Analysis
- max time kernel: 93s
- max time network: 97s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 07-05-2021 13:00
Static task: static1

Behavioral task: behavioral1
- Sample: hanta_2_0.exe
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: hanta_2_0.exe
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: hanta_2_0.exe
- Size: 780KB
- MD5: d33013cb6b28255069fcfea0575f49e9
- SHA1: fd4a4a0ad4e15d2c6a0d9b8bbe7dcde95bada378
- SHA256: 5178fb0c885be51a83a0c53f56e86564548e65080913940eac96d9562270c299
- SHA512: 63aca05c9dcfd89219da86cccd196b15cc6afdc22f64dde189fcea95d8c116fd0194d930568760e39899ee2a4b3893b3868a5df563e2573f7840c2531d416d63

Score: 8/10
Malware Config
Signatures
- Disables Task Manager via registry modification

- Drops startup file (1 IoCs)
  Processes: hanta_2_0.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HANTA.exe
  process: hanta_2_0.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: hanta_2_0.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\hanta_ransom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HANTA.exe\""
  process: hanta_2_0.exe

- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: hanta_2_0.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wall.jpg"
  process: hanta_2_0.exe

- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid: 3404
  pid_target: 980
  process: WerFault.exe
  target process: hanta_2_0.exe

- Modifies Control Panel (2 IoCs)
  Processes: hanta_2_0.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "1"
  process: hanta_2_0.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\TileWallpaper = "0"
  process: hanta_2_0.exe

- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes: hanta_2_0.exe, WerFault.exe
  pid 980, process hanta_2_0.exe (4 events)
  pid 3404, process WerFault.exe (5 events)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: hanta_2_0.exe, WerFault.exe
  description: Token: SeDebugPrivilege, pid 980, process hanta_2_0.exe
  description: Token: SeDebugPrivilege, pid 3404, process WerFault.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: hanta_2_0.exe
  description: PID 980 wrote to memory of 3404, pid 980, process hanta_2_0.exe, target process WerFault.exe (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\hanta_2_0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\hanta_2_0.exe"
   - Drops startup file
   - Adds Run key to start application
   - Sets desktop wallpaper using registry
   - Modifies Control Panel
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 9512
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/980-60-0x0000000000D40000-0x0000000000D41000-memory.dmp (Filesize 4KB)
- memory/980-62-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize 4KB)
- memory/980-63-0x00000000005E0000-0x0000000000695000-memory.dmp (Filesize 724KB)
- memory/980-64-0x0000000000280000-0x0000000000281000-memory.dmp (Filesize 4KB)
- memory/980-65-0x0000000004B80000-0x0000000004B81000-memory.dmp (Filesize 4KB)
- memory/3404-66-0x0000000000000000-mapping.dmp
- memory/3404-67-0x0000000001B60000-0x0000000001B61000-memory.dmp (Filesize 4KB)