Analysis
max time kernel: 84s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 09:36
Behavioral task
behavioral1
Sample
a9b79ea4ebc364778d7a234fb1802c80N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
a9b79ea4ebc364778d7a234fb1802c80N.exe
Resource
win10v2004-20240802-en
General
Target: a9b79ea4ebc364778d7a234fb1802c80N.exe
Size: 472KB
MD5: a9b79ea4ebc364778d7a234fb1802c80
SHA1: e692cb70b4289dfc0a758c8cd134e17b36af77a8
SHA256: 61a2be81c4b96cc8404bdf4ef1085445277de8d519459f5350dd0ca3fe47b98a
SHA512: 3ea1efbe45450163d575502cadfbc6d9f3bb91df1629b50ad50a6d66c488e2d49a0b34e1d60345b0f9a55c156e88d13e61e40e5d77a145bd356bddbe87d10399
SSDEEP: 12288:a5yUChnrsy/Ay4aUi8YRVkvtmFW/OZM9+1+gWQbHyuG9peWx5XyyzcW3bROnkgR:a5yUChrsYT8YRivyW/eMIFM900Xyy3bs
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe" | nacl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe" | h2s.exe

Disables RegEdit via registry modification (3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | h2s.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nacl.exe

Disables Task Manager via registry modification

Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\WINDOWS\system32\drivers\etc\hosts | lsass.exe
File opened for modification | C:\WINDOWS\system32\drivers\etc\hosts | nacl.exe

Executes dropped EXE (6 IoCs)
pid | Process
1932 | h2s.exe
4732 | lsass.exe
4092 | h2s.exe
2744 | lsass.exe
1528 | nacl.exe
2848 | lsass.exe

resource | yara_rule
behavioral2/memory/3944-0-0x0000000000400000-0x0000000000476000-memory.dmp | upx
behavioral2/files/0x0007000000023432-10.dat | upx
behavioral2/memory/1932-48-0x0000000000400000-0x0000000000476000-memory.dmp | upx
behavioral2/memory/2744-74-0x0000000000400000-0x0000000000476000-memory.dmp | upx
behavioral2/memory/3944-75-0x0000000000400000-0x0000000000476000-memory.dmp | upx
behavioral2/memory/2848-95-0x0000000000400000-0x0000000000476000-memory.dmp | upx
behavioral2/memory/4732-96-0x0000000000400000-0x0000000000476000-memory.dmp | upx
behavioral2/memory/4092-97-0x0000000000400000-0x0000000000476000-memory.dmp | upx
behavioral2/memory/1528-98-0x0000000000400000-0x0000000000476000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe" | h2s.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\nacl.exe" | nacl.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\WINDOWS\SysWOW64\link.sys | h2s.exe
File opened for modification | C:\WINDOWS\SysWOW64\link.sys | h2s.exe

Drops file in Windows directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\WINDOWS\nacl.exe | a9b79ea4ebc364778d7a234fb1802c80N.exe
File created | C:\WINDOWS\userinit.exe | a9b79ea4ebc364778d7a234fb1802c80N.exe
File created | C:\WINDOWS\h2s.exe | a9b79ea4ebc364778d7a234fb1802c80N.exe
File opened for modification | C:\WINDOWS\h2s.exe | a9b79ea4ebc364778d7a234fb1802c80N.exe
File opened for modification | C:\WINDOWS\system\lsass.exe | a9b79ea4ebc364778d7a234fb1802c80N.exe
File created | C:\WINDOWS\system\lsass.exe | h2s.exe
File opened for modification | C:\WINDOWS\nacl.exe | h2s.exe
File opened for modification | C:\WINDOWS\system\lsass.exe | h2s.exe
File opened for modification | C:\WINDOWS\userinit.exe | a9b79ea4ebc364778d7a234fb1802c80N.exe
File created | C:\WINDOWS\system\lsass.exe | a9b79ea4ebc364778d7a234fb1802c80N.exe
File created | C:\WINDOWS\nacl.exe | a9b79ea4ebc364778d7a234fb1802c80N.exe
File created | C:\WINDOWS\nacl.exe | h2s.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1952 | 1932 | WerFault.exe | 88
System Location Discovery: System Language Discovery (1 TTPs, 25 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nacl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | h2s.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | h2s.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a9b79ea4ebc364778d7a234fb1802c80N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Modifies registry class (41 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
2960 | explorer.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1932 | h2s.exe
1932 | h2s.exe
4732 | lsass.exe
4732 | lsass.exe
4092 | h2s.exe
4092 | h2s.exe
2744 | lsass.exe
2744 | lsass.exe
4732 | lsass.exe
4732 | lsass.exe
4092 | h2s.exe
4092 | h2s.exe
1528 | nacl.exe
1528 | nacl.exe
2848 | lsass.exe
2848 | lsass.exe
4732 | lsass.exe
4732 | lsass.exe
1528 | nacl.exe
1528 | nacl.exe
4092 | h2s.exe
4092 | h2s.exe
4732 | lsass.exe
4732 | lsass.exe
1528 | nacl.exe
1528 | nacl.exe
4092 | h2s.exe
4092 | h2s.exe
4732 | lsass.exe
4732 | lsass.exe
1528 | nacl.exe
1528 | nacl.exe
4092 | h2s.exe
4092 | h2s.exe
4732 | lsass.exe
4732 | lsass.exe
1528 | nacl.exe
1528 | nacl.exe
4092 | h2s.exe
4092 | h2s.exe
4732 | lsass.exe
4732 | lsass.exe
1528 | nacl.exe
1528 | nacl.exe
4092 | h2s.exe
4092 | h2s.exe
4732 | lsass.exe
4732 | lsass.exe
1528 | nacl.exe
1528 | nacl.exe
4092 | h2s.exe
4092 | h2s.exe
4732 | lsass.exe
4732 | lsass.exe
1528 | nacl.exe
1528 | nacl.exe
4092 | h2s.exe
4092 | h2s.exe
4732 | lsass.exe
4732 | lsass.exe
1528 | nacl.exe
1528 | nacl.exe
4092 | h2s.exe
4092 | h2s.exe

