2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782

General

Target

2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
Size

1.4MB
MD5

7530d3c0e0b2d245a78091014383f227
SHA1

413307782370f118d39db1b9c2146f36f9931757
SHA256

2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782
SHA512

16604e2dd3e7712c18a4a3058560d3852cc742c7861e7a43cf49d54b7dd9458067c06a07c588ddda2e57936f96eab73be4ed9ddfa67b206dc58c193797028a3d
SSDEEP

24576:PrJlZdeqazuBV5JBdcXxuDbdIbbgbw26VCl5ciXqE94H3k8xPttZ2:PrJlZMqvVLBehK4K9ZcJ3ksD2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4016	zhab.exe
4836	33.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	33.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\qmgr.dll	33.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\33.exe	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
File created	C:\Windows\zhab.exe	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
File opened for modification	C:\Windows\zhab.exe	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240595312	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
File created	C:\Windows\33.exe	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4016	zhab.exe
4016	zhab.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 4016	3240	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	84
PID 3240 wrote to memory of 4016	3240	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	84
PID 3240 wrote to memory of 4016	3240	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	84
PID 3240 wrote to memory of 4836	3240	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	85
PID 3240 wrote to memory of 4836	3240	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	85
PID 3240 wrote to memory of 4836	3240	2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe	85
PID 4836 wrote to memory of 3376	4836	33.exe	88
PID 4836 wrote to memory of 3376	4836	33.exe	88
PID 4836 wrote to memory of 3376	4836	33.exe	88

C:\Users\Admin\AppData\Local\Temp\2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe
"C:\Users\Admin\AppData\Local\Temp\2462954efad889ee0c73178d9d7c51d6a5078760a2dc3025a45e9b7ae1d8d782.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3240
- C:\WINDOWS\zhab.exe
  "C:\WINDOWS\zhab.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4016
- C:\WINDOWS\33.exe
  "C:\WINDOWS\33.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TempDel.bat" "
    3⤵
    PID:3376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TempDel.bat

Filesize
133B

MD5
9db547ff462ded9d4b498865e458daa1

SHA1
e5ba84b60acd01fa0f8d8fe1edb94d957087c6a1

SHA256
8f196da04156f6f4ca616487f642ed19391db34ac602fc1aaef9f612f25406e1

SHA512
a410984d6fb57e7874d7a757f89845e98764d3e4b12d0a0a63525a6b322fdbf2715c8a43dd3eddbfeae3ab0f6bc6d807952976e3c56fbbff7ecfbdea038b1656

Download Submit
C:\WINDOWS\33.exe

Filesize
13KB

MD5
15706b13f494532445fc4b82a6bb9307

SHA1
6b0eee851fc18088c5c92479656141e857f50bb2

SHA256
3579a24c0e56df25ca909781448db207b4dd4ef6d4101a0c59e4167bd1d90380

SHA512
440573b3aa0a1cc11a50f7340d9d5ab39c6c1c4327662145b5e2e3d8eecb7bbbccbb2d5118927459c324fb08cf2461df192f5f7d0257e7afbbba937f6f6e63ee

Download Submit
C:\WINDOWS\zhab.exe

Filesize
1.3MB

MD5
6355f266515eb121cd65ea1277e7da15

SHA1
c2edf4d87d68c96ba64cb2d281245e46691f79a6

SHA256
36d430d363616e7c60f9333dc0ac26442b84b862717ae432e0581d8942809514

SHA512
ecfa8ed832bf9b0ca0d3e4458d40c3d4023f64b9fe84f1c619a2fdd22aaa08bb4a6b69cb2e362ba47d9ab200116b81a7332de1d5944af3e374ab942b02a091d7

Download Submit
C:\Windows\33.exe

Filesize
13KB

MD5
15706b13f494532445fc4b82a6bb9307

SHA1
6b0eee851fc18088c5c92479656141e857f50bb2

SHA256
3579a24c0e56df25ca909781448db207b4dd4ef6d4101a0c59e4167bd1d90380

SHA512
440573b3aa0a1cc11a50f7340d9d5ab39c6c1c4327662145b5e2e3d8eecb7bbbccbb2d5118927459c324fb08cf2461df192f5f7d0257e7afbbba937f6f6e63ee

Download Submit
C:\Windows\zhab.exe

Filesize
1.3MB

MD5
6355f266515eb121cd65ea1277e7da15

SHA1
c2edf4d87d68c96ba64cb2d281245e46691f79a6

SHA256
36d430d363616e7c60f9333dc0ac26442b84b862717ae432e0581d8942809514

SHA512
ecfa8ed832bf9b0ca0d3e4458d40c3d4023f64b9fe84f1c619a2fdd22aaa08bb4a6b69cb2e362ba47d9ab200116b81a7332de1d5944af3e374ab942b02a091d7

Download Submit
memory/4836-138-0x0000000000600000-0x0000000000607000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing