Overview

overview

7

Static

static

3

153e4ba253...52.exe

windows7-x64

7

153e4ba253...52.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2023 07:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    153e4ba2532c3d80ec966eb0f6b5c9cf351ca56b117aa0543c7d7aea6ddc7252.exe

  • Size

    199KB

  • MD5

    e16a22df59da57a60b17501d9869da14

  • SHA1

    7275dbc7901b7f8975fd01f9dcd607491719932e

  • SHA256

    153e4ba2532c3d80ec966eb0f6b5c9cf351ca56b117aa0543c7d7aea6ddc7252

  • SHA512

    05ff0c3c1b3548738bd85539340b725945c6d22877e012b8d295922b830de755aba634e2df4adcf22f7f539d9674eda09f0bbc5cde4ed9308d2172acb06e750f

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCO0:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX9

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\153e4ba2532c3d80ec966eb0f6b5c9cf351ca56b117aa0543c7d7aea6ddc7252.exe
    "C:\Users\Admin\AppData\Local\Temp\153e4ba2532c3d80ec966eb0f6b5c9cf351ca56b117aa0543c7d7aea6ddc7252.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\153E4B~1.EXE > nul
      2⤵
        PID:2920
    • C:\Windows\Debug\hauhost.exe
      C:\Windows\Debug\hauhost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:660

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Debug\hauhost.exe
      Filesize

      199KB

      MD5

      b89038332807d5317a4a21456b3a8982

      SHA1

      eafe0fd02af000057606ad4da3f9ed8cc3519438

      SHA256

      250ac2c6de6f473fc5cb904376e6609c5b3ed4cf50f12b37b45f36066f99a2d7

      SHA512

      d2ac357cdb93867f0f1a902ff589e40aec8c0d5a7ec6aff4be2dd4e1f2865d6987f2b35dca5fc2c29e3cbf2cc247a9ce5b717b4419a4a78f40f9a0f0bb5af2b7

      Download Submit

    • C:\Windows\debug\hauhost.exe
      Filesize

      199KB

      MD5

      b89038332807d5317a4a21456b3a8982

      SHA1

      eafe0fd02af000057606ad4da3f9ed8cc3519438

      SHA256

      250ac2c6de6f473fc5cb904376e6609c5b3ed4cf50f12b37b45f36066f99a2d7

      SHA512

      d2ac357cdb93867f0f1a902ff589e40aec8c0d5a7ec6aff4be2dd4e1f2865d6987f2b35dca5fc2c29e3cbf2cc247a9ce5b717b4419a4a78f40f9a0f0bb5af2b7

      Download Submit