Analysis
max time kernel: 1s
max time network: 1s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/03/2025, 20:40
Static task: static1
Behavioral task: behavioral1
  Sample: 074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  Resource: win10v2004-20250314-en
General
Target: 074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
Size: 372KB
MD5: 58b02284e4a26bbd397e607af3a977bf
SHA1: 3573ef3cedfb98b9c980ef2abe5e1c24f6bf7837
SHA256: 074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da
SHA512: b4ce81164d5457ed5b9fee760bafba2ac382f06b4efaecbc6dbfd2fafad780401ed4a8a2b88e676a3229aa6cdfda2751db4b93b190eb0685e6ebf96da87c0e24
SSDEEP: 6144:tFdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiy+:tnqQx+H2i+8LBNbdypazCXYc
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2632  hab.exe
  1448  hab.exe
Loads dropped DLL (3 IoCs)
  pid   Process
  2272  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2272  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2632  hab.exe
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 2960 set thread context of 2272  2960  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe  28
  PID 2632 set thread context of 1448  2632  hab.exe                                                                 30
Drops file in Windows directory (4 IoCs)
  description                   ioc                 Process
  File opened for modification  C:\Windows\win.ini  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  File opened for modification  C:\Windows\win.ini  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  File opened for modification  C:\Windows\win.ini  hab.exe
  File opened for modification  C:\Windows\win.ini  hab.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hab.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hab.exe
Suspicious use of FindShellTrayWindow (8 IoCs)
  pid   Process
  2960  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2960  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2272  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2272  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2632  hab.exe
  2632  hab.exe
  1448  hab.exe
  1448  hab.exe
Suspicious use of SendNotifyMessage (8 IoCs)
  pid   Process
  2960  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2960  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2272  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2272  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2632  hab.exe
  2632  hab.exe
  1448  hab.exe
  1448  hab.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2960  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2272  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
  2632  hab.exe
  1448  hab.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2960 wrote to memory of 2272  2960  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe  28
  PID 2960 wrote to memory of 2272  2960  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe  28
  PID 2960 wrote to memory of 2272  2960  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe  28
  PID 2960 wrote to memory of 2272  2960  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe  28
  PID 2272 wrote to memory of 2632  2272  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe  29
  PID 2272 wrote to memory of 2632  2272  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe  29
  PID 2272 wrote to memory of 2632  2272  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe  29
  PID 2272 wrote to memory of 2632  2272  074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe  29
  PID 2632 wrote to memory of 1448  2632  hab.exe                                                                 30
  PID 2632 wrote to memory of 1448  2632  hab.exe                                                                 30
  PID 2632 wrote to memory of 1448  2632  hab.exe                                                                 30
  PID 2632 wrote to memory of 1448  2632  hab.exe                                                                 30
Processes

1  C:\Users\Admin\AppData\Local\Temp\074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe"
   PID: 2960
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\074657bfa64655c09b1c9da889242222fa965fbc3295de7de7c04378f9bdb8da.exe"
      PID: 2272
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\hab.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\hab.exe"
         PID: 2632
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4  C:\Users\Admin\AppData\Local\Temp\hab.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\hab.exe"
            PID: 1448
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 372KB
MD5: cabfcf93820fa46724f3a953b3b476e7
SHA1: 318bf7074cc1dd4a98f22c46393aacbc802e47ed
SHA256: 91623c1d6ca7d812346058fe3c9fc93e9ce0654c951c14c6d1bebf1f70697585
SHA512: a22490f04b3163ec84ab3a79de68c4cfea647864377ccc5c247a0531eeefdd7f9730b5a26ce38029c68d6e292735a67791d66c47121ba18c0fb636adba444486

Filesize: 509B
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA1: deb3d3bdc9055f0b4909b31d3048446848fae0e1
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
SHA512: 8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31