972af59b414ad2c048db81d3cccc144163a98208db6a020fa430271c7886f377

Analysis

max time kernel
0s
max time network
1s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

972af59b414ad2c048db81d3cccc144163a98208db6a020fa430271c7886f377.exe
Size

372KB
MD5

1a3f75090e940358a474761a9a730b63
SHA1

5b09d4ad7e002e51a5151118b7cecb2eec16c36d
SHA256

972af59b414ad2c048db81d3cccc144163a98208db6a020fa430271c7886f377
SHA512

68f8651f8b44fdf483f582d71eb0f8011190475dd84f52fa13ccad4c5f631d727a9eeeef36b38d3f6c194aca823e3a9fa7cce1c4f23b5837f501f47926ed56f0
SSDEEP

6144:tHdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiue:t9qQx+H2i+8LBNbdypazCXYI

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	972af59b414ad2c048db81d3cccc144163a98208db6a020fa430271c7886f377.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2788	972af59b414ad2c048db81d3cccc144163a98208db6a020fa430271c7886f377.exe

C:\Users\Admin\AppData\Local\Temp\972af59b414ad2c048db81d3cccc144163a98208db6a020fa430271c7886f377.exe
"C:\Users\Admin\AppData\Local\Temp\972af59b414ad2c048db81d3cccc144163a98208db6a020fa430271c7886f377.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2788
- C:\Users\Admin\AppData\Local\Temp\972af59b414ad2c048db81d3cccc144163a98208db6a020fa430271c7886f377.exe
  "C:\Users\Admin\AppData\Local\Temp\972af59b414ad2c048db81d3cccc144163a98208db6a020fa430271c7886f377.exe"
  2⤵
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
741e41dca0e72c64b11bd69d5a5b4013

SHA1
11fbe6ced7741ed6bdf081c3c98daf1107454442

SHA256
9c29c710fcc8600e076b4aed7fb4407f7afba557540b094aefba3f5631c8fe01

SHA512
e4603de3332c185079e2cc14b88b48fa519af5a8f576f313cb52ba7b6e93db9b9833266a4ad7358f3c7ef41c8e0a797e81294ad3faffa08747c52ee7a30ced5a

Download Submit
memory/1948-15-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/2788-2-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2788-5-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/2788-4-0x0000000077911000-0x0000000077A12000-memory.dmp

Filesize
1.0MB

Download
memory/2788-12-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2788-13-0x0000000077B00000-0x0000000077BD6000-memory.dmp

Filesize
856KB

Download