2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782

General

Target

2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
Size

1.4MB
MD5

7530d3c0e0b2d245a78091014383f227
SHA1

413307782370f118d39db1b9c2146f36f9931757
SHA256

2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782
SHA512

16604e2dd3e7712c18a4a3058560d3852cc742c7861e7a43cf49d54b7dd9458067c06a07c588ddda2e57936f96eab73be4ed9ddfa67b206dc58c193797028a3d
SSDEEP

24576:PrJlZdeqazuBV5JBdcXxuDbdIbbgbw26VCl5ciXqE94H3k8xPttZ2:PrJlZMqvVLBehK4K9ZcJ3ksD2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
892	zhab.exe
960	33.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\33.exe	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
File opened for modification	C:\Windows\33.exe	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
File created	C:\Windows\zhab.exe	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
File opened for modification	C:\Windows\zhab.exe	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_7088404	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1736	960	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	zhab.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
892	zhab.exe
892	zhab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 892	1572	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	28
PID 1572 wrote to memory of 892	1572	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	28
PID 1572 wrote to memory of 892	1572	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	28
PID 1572 wrote to memory of 892	1572	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	28
PID 1572 wrote to memory of 960	1572	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	29
PID 1572 wrote to memory of 960	1572	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	29
PID 1572 wrote to memory of 960	1572	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	29
PID 1572 wrote to memory of 960	1572	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	29
PID 960 wrote to memory of 1736	960	33.exe	30
PID 960 wrote to memory of 1736	960	33.exe	30
PID 960 wrote to memory of 1736	960	33.exe	30
PID 960 wrote to memory of 1736	960	33.exe	30

C:\Users\Admin\AppData\Local\Temp\2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
"C:\Users\Admin\AppData\Local\Temp\2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1572
- C:\WINDOWS\zhab.exe
  "C:\WINDOWS\zhab.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:892
- C:\WINDOWS\33.exe
  "C:\WINDOWS\33.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 152
    3⤵
    - Program crash
    PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\zhab.exe

Filesize
1.3MB

MD5
6355f266515eb121cd65ea1277e7da15

SHA1
c2edf4d87d68c96ba64cb2d281245e46691f79a6

SHA256
36d430d363616e7c60f9333dc0ac26442b84b862717ae432e0581d8942809514

SHA512
ecfa8ed832bf9b0ca0d3e4458d40c3d4023f64b9fe84f1c619a2fdd22aaa08bb4a6b69cb2e362ba47d9ab200116b81a7332de1d5944af3e374ab942b02a091d7

Download Submit
C:\Windows\33.exe

Filesize
13KB

MD5
15706b13f494532445fc4b82a6bb9307

SHA1
6b0eee851fc18088c5c92479656141e857f50bb2

SHA256
3579a24c0e56df25ca909781448db207b4dd4ef6d4101a0c59e4167bd1d90380

SHA512
440573b3aa0a1cc11a50f7340d9d5ab39c6c1c4327662145b5e2e3d8eecb7bbbccbb2d5118927459c324fb08cf2461df192f5f7d0257e7afbbba937f6f6e63ee

Download Submit
C:\Windows\zhab.exe

Filesize
1.3MB

MD5
6355f266515eb121cd65ea1277e7da15

SHA1
c2edf4d87d68c96ba64cb2d281245e46691f79a6

SHA256
36d430d363616e7c60f9333dc0ac26442b84b862717ae432e0581d8942809514

SHA512
ecfa8ed832bf9b0ca0d3e4458d40c3d4023f64b9fe84f1c619a2fdd22aaa08bb4a6b69cb2e362ba47d9ab200116b81a7332de1d5944af3e374ab942b02a091d7

Download Submit
memory/960-65-0x00000000011E0000-0x00000000011E7000-memory.dmp

Filesize
28KB

Download
memory/1572-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1572-59-0x00000000007A0000-0x00000000007A7000-memory.dmp

Filesize
28KB

Download
memory/1572-61-0x00000000007A0000-0x00000000007A7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing