Overview

overview

8

Static

static

hbatka.exe

windows7_x64

3

hbatka.exe

windows10-2004_x64

8

Resubmissions

03/02/2022, 13:19

220203-qkn47ahgap 8

01/02/2022, 11:22

220201-ngzemsdehk 10

05/01/2022, 09:55

220105-lxw84sabh4 10

Analysis

  • max time kernel
    129s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    03/02/2022, 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hbatka.exe

  • Size

    75KB

  • MD5

    a765dbcbac57a712e2eb748fe6fd5e7c

  • SHA1

    59c51f9d5f699b6aa6b3e37fcd93da87ce79d815

  • SHA256

    7e6cd2bf820d81c9389c549cfe482bcdb1b57c5f39d53b63cd1efb79699e7ae6

  • SHA512

    9ab1aa09e965014b56aadeddbe38b44de343942857431b6490a53b143b9232f6da3415d6245ee774a35538196ad000c66fdc673db98fb84bd7615af04a7e1a8c

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hbatka.exe
    "C:\Users\Admin\AppData\Local\Temp\hbatka.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1240
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1652

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1612-60-0x00000000022C0000-0x00000000025A0000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1612-61-0x00000000022C0000-0x00000000025A0000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1652-64-0x0000000000370000-0x0000000000388000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1996-54-0x0000000000B90000-0x0000000000BA8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1996-55-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1996-56-0x00000000007A0000-0x00000000007A1000-memory.dmp

    Filesize

    4KB

    Download