Suspicious use of SetWindowsHookEx (16 IoCs)
pid | Process
3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe
3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe
1932 | h2s.exe
1932 | h2s.exe
4732 | lsass.exe
4732 | lsass.exe
4092 | h2s.exe
4092 | h2s.exe
2744 | lsass.exe
2744 | lsass.exe
2960 | explorer.exe
2960 | explorer.exe
1528 | nacl.exe
1528 | nacl.exe
2848 | lsass.exe
2848 | lsass.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3944 wrote to memory of 2140 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 86
PID 3944 wrote to memory of 2140 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 86
PID 3944 wrote to memory of 2140 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 86
PID 3944 wrote to memory of 1932 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 88
PID 3944 wrote to memory of 1932 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 88
PID 3944 wrote to memory of 1932 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 88
PID 1932 wrote to memory of 4396 | 1932 | h2s.exe | 89
PID 1932 wrote to memory of 4396 | 1932 | h2s.exe | 89
PID 1932 wrote to memory of 4396 | 1932 | h2s.exe | 89
PID 2140 wrote to memory of 1048 | 2140 | cmd.exe | 91
PID 2140 wrote to memory of 1048 | 2140 | cmd.exe | 91
PID 2140 wrote to memory of 1048 | 2140 | cmd.exe | 91
PID 1048 wrote to memory of 3816 | 1048 | net.exe | 92
PID 1048 wrote to memory of 3816 | 1048 | net.exe | 92
PID 1048 wrote to memory of 3816 | 1048 | net.exe | 92
PID 4396 wrote to memory of 672 | 4396 | cmd.exe | 93
PID 4396 wrote to memory of 672 | 4396 | cmd.exe | 93
PID 4396 wrote to memory of 672 | 4396 | cmd.exe | 93
PID 672 wrote to memory of 2268 | 672 | net.exe | 94
PID 672 wrote to memory of 2268 | 672 | net.exe | 94
PID 672 wrote to memory of 2268 | 672 | net.exe | 94
PID 3944 wrote to memory of 4732 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 102
PID 3944 wrote to memory of 4732 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 102
PID 3944 wrote to memory of 4732 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 102
PID 4732 wrote to memory of 4464 | 4732 | lsass.exe | 103
PID 4732 wrote to memory of 4464 | 4732 | lsass.exe | 103
PID 4732 wrote to memory of 4464 | 4732 | lsass.exe | 103
PID 4464 wrote to memory of 892 | 4464 | cmd.exe | 105
PID 4464 wrote to memory of 892 | 4464 | cmd.exe | 105
PID 4464 wrote to memory of 892 | 4464 | cmd.exe | 105
PID 892 wrote to memory of 1548 | 892 | net.exe | 106
PID 892 wrote to memory of 1548 | 892 | net.exe | 106
PID 892 wrote to memory of 1548 | 892 | net.exe | 106
PID 3944 wrote to memory of 2608 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 108
PID 3944 wrote to memory of 2608 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 108
PID 3944 wrote to memory of 2608 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 108
PID 3944 wrote to memory of 4092 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 109
PID 3944 wrote to memory of 4092 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 109
PID 3944 wrote to memory of 4092 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 109
PID 4092 wrote to memory of 4860 | 4092 | h2s.exe | 111
PID 4092 wrote to memory of 4860 | 4092 | h2s.exe | 111
PID 4092 wrote to memory of 4860 | 4092 | h2s.exe | 111
PID 3944 wrote to memory of 2744 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 112
PID 3944 wrote to memory of 2744 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 112
PID 3944 wrote to memory of 2744 | 3944 | a9b79ea4ebc364778d7a234fb1802c80N.exe | 112
PID 2744 wrote to memory of 4496 | 2744 | lsass.exe | 114
PID 2744 wrote to memory of 4496 | 2744 | lsass.exe | 114
PID 2744 wrote to memory of 4496 | 2744 | lsass.exe | 114
PID 4860 wrote to memory of 3396 | 4860 | cmd.exe | 116
PID 4860 wrote to memory of 3396 | 4860 | cmd.exe | 116
PID 4860 wrote to memory of 3396 | 4860 | cmd.exe | 116
PID 3396 wrote to memory of 3992 | 3396 | net.exe | 117
PID 3396 wrote to memory of 3992 | 3396 | net.exe | 117
PID 3396 wrote to memory of 3992 | 3396 | net.exe | 117
PID 4496 wrote to memory of 2816 | 4496 | cmd.exe | 118
PID 4496 wrote to memory of 2816 | 4496 | cmd.exe | 118
PID 4496 wrote to memory of 2816 | 4496 | cmd.exe | 118
PID 2816 wrote to memory of 4304 | 2816 | net.exe | 119
PID 2816 wrote to memory of 4304 | 2816 | net.exe | 119
PID 2816 wrote to memory of 4304 | 2816 | net.exe | 119
PID 4092 wrote to memory of 1528 | 4092 | h2s.exe | 121
PID 4092 wrote to memory of 1528 | 4092 | h2s.exe | 121
PID 4092 wrote to memory of 1528 | 4092 | h2s.exe | 121
PID 1528 wrote to memory of 3548 | 1528 | nacl.exe | 122
System policy modification (1 TTPs, 9 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | h2s.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | h2s.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0" | h2s.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | nacl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | nacl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0" | nacl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | lsass.exe
Processes
(process tree; each child is indented under its parent, signatures listed per process)

