e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18

General

Target

e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
Size

372KB
MD5

ba6a319b5bc264f6a0359bd679122b42
SHA1

67f9a0e414ea18e0aaac806ff3bf82fec16b09d9
SHA256

e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18
SHA512

0cd38c22c733e145f2556590d4a3938bf5550e28d99847f27f61dc5eb031905842e4f95914b61a9aa4c15de63876ccf32be276426a59337e42c2f79539aac624
SSDEEP

6144:tBdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhi2:tTqQx+H2i+8LBNbdypazCXY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2640	hab.exe
2212	hab.exe

Loads dropped DLL 3 IoCs

pid	Process
2476	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2476	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2640	hab.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 2476	2096	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe	31
PID 2640 set thread context of 2212	2640	hab.exe	33

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
File opened for modification	C:\Windows\win.ini	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2096	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2096	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2476	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2476	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2640	hab.exe
2640	hab.exe
2212	hab.exe
2212	hab.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2096	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2096	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2476	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2476	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2640	hab.exe
2640	hab.exe
2212	hab.exe
2212	hab.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2096	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2476	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
2640	hab.exe
2212	hab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2476	2096	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe	31
PID 2096 wrote to memory of 2476	2096	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe	31
PID 2096 wrote to memory of 2476	2096	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe	31
PID 2096 wrote to memory of 2476	2096	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe	31
PID 2476 wrote to memory of 2640	2476	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe	32
PID 2476 wrote to memory of 2640	2476	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe	32
PID 2476 wrote to memory of 2640	2476	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe	32
PID 2476 wrote to memory of 2640	2476	e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe	32
PID 2640 wrote to memory of 2212	2640	hab.exe	33
PID 2640 wrote to memory of 2212	2640	hab.exe	33
PID 2640 wrote to memory of 2212	2640	hab.exe	33
PID 2640 wrote to memory of 2212	2640	hab.exe	33

C:\Users\Admin\AppData\Local\Temp\e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
"C:\Users\Admin\AppData\Local\Temp\e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe
  "C:\Users\Admin\AppData\Local\Temp\e5b84db39171a7ef29668164307a7571195af72143b80110c47fe5d059367f18.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
111e3c392aa8a9a5f8075a790f56f3f7

SHA1
c19f29752a60f67af4110f58104f1d5c8fd5a24e

SHA256
6fa313be3db79b4432094ddcec959a254d56d00071cb450e8930d40760e250fb

SHA512
229925920229a18d510c8bdbdfdb4cbef75a2351e148c1f3e555d2cc67db30f931f1961c32caa9ac7e8fde7df951567a91f9948163507d254ba7f8cced61cd27

Download Submit
memory/2096-2-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2096-4-0x0000000077241000-0x0000000077342000-memory.dmp

Filesize
1.0MB

Download
memory/2096-5-0x0000000077240000-0x00000000773E9000-memory.dmp

Filesize
1.7MB

Download
memory/2096-13-0x0000000077430000-0x0000000077506000-memory.dmp

Filesize
856KB

Download
memory/2096-12-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2476-15-0x0000000077240000-0x00000000773E9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing