Analysis
- max time kernel: 42s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 17-04-2021 20:07
Static task: static1
Behavioral task: behavioral1
- Sample: build_v2.exe
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: build_v2.exe
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: build_v2.exe
- Size: 781KB
- MD5: ca488b40ff017aa2e5edfb657195b19a
- SHA1: 8591740a747320a93eef73850a29a109cac17a26
- SHA256: 5e11767db92bef1591938a448d1d391202e6c8d8ddf0275dc8d72fd375b950db
- SHA512: 73e99e1da85da472e97b0184a71fbffc39b81dd9daffecd640443413976b147941b79f51b2cc7aa90da68b8ba5a39e5541437c41509ca9280082b5a400c441ca
- Score: 8/10
Malware Config
Signatures
- Disables Task Manager via registry modification (no IoC shown in this report)
- Drops startup file (1 IoC)
  Process: build_v2.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HANTA.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: build_v2.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\hanta_ransom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HANTA.exe\""
  The Run value points at the same HANTA.exe dropped into the Startup folder, so the sample registers two autostart paths for one file: the Startup folder entry and the per-user Run key. Either one is enough to survive a reboot, so both must be removed.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: build_v2.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wall.jpg"
- Program crash (1 IoC)
  Process: WerFault.exe (PID 4164), target process: build_v2.exe (PID 3680)
- Modifies Control Panel (2 IoCs)
  Process: build_v2.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "1"
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\TileWallpaper = "0"
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  build_v2.exe (PID 3680): 4 events
  WerFault.exe (PID 4164): 15 events
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 3680, build_v2.exe
  Token: SeRestorePrivilege, PID 4164, WerFault.exe
  Token: SeBackupPrivilege, PID 4164, WerFault.exe
  Token: SeDebugPrivilege, PID 4164, WerFault.exe
  The process-enumeration and privilege hits attributed to WerFault.exe are the normal behavior of the Windows crash handler collecting a dump of the failed process, not actions of the sample; only the SeDebugPrivilege request by build_v2.exe itself is attributable to the malware.
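The persistence IoCs above (an executable dropped into the user's Startup folder, a Run value pointing at that same file, and wallpaper registry values pointing into %TEMP%) translate directly into host-side triage rules. The following is an added example, not part of the sandbox report: it assumes Sysmon-style event records (EventID 11 FileCreate with TargetFilename, EventID 13 registry SetValue with TargetObject/Details), and the sample records in SAMPLE_EVENTS are constructed from this report's IoCs plus one benign OneDrive control entry. The rule names, the Finding class, and the helper functions are this example's own.

```python
"""Triage rules derived from the report's persistence IoCs.
Added example (not sandbox output). Event shape is assumed to be Sysmon-like:
EventID 11 = FileCreate, EventID 13 = registry SetValue."""
import re
from dataclasses import dataclass

# Locations a low-privilege user can write to. An autostart entry that launches
# something from here is worth a look; a Startup-folder file is autostart by itself.
STARTUP_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
DESKTOP_RE = re.compile(
    r"\\control panel\\desktop\\(wallpaper|wallpaperstyle|tilewallpaper)$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def run_key_target(details: str) -> str:
    """Best-effort extraction of the executable from a Run value such as
    '"C:\\dir\\app.exe" /arg' or 'C:\\dir\\app.exe'. Unquoted paths containing
    spaces are cut at the first space, which is acceptable for a triage rule."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def evaluate(events):
    """Run every rule over the event list and return findings in event order."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            if STARTUP_RE.search(target):
                findings.append(Finding("startup_folder_drop", image, target))
        elif ev.get("EventID") == 13:
            key = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            if RUN_KEY_RE.search(key):
                exe = run_key_target(details)
                if STARTUP_RE.search(exe) or TEMP_RE.search(exe):
                    findings.append(Finding("run_key_user_writable_target", image,
                                            f"{key} -> {exe}"))
            elif DESKTOP_RE.search(key):
                if key.lower().endswith("\\wallpaper"):
                    if TEMP_RE.search(details):  # wallpaper image served from %TEMP%
                        findings.append(Finding("wallpaper_from_temp", image, details))
                else:  # WallpaperStyle / TileWallpaper, i.e. the layout knobs
                    findings.append(Finding("wallpaper_layout_change", image,
                                            f"{key} = {details}"))
    return findings


def suspicious_processes(events, min_rules=2):
    """Group findings by process and keep processes that tripped at least
    `min_rules` distinct rules: one Run key is common, the combination is not."""
    by_proc = {}
    for f in evaluate(events):
        by_proc.setdefault(f.process, set()).add(f.rule)
    return {p: sorted(r) for p, r in by_proc.items() if len(r) >= min_rules}


# Constructed records: values copied from the report's IoCs, plus a benign control.
SID = "S-1-5-21-3686645723-710336880-414668232-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\build_v2.exe"
HANTA = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HANTA.exe"


def hku(subkey: str) -> str:
    return "HKU\\" + SID + "\\" + subkey


SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": HANTA},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": hku(r"Software\Microsoft\Windows\CurrentVersion\Run\hanta_ransom"),
     "Details": f'"{HANTA}"'},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": hku(r"Control Panel\Desktop\Wallpaper"),
     "Details": r"C:\Users\Admin\AppData\Local\Temp\wall.jpg"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": hku(r"Control Panel\Desktop\WallpaperStyle"),
     "Details": "1"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": hku(r"Control Panel\Desktop\TileWallpaper"),
     "Details": "0"},
    # Benign control (constructed): a Run value launching from a non-Temp path.
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": hku(r"Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.process}\n    {f.detail}")
    print(suspicious_processes(SAMPLE_EVENTS))
```

Run against the constructed records, build_v2.exe trips four distinct rules and the OneDrive control trips none. The per-process grouping is the point: any single rule here has benign hits in a real environment, but one process writing to the Startup folder, registering a Run value for that file, and repainting the desktop from %TEMP% within the same run is the ransomware-style pattern the report documents.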
Processes
- C:\Users\Admin\AppData\Local\Temp\build_v2.exe (PID 3680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\build_v2.exe"
  - Drops startup file
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 4164, child of PID 3680)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 7436
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  The WerFault.exe child is Windows Error Reporting handling a user-mode crash of PID 3680 (-p is the crashing PID). Because the SysWOW64 copy was used, the sample runs as a 32-bit process; it crashed during the run, which is also why the memory dumps listed under Downloads all belong to PID 3680 and why the report may not show the full behaviour of a run that completes.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/3680-114-0x0000000000B10000-0x0000000000B11000-memory.dmp (4KB)
- memory/3680-116-0x0000000001510000-0x0000000001511000-memory.dmp (4KB)
- memory/3680-117-0x00000000055C0000-0x0000000005675000-memory.dmp (724KB)
- memory/3680-118-0x0000000001520000-0x0000000001521000-memory.dmp (4KB)
- memory/3680-119-0x0000000005370000-0x0000000005371000-memory.dmp (4KB)
All dumps are regions of PID 3680 (build_v2.exe). The 724KB region at 0x055C0000-0x05675000 is the only one of substantive size and the natural first candidate for static analysis; the four 4KB regions are single pages.