Analysis
max time kernel: 111s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 07:39
Behavioral task behavioral1
Sample: f6f44d2f2611e1cad033394146808250N.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: f6f44d2f2611e1cad033394146808250N.exe
Resource: win10v2004-20240802-en
General
Target: f6f44d2f2611e1cad033394146808250N.exe
Size: 163KB
MD5: f6f44d2f2611e1cad033394146808250
SHA1: 1dff810cee8116696019f954b28b90cdb2b95dde
SHA256: 2c5521cb43cbc111995c9175a8da0df092bca37d8bf830544e42d98dbabf95a8
SHA512: e7130ce13a32e3c59b4fb959606109a5abc3d8ee4940d97cde7970a8424d8e47f0a0efd3c205bda39899a8cf406f6a89582cfd1dac5fea818f8638fd47ec30da
SSDEEP: 1536:kVdmQr3Z5IfQmv81aypP1s3yX+tlehTzk:008JOfQm01F9s3yX+fehTY
Malware Config
Signatures
Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid: 1884; Process: attrib.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation; Process: f6f44d2f2611e1cad033394146808250N.exe
Executes dropped EXE (1 IoCs)
pid: 4580; Process: hauhost.exe
resource: behavioral2/memory/2224-0-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: upx
resource: behavioral2/files/0x000b0000000233dc-3.dat; yara_rule: upx
resource: behavioral2/memory/2224-5-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: upx
resource: behavioral2/memory/4580-6-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: upx
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Windows directory (3 IoCs)
description: File created; ioc: C:\Windows\Debug\hauhost.exe; Process: f6f44d2f2611e1cad033394146808250N.exe
description: File opened for modification; ioc: C:\Windows\Debug\hauhost.exe; Process: f6f44d2f2611e1cad033394146808250N.exe
description: File opened for modification; ioc: C:\Windows\Debug\hauhost.exe; Process: attrib.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: f6f44d2f2611e1cad033394146808250N.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: hauhost.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: attrib.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: cmd.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; Process: hauhost.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; Process: hauhost.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description: Token: SeIncBasePriorityPrivilege; pid: 2224; Process: f6f44d2f2611e1cad033394146808250N.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description: PID 2224 wrote to memory of 1884; pid: 2224; Process: f6f44d2f2611e1cad033394146808250N.exe; procid_target: 84
description: PID 2224 wrote to memory of 1884; pid: 2224; Process: f6f44d2f2611e1cad033394146808250N.exe; procid_target: 84
description: PID 2224 wrote to memory of 1884; pid: 2224; Process: f6f44d2f2611e1cad033394146808250N.exe; procid_target: 84
description: PID 2224 wrote to memory of 3660; pid: 2224; Process: f6f44d2f2611e1cad033394146808250N.exe; procid_target: 90
description: PID 2224 wrote to memory of 3660; pid: 2224; Process: f6f44d2f2611e1cad033394146808250N.exe; procid_target: 90
description: PID 2224 wrote to memory of 3660; pid: 2224; Process: f6f44d2f2611e1cad033394146808250N.exe; procid_target: 90
Views/modifies file attributes (1 TTPs, 1 IoCs)
pid: 1884; Process: attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\f6f44d2f2611e1cad033394146808250N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\f6f44d2f2611e1cad033394146808250N.exe"
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2224
    C:\Windows\SysWOW64\attrib.exe (depth 2)
    Command line: attrib +a +s +h +r C:\Windows\Debug\hauhost.exe
    - Sets file to hidden
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID: 1884
    C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F6F44D~1.EXE > nul
    - System Location Discovery: System Language Discovery
    PID: 3660
C:\Windows\Debug\hauhost.exe (depth 1)
Command line: C:\Windows\Debug\hauhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID: 4580
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 163KB
MD5: 5c4fbebfb83ea3e4051cb67a592d2ea6
SHA1: ce1f6176b2941bacf37bd3a7d03c492726451522
SHA256: 7ffdba7c37d9ea6bf6e457215618e5420e0a6a54ffec2839f58c7ac47e672823
SHA512: bfb38e9489c23d733df5f47b2bd93118ceae0958a4d55ed88d4378b69876d4d2d5e12f7f01aa502cd3b69129a4408264b9e0b46381795798572b885a30719f24