hh[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

hh.exe
Size

3.4MB
MD5

883096b1b10a19ec97447f8cc29bc970
SHA1

72d716b559c3fcbaa58a969e18f033473e73e81c
SHA256

623e8e38585c0f575d05e59b7e89a52772fe8eb518f08b6f34c2170a07268363
SHA512

bbf367ac36e44df4d536da843ed62fc61bf653227bffb175e5707469006e0166f68a41d92a1a886cbaa9ad2a53419c26b2796d852fe1a51bb1c17a40918dd8d4
SSDEEP

49152:2DeJ/HnMnue2xQeVWGd6El/zKqGWDTgkZ9JbYM+KtVsA10lDrtuGeGkJ:25+nGWfgQJVhFGkJ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
hh.exe

Files

hh.exe
.exe windows:6 windows x64 arch:x64

d34deb3402eb76044a54e97a85335373

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

SetThreadToken
RevertToSelf
OpenProcessToken
GetTokenInformation
LookupAccountSidW
LookupPrivilegeValueW
AdjustTokenPrivileges
GetSidSubAuthorityCount
GetSidSubAuthority
DuplicateTokenEx
InitializeSecurityDescriptor
CreateProcessWithTokenW
SystemFunction036
RegQueryValueExW
RegOpenKeyExW
RegCloseKey

gdi32

CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
BitBlt
GetDIBits
DeleteDC
DeleteObject

kernel32

GetLastError
AddVectoredExceptionHandler
SetThreadStackGuarantee
FindClose
AcquireSRWLockExclusive
TerminateProcess
WaitForSingleObject
GetExitCodeProcess
UnregisterWaitEx
GetCurrentProcess
OpenProcess
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
CloseHandle
LocalAlloc
CreateToolhelp32Snapshot
Process32First
Process32Next
CreatePipe
GetSystemDirectoryW
ReadFile
GetSystemInfo
WakeAllConditionVariable
ReleaseSRWLockExclusive
LoadLibraryA
GetProcAddress
VirtualAlloc
FreeLibrary
GetModuleHandleA
LoadLibraryW
VirtualFree
HeapReAlloc
WaitForSingleObjectEx
GetCurrentProcessId
CreateMutexA
ReleaseMutex
RtlLookupFunctionEntry
GetCurrentThread
RtlCaptureContext
SwitchToThread
SetLastError
GetFinalPathNameByHandleW
TryAcquireSRWLockExclusive
GetQueuedCompletionStatusEx
CreateIoCompletionPort
SetFileCompletionNotificationModes
HeapAlloc
GetProcessHeap
HeapFree
SetHandleInformation
GetStdHandle
GetConsoleMode
MultiByteToWideChar
WriteConsoleW
CreateWaitableTimerExW
SetWaitableTimer
Sleep
QueryPerformanceFrequency
GetModuleHandleW
FormatMessageW
GetEnvironmentVariableW
CreateFileW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFullPathNameW
SetFilePointerEx
FindNextFileW
FindFirstFileW
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetModuleFileNameW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
DuplicateHandle
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
CreateNamedPipeW
CreateThread
ReadFileEx
SleepEx
WriteFileEx
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetCurrentDirectoryW
RtlVirtualUnwind
AcquireSRWLockShared
ReleaseSRWLockShared
SleepConditionVariableSRW
WakeConditionVariable
PostQueuedCompletionStatus
SetConsoleCtrlHandler
LocalFree
lstrlenW
FlushFileBuffers
GetTickCount
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
WideCharToMultiByte
SystemTimeToFileTime
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
DeleteFileW
DeleteFileA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
CreateMutexW
GetTempPathW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
HeapCreate
AreFileApisANSI
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
LoadLibraryExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
RaiseException
EncodePointer
RtlUnwindEx
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlPcToFileHeader

ole32

CoTaskMemFree

shell32

SHGetKnownFolderPath

user32

SetProcessDPIAware
GetDesktopWindow
GetDC
GetSystemMetrics
ReleaseDC

crypt32

CertFreeCertificateChain
CertFreeCertificateContext
CertDuplicateCertificateContext
CryptUnprotectData
CertOpenStore
CertDuplicateCertificateChain
CertDuplicateStore
CertVerifyCertificateChainPolicy
CertGetCertificateChain
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertCloseStore

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

oleaut32

SafeArrayUnaccessData
SafeArrayGetUBound
SysStringLen
GetErrorInfo
SysFreeString
SafeArrayGetLBound
SafeArrayCreate
SafeArrayCreateVector
SafeArrayPutElement
SafeArrayAccessData
SysAllocStringLen

bcrypt

BCryptGenRandom

ws2_32

WSACleanup
recv
WSAIoctl
getsockopt
connect
getaddrinfo
freeaddrinfo
setsockopt
WSAGetLastError
getpeername
ioctlsocket
WSASocketW
WSASend
shutdown
send
bind
WSAStartup
getsockname
closesocket

ntdll

NtCancelIoFileEx
NtWriteFile
RtlNtStatusToDosError
NtCreateFile
NtDeviceIoControlFile
NtReadFile

secur32

DeleteSecurityContext
FreeCredentialsHandle
InitializeSecurityContextW
EncryptMessage
FreeContextBuffer
AcquireCredentialsHandleA
DecryptMessage
ApplyControlToken
AcceptSecurityContext
QueryContextAttributesW

api-ms-win-crt-string-l1-1-0

strncmp
wcsncmp
wcslen
strcmp
strcspn
strlen
strcpy_s

api-ms-win-crt-math-l1-1-0

log
__setusermatherr
_dclass
roundf
pow

api-ms-win-crt-heap-l1-1-0

calloc
_set_new_mode
realloc
_msize
malloc
free

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-time-l1-1-0

_localtime64_s

api-ms-win-crt-runtime-l1-1-0

_cexit
__p___argv
__p___argc
_exit
exit
_initterm_e
_register_thread_local_exe_atexit_callback
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
_set_app_type
_seh_filter_exe
_initialize_onexit_table
_beginthreadex
_register_onexit_function
terminate
_crt_atexit
_c_exit
abort
_initterm
_endthreadex

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 2.5MB - Virtual size: 2.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 825KB - Virtual size: 825KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 73KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d34deb3402eb76044a54e97a85335373

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

gdi32

kernel32

ole32

shell32

user32

crypt32

userenv

oleaut32

bcrypt

ws2_32

ntdll

secur32

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 2.5MB - Virtual size: 2.5MB

.rdata Size: 825KB - Virtual size: 825KB

.data Size: 21KB - Virtual size: 25KB

.pdata Size: 73KB - Virtual size: 72KB

_RDATA Size: 512B - Virtual size: 500B

.reloc Size: 19KB - Virtual size: 19KB

.text
Size: 2.5MB - Virtual size: 2.5MB

.rdata
Size: 825KB - Virtual size: 825KB

.data
Size: 21KB - Virtual size: 25KB

.pdata
Size: 73KB - Virtual size: 72KB

_RDATA
Size: 512B - Virtual size: 500B

.reloc
Size: 19KB - Virtual size: 19KB