C:\Users\Admin\AppData\Local\Temp\a9b79ea4ebc364778d7a234fb1802c80N.exe (PID 3944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9b79ea4ebc364778d7a234fb1802c80N.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2140)
    Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 1048)
      Command line: net share "phim_hai_hay=C:\Documents and Settings\Temp"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 3816)
        Command line: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
        - System Location Discovery: System Language Discovery
  C:\WINDOWS\h2s.exe (PID 1932)
    Command line: C:\WINDOWS\h2s.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4396)
      Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 672)
        Command line: net share "phim_hai_hay=C:\Documents and Settings\Temp"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2268)
          Command line: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
          - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\WerFault.exe (PID 1952)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 644
      - Program crash
  C:\WINDOWS\system\lsass.exe (PID 4732)
    Command line: C:\WINDOWS\system\lsass.exe
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe (PID 4464)
      Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 892)
        Command line: net share "phim_hai_hay=C:\Documents and Settings\Temp"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 1548)
          Command line: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
          - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\explorer.exe (PID 2608)
    Command line: explorer a9b79ea4ebc364778d7a234fb1802c80N
    - System Location Discovery: System Language Discovery
  C:\WINDOWS\h2s.exe (PID 4092)
    Command line: C:\WINDOWS\h2s.exe
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe (PID 4860)
      Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 3396)
        Command line: net share "phim_hai_hay=C:\Documents and Settings\Temp"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 3992)
          Command line: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
          - System Location Discovery: System Language Discovery
    C:\WINDOWS\nacl.exe (PID 1528)
      Command line: C:\WINDOWS\nacl.exe
      - Modifies WinLogon for persistence
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\SysWOW64\cmd.exe (PID 3548)
        Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        - System Location Discovery: System Language Discovery
    C:\WINDOWS\system\lsass.exe (PID 2848)
      Command line: C:\WINDOWS\system\lsass.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\cmd.exe (PID 712)
        Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
        - System Location Discovery: System Language Discovery
  C:\WINDOWS\system\lsass.exe (PID 2744)
    Command line: C:\WINDOWS\system\lsass.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4496)
      Command line: cmd /k net share "phim_hai_hay=C:\Documents and Settings\Temp" & exit &
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 2816)
        Command line: net share "phim_hai_hay=C:\Documents and Settings\Temp"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 4304)
          Command line: C:\Windows\system32\net1 share "phim_hai_hay=C:\Documents and Settings\Temp"
          - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe (PID 2168)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1932 -ip 1932

C:\Windows\explorer.exe (PID 2960)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe (PID 4836)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
Filesize: 578B
MD5: 4cedd41692993cf5a0a40baeb724b871
SHA1: fc1eeb1d88966ea4a816bcbdab320830b6f70261
SHA256: fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695
SHA512: e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

Filesize: 472KB
MD5: a9b79ea4ebc364778d7a234fb1802c80
SHA1: e692cb70b4289dfc0a758c8cd134e17b36af77a8
SHA256: 61a2be81c4b96cc8404bdf4ef1085445277de8d519459f5350dd0ca3fe47b98a
SHA512: 3ea1efbe45450163d575502cadfbc6d9f3bb91df1629b50ad50a6d66c488e2d49a0b34e1d60345b0f9a55c156e88d13e61e40e5d77a145bd356bddbe87d10399