Overview

overview

10

Static

static

hbatka.exe

windows7_x64

3

hbatka.exe

windows10-2004_x64

10

Resubmissions

03/02/2022, 13:19

220203-qkn47ahgap 8

01/02/2022, 11:22

220201-ngzemsdehk 10

05/01/2022, 09:55

220105-lxw84sabh4 10

Analysis

  • max time kernel
    123s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01/02/2022, 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hbatka.exe

  • Size

    75KB

  • MD5

    a765dbcbac57a712e2eb748fe6fd5e7c

  • SHA1

    59c51f9d5f699b6aa6b3e37fcd93da87ce79d815

  • SHA256

    7e6cd2bf820d81c9389c549cfe482bcdb1b57c5f39d53b63cd1efb79699e7ae6

  • SHA512

    9ab1aa09e965014b56aadeddbe38b44de343942857431b6490a53b143b9232f6da3415d6245ee774a35538196ad000c66fdc673db98fb84bd7615af04a7e1a8c

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hbatka.exe
    "C:\Users\Admin\AppData\Local\Temp\hbatka.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1236
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/548-60-0x0000000002300000-0x0000000002F4A000-memory.dmp

    Filesize

    12.3MB

    Download

  • memory/1016-62-0x0000000000720000-0x0000000000780000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1256-54-0x00000000002C0000-0x00000000002D8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1256-55-0x0000000076C61000-0x0000000076C63000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1256-56-0x0000000004C00000-0x0000000004C01000-memory.dmp

    Filesize

    4KB

    Download