5e11767db92bef1591938a448d1d391202e6c8d8ddf0275dc8d72fd375b950db

General

Target

build_v2.exe
Size

781KB
MD5

ca488b40ff017aa2e5edfb657195b19a
SHA1

8591740a747320a93eef73850a29a109cac17a26
SHA256

5e11767db92bef1591938a448d1d391202e6c8d8ddf0275dc8d72fd375b950db
SHA512

73e99e1da85da472e97b0184a71fbffc39b81dd9daffecd640443413976b147941b79f51b2cc7aa90da68b8ba5a39e5541437c41509ca9280082b5a400c441ca

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Drops startup file 1 IoCs

Processes:

build_v2.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HANTA.exe build_v2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HANTA.exe	build_v2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

build_v2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\hanta_ransom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HANTA.exe\""	build_v2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

build_v2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wall.jpg"	build_v2.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4164 3680 WerFault.exe build_v2.exe

pid	pid_target	process	target process
4164	3680	WerFault.exe	build_v2.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

build_v2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "1"	build_v2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\TileWallpaper = "0"	build_v2.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

build_v2.exeWerFault.exe

pid	process
3680	build_v2.exe
3680	build_v2.exe
3680	build_v2.exe
3680	build_v2.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe
4164	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

build_v2.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3680	build_v2.exe
Token: SeRestorePrivilege	4164	WerFault.exe
Token: SeBackupPrivilege	4164	WerFault.exe
Token: SeDebugPrivilege	4164	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\build_v2.exe
"C:\Users\Admin\AppData\Local\Temp\build_v2.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 7436
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3680-114-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3680-116-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/3680-117-0x00000000055C0000-0x0000000005675000-memory.dmp

Filesize
724KB

Download
memory/3680-118-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/3680-119-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads