Analysis
- max time kernel: 74s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 09:36
Behavioral task: behavioral1
- Sample: a9b79ea4ebc364778d7a234fb1802c80N.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: a9b79ea4ebc364778d7a234fb1802c80N.exe
- Resource: win10v2004-20240802-en
General
- Target: a9b79ea4ebc364778d7a234fb1802c80N.exe
- Size: 472KB
- MD5: a9b79ea4ebc364778d7a234fb1802c80
- SHA1: e692cb70b4289dfc0a758c8cd134e17b36af77a8
- SHA256: 61a2be81c4b96cc8404bdf4ef1085445277de8d519459f5350dd0ca3fe47b98a
- SHA512: 3ea1efbe45450163d575502cadfbc6d9f3bb91df1629b50ad50a6d66c488e2d49a0b34e1d60345b0f9a55c156e88d13e61e40e5d77a145bd356bddbe87d10399
- SSDEEP: 12288:a5yUChnrsy/Ay4aUi8YRVkvtmFW/OZM9+1+gWQbHyuG9peWx5XyyzcW3bROnkgR:a5yUChrsYT8YRivyW/eMIFM900Xyy3bs
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe" (h2s.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe" (lsass.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe" (nacl.exe)
Disables RegEdit via registry modification (3 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (h2s.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (lsass.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (nacl.exe)

Disables Task Manager via registry modification
Drops file in Drivers directory (2 IoCs)
- File opened for modification: C:\WINDOWS\system32\drivers\etc\hosts (lsass.exe)
- File opened for modification: C:\WINDOWS\system32\drivers\etc\hosts (nacl.exe)

Executes dropped EXE (6 IoCs)
- PID 2216: h2s.exe
- PID 2920: lsass.exe
- PID 1620: h2s.exe
- PID 2416: nacl.exe
- PID 1420: lsass.exe
- PID 2036: lsass.exe

Loads dropped DLL (4 IoCs)
- PID 1624: a9b79ea4ebc364778d7a234fb1802c80N.exe
- PID 1624: a9b79ea4ebc364778d7a234fb1802c80N.exe
- PID 1624: a9b79ea4ebc364778d7a234fb1802c80N.exe
- PID 2216: h2s.exe
Yara rule matches (resource: yara_rule)
- behavioral1/memory/1624-0-0x0000000000400000-0x0000000000476000-memory.dmp: upx
- behavioral1/files/0x00060000000174d0-8.dat: upx
- behavioral1/memory/1624-23-0x0000000002590000-0x0000000002606000-memory.dmp: upx
- behavioral1/memory/1624-63-0x0000000000400000-0x0000000000476000-memory.dmp: upx
- behavioral1/memory/1620-70-0x0000000000400000-0x0000000000476000-memory.dmp: upx
- behavioral1/memory/1420-69-0x0000000000400000-0x0000000000476000-memory.dmp: upx
- behavioral1/memory/2416-68-0x0000000000400000-0x0000000000476000-memory.dmp: upx
- behavioral1/memory/2216-81-0x0000000000400000-0x0000000000476000-memory.dmp: upx
- behavioral1/memory/2036-89-0x0000000000400000-0x0000000000476000-memory.dmp: upx
- behavioral1/memory/1624-90-0x0000000000400000-0x0000000000476000-memory.dmp: upx
- behavioral1/memory/1420-71-0x0000000000400000-0x0000000000476000-memory.dmp: upx
- behavioral1/memory/2920-92-0x0000000000400000-0x0000000000476000-memory.dmp: upx
- behavioral1/memory/2416-93-0x0000000000400000-0x0000000000476000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe" (h2s.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe" (lsass.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe" (nacl.exe)

Drops file in Windows directory (12 IoCs)
- File opened for modification: C:\WINDOWS\nacl.exe (h2s.exe)
- File opened for modification: C:\WINDOWS\h2s.exe (a9b79ea4ebc364778d7a234fb1802c80N.exe)
- File opened for modification: C:\WINDOWS\nacl.exe (a9b79ea4ebc364778d7a234fb1802c80N.exe)
- File created: C:\WINDOWS\system\lsass.exe (h2s.exe)
- File created: C:\WINDOWS\system\lsass.exe (a9b79ea4ebc364778d7a234fb1802c80N.exe)
- File opened for modification: C:\WINDOWS\system\lsass.exe (a9b79ea4ebc364778d7a234fb1802c80N.exe)
- File created: C:\WINDOWS\nacl.exe (a9b79ea4ebc364778d7a234fb1802c80N.exe)
- File created: C:\WINDOWS\nacl.exe (h2s.exe)
- File opened for modification: C:\WINDOWS\system\lsass.exe (h2s.exe)
- File created: C:\WINDOWS\userinit.exe (a9b79ea4ebc364778d7a234fb1802c80N.exe)
- File opened for modification: C:\WINDOWS\userinit.exe (a9b79ea4ebc364778d7a234fb1802c80N.exe)
- File created: C:\WINDOWS\h2s.exe (a9b79ea4ebc364778d7a234fb1802c80N.exe)
System Location Discovery: System Language Discovery (1 TTPs, 21 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes in turn: net.exe, net1.exe, cmd.exe, a9b79ea4ebc364778d7a234fb1802c80N.exe, cmd.exe, lsass.exe, net1.exe, nacl.exe, lsass.exe, h2s.exe, cmd.exe, net.exe, net1.exe, net.exe, cmd.exe, cmd.exe, explorer.exe, h2s.exe, lsass.exe, cmd.exe, cmd.exe

