Analysis Overview
SHA256
3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0c
Threat Level: Likely malicious
The file 3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN was found to be: Likely malicious.
Malicious Activity Summary
Sets file to hidden
Checks computer location settings
Executes dropped EXE
Deletes itself
Indicator Removal: File Deletion
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:38
Reported
2024-11-10 01:40
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
94s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\hauhost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Debug\hauhost.exe | C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe | N/A |
| File opened for modification | C:\Windows\Debug\hauhost.exe | C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe | N/A |
| File opened for modification | C:\Windows\Debug\hauhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\hauhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe
"C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\hauhost.exe
C:\Windows\Debug\hauhost.exe
C:\Windows\Debug\hauhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3AD4B2~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
Files
C:\Windows\Debug\hauhost.exe
| MD5 | 62d7f1549933b37fec8abe7fe99bc88f |
| SHA1 | 6b153e975cacb0a88dc0602054e6dce8c7229263 |
| SHA256 | fb7c6844e02f3f637b6b3c42fc2e8a98f5f9d567a2d401c4f75ca1ddc4b22db1 |
| SHA512 | 09cea6b328ff12f9f04361791580405e34e2a7f5184e5105c67e0b734812675afdb7ba94e740c031fed2d1be55c7b8f8793207148f9b3854c8f68fe0f546cccf |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:38
Reported
2024-11-10 01:40
Platform
win7-20240903-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\zskhost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\zskhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\Debug\zskhost.exe | C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe | N/A |
| File opened for modification | C:\Windows\Debug\zskhost.exe | C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\zskhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe
"C:\Users\Admin\AppData\Local\Temp\3ad4b2704dc7dd432f348157433878a89a05e562640930e3bdfe6960bccdbe0cN.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\zskhost.exe
C:\Windows\Debug\zskhost.exe
C:\Windows\Debug\zskhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3AD4B2~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xaQe3Hyqr8.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | acjR6elOC.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | IRcS47M8Q.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | qhMXwh04zK.nnnn.eu.org | udp |
Files
C:\Windows\Debug\zskhost.exe
| MD5 | fcc82cd8b627616bf9318b871a6c4974 |
| SHA1 | 9051a2232d7f19cb1d55abc585e948ea27f9275b |
| SHA256 | 4e01eabb8231fe18aceb87bd81a485f9bccf192f5d00958498b3412fb9222523 |
| SHA512 | 880717b10f33f35c2ce9a9605eaac1739935764e3b15b9e6b9da891194ef299da26bda281c39d88e82cc7c491fe2a892b8611e42cdcbb695ff59eeabe4c6eb31 |