Analysis
- max time kernel: 122s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 07-05-2021 14:14
Static task
- static1

Behavioral task
- behavioral1
  Sample: 333.exe
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: 333.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: 333.exe
- Size: 780KB
- MD5: d33013cb6b28255069fcfea0575f49e9
- SHA1: fd4a4a0ad4e15d2c6a0d9b8bbe7dcde95bada378
- SHA256: 5178fb0c885be51a83a0c53f56e86564548e65080913940eac96d9562270c299
- SHA512: 63aca05c9dcfd89219da86cccd196b15cc6afdc22f64dde189fcea95d8c116fd0194d930568760e39899ee2a4b3893b3868a5df563e2573f7840c2531d416d63
- Score: 8/10
Malware Config
Signatures
- Disables Task Manager via registry modification

- Drops startup file (1 IoCs)
  Processes: 333.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HANTA.exe | 333.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 333.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\hanta_ransom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HANTA.exe\"" | 333.exe

- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 333.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wall.jpg" | 333.exe

- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  3444 | 1652 | WerFault.exe | 333.exe

- Modifies Control Panel (2 IoCs)
  Processes: 333.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "1" | 333.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\TileWallpaper = "0" | 333.exe

- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes: 333.exe, WerFault.exe
  pid | process
  1652 | 333.exe
  1652 | 333.exe
  1652 | 333.exe
  1652 | 333.exe
  3444 | WerFault.exe
  3444 | WerFault.exe
  3444 | WerFault.exe
  3444 | WerFault.exe
  3444 | WerFault.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: WerFault.exe
  pid | process
  3444 | WerFault.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 333.exe, WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 1652 | 333.exe
  Token: SeDebugPrivilege | 3444 | WerFault.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 333.exe
  description | pid | process | target process
  PID 1652 wrote to memory of 3444 | 1652 | 333.exe | WerFault.exe
  PID 1652 wrote to memory of 3444 | 1652 | 333.exe | WerFault.exe
  PID 1652 wrote to memory of 3444 | 1652 | 333.exe | WerFault.exe
  PID 1652 wrote to memory of 3444 | 1652 | 333.exe | WerFault.exe
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\333.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\333.exe"
  - Drops startup file
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 9500
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1652-60-0x0000000000EC0000-0x0000000000EC1000-memory.dmp (Filesize 4KB)
- memory/1652-62-0x00000000002F0000-0x00000000002F1000-memory.dmp (Filesize 4KB)
- memory/1652-63-0x0000000000B50000-0x0000000000B51000-memory.dmp (Filesize 4KB)
- memory/1652-64-0x0000000007D40000-0x0000000007DF5000-memory.dmp (Filesize 724KB)
- memory/1652-65-0x0000000000300000-0x0000000000301000-memory.dmp (Filesize 4KB)
- memory/3444-66-0x0000000000000000-mapping.dmp
- memory/3444-67-0x0000000000310000-0x0000000000311000-memory.dmp (Filesize 4KB)