Modifies Internet Explorer settings
- Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" (explorer.exe)
Modifies registry class (37 IoCs): explorer.exe shellbag keys and values under \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU and \Bags
Suspicious behavior: EnumeratesProcesses (64 IoCs): PIDs 2216 h2s.exe, 2920 lsass.exe, 1620 h2s.exe, 1420 lsass.exe, 2416 nacl.exe and 2036 lsass.exe
Suspicious use of SetWindowsHookEx (14 IoCs; each PID is listed twice)
- PID 1624: a9b79ea4ebc364778d7a234fb1802c80N.exe
- PID 2216: h2s.exe
- PID 2920: lsass.exe
- PID 1620: h2s.exe
- PID 1420: lsass.exe
- PID 2416: nacl.exe
- PID 2036: lsass.exe
Suspicious use of WriteProcessMemory (64 IoCs): parent-to-child writes between the processes shown in the process tree below (each entry is listed four times)
System policy modification (1 TTPs, 9 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" (h2s.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (lsass.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0" (lsass.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (nacl.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" (nacl.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0" (nacl.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (h2s.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0" (h2s.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" (lsass.exe)
Processes (indentation shows the parent/child relationship; the number after the image path is the PID)

- C:\Users\Admin\AppData\Local\Temp\a9b79ea4ebc364778d7a234fb1802c80N.exe (PID 1624)
  command line: "C:\Users\Admin\AppData\Local\Temp\a9b79ea4ebc364778d7a234fb1802c80N.exe"
  signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1096)
    command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2728)
      command line: net share "phim_hai_hay=C:\Documents and Settings\Temp"
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2636)
        command line: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
        signatures: System Location Discovery: System Language Discovery
  - C:\WINDOWS\h2s.exe (PID 2216)
    command line: C:\WINDOWS\h2s.exe
    signatures: Modifies WinLogon for persistence; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\cmd.exe (PID 2792)
      command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2720)
        command line: net share "phim_hai_hay=C:\Documents and Settings\Temp"
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2376)
          command line: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
          signatures: System Location Discovery: System Language Discovery
    - C:\WINDOWS\nacl.exe (PID 2416)
      command line: C:\WINDOWS\nacl.exe
      signatures: Modifies WinLogon for persistence; Disables RegEdit via registry modification; Drops file in Drivers directory; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; System policy modification
      - C:\Windows\SysWOW64\cmd.exe (PID 1912)
        command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        signatures: System Location Discovery: System Language Discovery
    - C:\WINDOWS\system\lsass.exe (PID 2036)
      command line: C:\WINDOWS\system\lsass.exe
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\cmd.exe (PID 1636)
        command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        signatures: System Location Discovery: System Language Discovery
  - C:\WINDOWS\system\lsass.exe (PID 2920)
    command line: C:\WINDOWS\system\lsass.exe
    signatures: Modifies WinLogon for persistence; Disables RegEdit via registry modification; Drops file in Drivers directory; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\cmd.exe (PID 2540)
      command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2588)
        command line: net share "phim_hai_hay=C:\Documents and Settings\Temp"
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 3004)
          command line: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
          signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\explorer.exe (PID 576)
    command line: explorer a9b79ea4ebc364778d7a234fb1802c80N
    signatures: System Location Discovery: System Language Discovery
  - C:\WINDOWS\h2s.exe (PID 1620)
    command line: C:\WINDOWS\h2s.exe
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1508)
      command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      signatures: System Location Discovery: System Language Discovery
  - C:\WINDOWS\system\lsass.exe (PID 1420)
    command line: C:\WINDOWS\system\lsass.exe
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe (PID 1724)
      command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      signatures: System Location Discovery: System Language Discovery
- C:\Windows\explorer.exe (PID 2768)
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  signatures: Modifies Internet Explorer settings; Modifies registry class
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Downloads

File 1
- Filesize: 578B
- MD5: 4cedd41692993cf5a0a40baeb724b871
- SHA1: fc1eeb1d88966ea4a816bcbdab320830b6f70261
- SHA256: fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695
- SHA512: e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

File 2
- Filesize: 472KB
- MD5: a9b79ea4ebc364778d7a234fb1802c80
- SHA1: e692cb70b4289dfc0a758c8cd134e17b36af77a8
- SHA256: 61a2be81c4b96cc8404bdf4ef1085445277de8d519459f5350dd0ca3fe47b98a
- SHA512: 3ea1efbe45450163d575502cadfbc6d9f3bb91df1629b50ad50a6d66c488e2d49a0b34e1d60345b0f9a55c156e88d13e61e40e5d77a145bd356bddbe87d10399