3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a

General

Target

3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
Size

372KB
MD5

0e51ba9445f6978daad3465cd383b3c7
SHA1

da42572d8384c67e0bd67ec37430b9ca77040e93
SHA256

3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a
SHA512

38d5cd0bed279a49a60a1deb282f181d3ac8f67afb4af15358b6648c8a47cde3430b7bdd3be500703a2054be60ab2ad0bb2a1771bd36d59eccec81f14d179db5
SSDEEP

6144:tZdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiiO:t7qQx+H2i+8LBNbdypazCXY0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2892	hab.exe
2880	hab.exe

Loads dropped DLL 3 IoCs

pid	Process
3016	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
3016	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
2892	hab.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 3016	2440	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe	30
PID 2892 set thread context of 2880	2892	hab.exe	32

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
File opened for modification	C:\Windows\win.ini	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
File opened for modification	C:\Windows\win.ini	hab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2440	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
2440	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
3016	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
3016	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
2892	hab.exe
2892	hab.exe
2880	hab.exe
2880	hab.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2440	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
2440	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
3016	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
3016	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
2892	hab.exe
2892	hab.exe
2880	hab.exe
2880	hab.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2440	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
3016	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
2892	hab.exe
2880	hab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 3016	2440	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe	30
PID 2440 wrote to memory of 3016	2440	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe	30
PID 2440 wrote to memory of 3016	2440	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe	30
PID 2440 wrote to memory of 3016	2440	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe	30
PID 3016 wrote to memory of 2892	3016	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe	31
PID 3016 wrote to memory of 2892	3016	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe	31
PID 3016 wrote to memory of 2892	3016	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe	31
PID 3016 wrote to memory of 2892	3016	3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe	31
PID 2892 wrote to memory of 2880	2892	hab.exe	32
PID 2892 wrote to memory of 2880	2892	hab.exe	32
PID 2892 wrote to memory of 2880	2892	hab.exe	32
PID 2892 wrote to memory of 2880	2892	hab.exe	32

C:\Users\Admin\AppData\Local\Temp\3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
"C:\Users\Admin\AppData\Local\Temp\3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe
  "C:\Users\Admin\AppData\Local\Temp\3b42b77b0bca33235ea576f37dc3cabd7a2b2bd501089380ffa15098293eab8a.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
9afec1c9d3bce1d8f7c43023e08da18a

SHA1
26e3715ee4c2cc2784888a26acd621e63523a4be

SHA256
e878ab379e756346e131a20873f25a2142413ee97adcda8d15a05da2a02e1be6

SHA512
6e55a8b902cda2579e774ec30b616adf281d537b2d614225d756055c820ea52c4c1cc0fa389a2f20f9967279cce478dd26642dcdb7b71c6e6c813ee1cf7b5958

Download Submit
memory/2440-2-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2440-5-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download
memory/2440-4-0x0000000077201000-0x0000000077302000-memory.dmp

Filesize
1.0MB

Download
memory/2440-13-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2440-12-0x00000000773F0000-0x00000000774C6000-memory.dmp

Filesize
856KB

Download
memory/3016-14-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing