Analysis
- max time kernel: 111s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/09/2024, 09:10
Static task: static1
Behavioral task: behavioral1
- Sample: 5c75e51ab6ae8e25a0486c7075de79f0N.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 5c75e51ab6ae8e25a0486c7075de79f0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 5c75e51ab6ae8e25a0486c7075de79f0N.exe
- Size: 75KB
- MD5: 5c75e51ab6ae8e25a0486c7075de79f0
- SHA1: dc1625bdd22e050344b86e8931f4665ae3d5ec6f
- SHA256: 199d082704d404044333ff2e9e86ce545827ebe866f92a8225f787da3436805b
- SHA512: 1dc7600d6935e00197c89930f44231e67f20119f90e7b448115ad252c75a0ea96282318a666852cb4e3b13db00f532dde9b1d915bea07ca0103501ee817faa03
- SSDEEP: 768:OrItKyw5WHXfQmjIiIk9ecAakMb96ZyXuDLdibfffsffff2ZZZZnAAAr:Or3Z5IfQmv81abyyXcZibfffsffffT
Malware Config
Signatures
- Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid / Process: 224 attrib.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process: Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation 5c75e51ab6ae8e25a0486c7075de79f0N.exe
- Executes dropped EXE (1 IoCs)
  pid / Process: 336 hauhost.exe
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in Windows directory (3 IoCs)
  description / ioc / Process:
  File created C:\Windows\Debug\hauhost.exe 5c75e51ab6ae8e25a0486c7075de79f0N.exe
  File opened for modification C:\Windows\Debug\hauhost.exe 5c75e51ab6ae8e25a0486c7075de79f0N.exe
  File opened for modification C:\Windows\Debug\hauhost.exe attrib.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5c75e51ab6ae8e25a0486c7075de79f0N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hauhost.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description / pid / Process: Token: SeIncBasePriorityPrivilege 4076 5c75e51ab6ae8e25a0486c7075de79f0N.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target:
  PID 4076 wrote to memory of 224 | 4076 | 5c75e51ab6ae8e25a0486c7075de79f0N.exe | 83
  PID 4076 wrote to memory of 224 | 4076 | 5c75e51ab6ae8e25a0486c7075de79f0N.exe | 83
  PID 4076 wrote to memory of 224 | 4076 | 5c75e51ab6ae8e25a0486c7075de79f0N.exe | 83
  PID 4076 wrote to memory of 4436 | 4076 | 5c75e51ab6ae8e25a0486c7075de79f0N.exe | 89
  PID 4076 wrote to memory of 4436 | 4076 | 5c75e51ab6ae8e25a0486c7075de79f0N.exe | 89
  PID 4076 wrote to memory of 4436 | 4076 | 5c75e51ab6ae8e25a0486c7075de79f0N.exe | 89
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid / Process: 224 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5c75e51ab6ae8e25a0486c7075de79f0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c75e51ab6ae8e25a0486c7075de79f0N.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4076
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +a +s +h +r C:\Windows\Debug\hauhost.exe
    - Sets file to hidden
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID: 224
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5C75E5~1.EXE > nul
    - System Location Discovery: System Language Discovery
    PID: 4436
- C:\Windows\Debug\hauhost.exe
  Command line: C:\Windows\Debug\hauhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 336
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 75KB
- MD5: 7454c1ae5dd7a7ca30ee235ed37865fb
- SHA1: 7c5fb1922c96e0b4585168b2b206b66358ead1f1
- SHA256: 9d3f093909498e16ac9066312231e1345213d738d4f67d2f291504b010941d4b
- SHA512: 84d0b34f10221ee4acc698101645b2bce7e669271cd752ab796d9752c0be7b07035308d2b3e780e6b52a5bad1fc6bfba27503b8d378a6039fe0f552fc24355d6