6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83

General

Target

6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
Size

372KB
MD5

77f71596ddb1fa8498e660939e4ce909
SHA1

b649888561e4243ff55d086c3091a323a7f29ec6
SHA256

6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83
SHA512

cecfbb5faf3637967231959e4e941d136d2ee0c4d277758bee76d3f79ad88a2b55888ae06a4a0947b0fc7cc80c179332ff03ad1f31b49982132bb6c199fe0478
SSDEEP

6144:t5dgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiee:tbqQx+H2i+8LBNbdypazCXYY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1696	hab.exe
2120	hab.exe

Loads dropped DLL 3 IoCs

pid	Process
2944	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
2944	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
1696	hab.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 2944	1584	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	30
PID 1696 set thread context of 2120	1696	hab.exe	32

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
File opened for modification	C:\Windows\win.ini	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1584	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
1584	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
2944	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
2944	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
1696	hab.exe
1696	hab.exe
2120	hab.exe
2120	hab.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1584	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
1584	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
2944	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
2944	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
1696	hab.exe
1696	hab.exe
2120	hab.exe
2120	hab.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1584	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
2944	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
1696	hab.exe
2120	hab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 2944	1584	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	30
PID 1584 wrote to memory of 2944	1584	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	30
PID 1584 wrote to memory of 2944	1584	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	30
PID 1584 wrote to memory of 2944	1584	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	30
PID 2944 wrote to memory of 1696	2944	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	31
PID 2944 wrote to memory of 1696	2944	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	31
PID 2944 wrote to memory of 1696	2944	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	31
PID 2944 wrote to memory of 1696	2944	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	31
PID 1696 wrote to memory of 2120	1696	hab.exe	32
PID 1696 wrote to memory of 2120	1696	hab.exe	32
PID 1696 wrote to memory of 2120	1696	hab.exe	32
PID 1696 wrote to memory of 2120	1696	hab.exe	32

C:\Users\Admin\AppData\Local\Temp\6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
"C:\Users\Admin\AppData\Local\Temp\6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
  "C:\Users\Admin\AppData\Local\Temp\6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
3333a3970229a06046faff40d2b1aed5

SHA1
55c92891d0ea74129ebab881d5dc8df83f1548be

SHA256
7d0e8172814f2e53c4d875eba3217423417f5c565bc9f8a58ec9da905f7a15ae

SHA512
09ac724435981c3b66993e701404da10117a93c1b06815cd728ec11563691dd359386488a73e652352e722cfafdbf7c61e9105c3846216ec6d7fe73880c6a793

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
memory/1584-2-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1584-4-0x0000000077081000-0x0000000077182000-memory.dmp

Filesize
1.0MB

Download
memory/1584-5-0x0000000077080000-0x0000000077229000-memory.dmp

Filesize
1.7MB

Download
memory/1584-10-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2944-13-0x0000000077080000-0x0000000077229000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing