: MD5 9703a7ad5b71a87895c075c7fe087fed, SHA1 728a63ce3de8598090ca25d47cab15259dd764a5, SHA256 715e35291e79f3844dd2c2b6286c1adfb6ca4314186ed29251eb7720ccc29c90, SHA512 ec9ed1cb45fa634d33e7ebffb7d2393ae104e5365789fc9f50e8fb2ebd5f1e5e8fef6c6128cb8d61b131f1a9d33fa17aed9d1df2cd03a42a54cbbbc70f82c8cd (identical in every hash to the submitted sample in the General section, consistent with the dropped executables being byte-identical copies of it)