57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64

General

Target

57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
Size

208KB
MD5

9d13099934aa78e29176707abf8257d0
SHA1

ba6b1df82ae5b7ca13a6c4f1bcdc3ea253cbd363
SHA256

57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64
SHA512

11cee32a0393e1830b15c430fa032d62f4b35becd6514bfa6a992133dee9b746c30c81068197e527962e7f9acf10750384b3507f8c648c4a1cee7c9ae5d0c1af
SSDEEP

3072:0Tgnx1vQQyrT0yDlRFnhXNc5xzWYSnnGauuW6KPoK1xwC5Yf4NLthEjQT6c:91vRyrT0AlRFI5xzWDY6sxwCGfQEj+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	HZTTHM.exe

Loads dropped DLL 2 IoCs

pid	Process
1496	cmd.exe
1496	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\HZTTHM.exe	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
File opened for modification	C:\windows\system\HZTTHM.exe	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
File created	C:\windows\system\HZTTHM.exe.bat	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HZTTHM.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2456	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
2456	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
2484	HZTTHM.exe
2484	HZTTHM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2456	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
2456	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
2484	HZTTHM.exe
2484	HZTTHM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1496	2456	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe	30
PID 2456 wrote to memory of 1496	2456	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe	30
PID 2456 wrote to memory of 1496	2456	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe	30
PID 2456 wrote to memory of 1496	2456	57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe	30
PID 1496 wrote to memory of 2484	1496	cmd.exe	32
PID 1496 wrote to memory of 2484	1496	cmd.exe	32
PID 1496 wrote to memory of 2484	1496	cmd.exe	32
PID 1496 wrote to memory of 2484	1496	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe
"C:\Users\Admin\AppData\Local\Temp\57469a07f8470a0c04dbc1ccbe045e10a9ac26c859d09efb442ef42206fb3f64N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\HZTTHM.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\windows\system\HZTTHM.exe
    C:\windows\system\HZTTHM.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HZTTHM.exe.bat

Filesize
72B

MD5
34c110af6052ae7d639f5dde87548f7e

SHA1
d00ab224dce0b599304e7b19c3d19cd4c914a881

SHA256
7aac1fefe3adb9fee63d538a0a31bba9de637b28a7a5a24a23e1741cb09da6b5

SHA512
8766eedfd381db92f4a9360fc11189c59e4ae3d4b7e35d00a90fbea5819f49970a51952976e784de629409ff93fbcf87140fd9b74ea339146e090533be80b43d

Download Submit
\Windows\system\HZTTHM.exe

Filesize
208KB

MD5
bd1af6bd981c6530c119ccf67aa80b62

SHA1
f064ceb68dc2c0dd48bcee6d359029123cb720d9

SHA256
6480a40fd314f8fb25878006715a84cfe10c2a4a5f64d0265ae7dafcc4943f5b

SHA512
2fd8371a06398d9b85f162990455bd3a7312b55f3cc7bf24eb99b7278432f87e4babb7fa89362dd3d7bc1ebf0b3a25e2fe2ecdfb8003d633c7cb14e60e48fba8

Download Submit
memory/1496-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1496-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2456-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2456-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2484-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2484-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing