d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e

General

Target

d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
Size

372KB
MD5

47b179f387ffd4a63dbc7c4ba9abd3bb
SHA1

5b1f786079d20b4d3af833fe57a63fb7446f4c6e
SHA256

d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e
SHA512

ae648e6cc9545a1390aca86c05bd247b1b21d8565f7ea4c5ea385c8727518c368f4a880a3566ce277bf4e84b682a6e7502cb58fc9bf36689d44e1b7d8552b224
SSDEEP

6144:t8dgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiWO:t2qQx+H2i+8LBNbdypazCXYw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
904	hab.exe
2216	hab.exe

Loads dropped DLL 3 IoCs

pid	Process
1724	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
1724	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
904	hab.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2412 set thread context of 1724	2412	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe	30
PID 904 set thread context of 2216	904	hab.exe	32

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
File opened for modification	C:\Windows\win.ini	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2412	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
2412	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
1724	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
1724	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
904	hab.exe
904	hab.exe
2216	hab.exe
2216	hab.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2412	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
2412	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
1724	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
1724	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
904	hab.exe
904	hab.exe
2216	hab.exe
2216	hab.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2412	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
1724	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
904	hab.exe
2216	hab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1724	2412	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe	30
PID 2412 wrote to memory of 1724	2412	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe	30
PID 2412 wrote to memory of 1724	2412	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe	30
PID 2412 wrote to memory of 1724	2412	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe	30
PID 1724 wrote to memory of 904	1724	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe	31
PID 1724 wrote to memory of 904	1724	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe	31
PID 1724 wrote to memory of 904	1724	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe	31
PID 1724 wrote to memory of 904	1724	d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe	31
PID 904 wrote to memory of 2216	904	hab.exe	32
PID 904 wrote to memory of 2216	904	hab.exe	32
PID 904 wrote to memory of 2216	904	hab.exe	32
PID 904 wrote to memory of 2216	904	hab.exe	32

C:\Users\Admin\AppData\Local\Temp\d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
"C:\Users\Admin\AppData\Local\Temp\d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe
  "C:\Users\Admin\AppData\Local\Temp\d7c4dc87e9f307277b701a7e748be1509f912d8b94505cf8c1f2d9ab25525f7e.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
6a632a13dff6694e0fc57a24a9b5883d

SHA1
2ac4124cf2fcd3383c4fee49f5dd03151df9df02

SHA256
c788cb72d89bdf452a2042626ee332ba77478996d56aefa0525bdb8554d13127

SHA512
9cdcbe789050a64f9b822d07770cea0e4faf9c2f56826fa7bae0eaa570d9f7b20c6924599abee9cd888587f79a01e2e4872bb7d1a0b42b2da33a536a7b9bff48

Download Submit
memory/1724-14-0x0000000076F10000-0x00000000770B9000-memory.dmp

Filesize
1.7MB

Download
memory/2412-2-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2412-5-0x0000000076F10000-0x00000000770B9000-memory.dmp

Filesize
1.7MB

Download
memory/2412-4-0x0000000076F11000-0x0000000077012000-memory.dmp

Filesize
1.0MB

Download
memory/2412-13-0x0000000077100000-0x00000000771D6000-memory.dmp

Filesize
856KB

Download
memory/2412-12-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing