074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da

General

Target

074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
Size

372KB
MD5

58b02284e4a26bbd397e607af3a977bf
SHA1

3573ef3cedfb98b9c980ef2abe5e1c24f6bf7837
SHA256

074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da
SHA512

b4ce81164d5457ed5b9fee760bafba2ac382f06b4efaecbc6dbfd2fafad780401ed4a8a2b88e676a3229aa6cdfda2751db4b93b190eb0685e6ebf96da87c0e24
SSDEEP

6144:tFdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiy+:tnqQx+H2i+8LBNbdypazCXYc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2632	hab.exe
1448	hab.exe

Loads dropped DLL 3 IoCs

pid	Process
2272	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2272	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2632	hab.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 2272	2960	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe	28
PID 2632 set thread context of 1448	2632	hab.exe	30

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
File opened for modification	C:\Windows\win.ini	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2960	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2960	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2272	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2272	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2632	hab.exe
2632	hab.exe
1448	hab.exe
1448	hab.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2960	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2960	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2272	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2272	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2632	hab.exe
2632	hab.exe
1448	hab.exe
1448	hab.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2960	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2272	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
2632	hab.exe
1448	hab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2272	2960	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe	28
PID 2960 wrote to memory of 2272	2960	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe	28
PID 2960 wrote to memory of 2272	2960	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe	28
PID 2960 wrote to memory of 2272	2960	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe	28
PID 2272 wrote to memory of 2632	2272	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe	29
PID 2272 wrote to memory of 2632	2272	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe	29
PID 2272 wrote to memory of 2632	2272	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe	29
PID 2272 wrote to memory of 2632	2272	074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe	29
PID 2632 wrote to memory of 1448	2632	hab.exe	30
PID 2632 wrote to memory of 1448	2632	hab.exe	30
PID 2632 wrote to memory of 1448	2632	hab.exe	30
PID 2632 wrote to memory of 1448	2632	hab.exe	30

C:\Users\Admin\AppData\Local\Temp\074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
"C:\Users\Admin\AppData\Local\Temp\074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  "C:\Users\Admin\AppData\Local\Temp\074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
cabfcf93820fa46724f3a953b3b476e7

SHA1
318bf7074cc1dd4a98f22c46393aacbc802e47ed

SHA256
91623c1d6ca7d812346058fe3c9fc93e9ce0654c951c14c6d1bebf1f70697585

SHA512
a22490f04b3163ec84ab3a79de68c4cfea647864377ccc5c247a0531eeefdd7f9730b5a26ce38029c68d6e292735a67791d66c47121ba18c0fb636adba444486

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
memory/2272-15-0x0000000076FC0000-0x0000000077169000-memory.dmp

Filesize
1.7MB

Download
memory/2960-2-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/2960-4-0x0000000076FC1000-0x00000000770C2000-memory.dmp

Filesize
1.0MB

Download
memory/2960-5-0x0000000076FC0000-0x0000000077169000-memory.dmp

Filesize
1.7MB

Download
memory/2960-12-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/2960-13-0x00000000771B0000-0x0000000077286000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing