ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372

General

Target

ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
Size

372KB
MD5

19937ad01f3fc2fe28941feb4c110ee8
SHA1

46376eb5c9f27d82a7a43d7eca08553b18d72e60
SHA256

ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372
SHA512

d547496f9f7e520f3b558fc0e918ebe1ee384084aa4d9c849c28fc097697017ce4753d1a1a2957d4f99511ab90415f9b0017931267cc82120aa46151355ba782
SSDEEP

6144:tqdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiKu:tAqQx+H2i+8LBNbdypazCXY8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2848	hab.exe
2596	hab.exe

Loads dropped DLL 3 IoCs

pid	Process
2420	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
2420	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
2848	hab.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1284 set thread context of 2420	1284	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe	28
PID 2848 set thread context of 2596	2848	hab.exe	30

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
File opened for modification	C:\Windows\win.ini	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1284	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
1284	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
2420	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
2420	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
2848	hab.exe
2848	hab.exe
2596	hab.exe
2596	hab.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1284	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
1284	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
2420	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
2420	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
2848	hab.exe
2848	hab.exe
2596	hab.exe
2596	hab.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1284	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
2420	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
2848	hab.exe
2596	hab.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2420	1284	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe	28
PID 1284 wrote to memory of 2420	1284	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe	28
PID 1284 wrote to memory of 2420	1284	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe	28
PID 1284 wrote to memory of 2420	1284	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe	28
PID 2420 wrote to memory of 2848	2420	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe	29
PID 2420 wrote to memory of 2848	2420	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe	29
PID 2420 wrote to memory of 2848	2420	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe	29
PID 2420 wrote to memory of 2848	2420	ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe	29
PID 2848 wrote to memory of 2596	2848	hab.exe	30
PID 2848 wrote to memory of 2596	2848	hab.exe	30
PID 2848 wrote to memory of 2596	2848	hab.exe	30
PID 2848 wrote to memory of 2596	2848	hab.exe	30

C:\Users\Admin\AppData\Local\Temp\ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
"C:\Users\Admin\AppData\Local\Temp\ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe
  "C:\Users\Admin\AppData\Local\Temp\ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
93732398e9b962c5f394d34a8fefda32

SHA1
fb224bf669b8065b2d97e88e1c53228156512e1c

SHA256
c48d3ded92b7564998957430412fad611a84a422bbbb30b9323cc31dc2af12cf

SHA512
f220c3470933a8d7ef5191f1b28bbff831dc13bb0472716b3853c1941789b1499974f7999f6d983c14b9b39601306827a862629acab575baec5fd7467da6fe38

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
memory/1284-2-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/1284-4-0x0000000077101000-0x0000000077202000-memory.dmp

Filesize
1.0MB

Download
memory/1284-5-0x0000000077100000-0x00000000772A9000-memory.dmp

Filesize
1.7MB

Download
memory/1284-13-0x00000000772F0000-0x00000000773C6000-memory.dmp

Filesize
856KB

Download
memory/1284-12-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/2420-15-0x0000000077100000-0x00000000772A9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing