Analysis

  • max time kernel
    78s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-09-2022 16:53

General

  • Target

    HEUR-Trojan.MSIL.Agent.gen-2756b78e9d72257067b63018ed3de4524812c60c72211288698ec78dcfc08921.exe

  • Size

    780KB

  • MD5

    712e164996f8a491ca08dd3eb4b5b16a

  • SHA1

    07fbb42d5168e3ce7f0aedb437e0a1cbca59ea5d

  • SHA256

    2756b78e9d72257067b63018ed3de4524812c60c72211288698ec78dcfc08921

  • SHA512

    5ba44f6528907c94c0fb650dbdc0bfe7923e096961f05865f7a4ffab523d2c3e7d1bed095b69ce02cad5e830b7a5f4dccfd2e7a00ff291556259dd884023f078

  • SSDEEP

    12288:N8St0dbGh7Qzq95i05ymO63rcBaIiICzVcZLMAdGFRaTdlIG3pct1v1Ru9IZRtI:N8S6wNQm9hdoYVIChchnGahutXRjhI

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\how_to_recover.html

Ransom Note
<!doctype html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="ie=edge"> <title>Back your files</title> <style> body{ margin: 0; padding: 0; background-color: black; } .header{ width: 100%; background-color: #1a1a1a; border-bottom: 1px solid; border-color: #b50000; position: sticky; top: 0; margin: 0; color: #f1f1f1; display: flex; justify-content: center; align-items: center; box-shadow: inset 0px 0px 20px 10px rgba(0,0,0, 0.7); } .header-text{ font-weight: bold; font-size: 30px; color: red; text-align: center; margin-left: 10px; margin-right: 10px; text-shadow: 5px 6px 7px #000; } .container{ max-width: 800px; margin: 0 auto; display: flex; justify-content: center; align-items: center; } .content-item h2 { color: #f1f1f1; text-shadow: 5px 6px 7px #000; } .content-item{ padding: 10px; padding-top: 5px; margin: 10px; border-bottom: 1px solid; border-color: #b50000; padding-bottom: 10px; background-color: #1a1a1a; color: #eee; border-radius: 10px; } .notice{ text-align: center; color: #f1f1f1; font-weight: bold; } </style> </head> <body> <div class="header"> <div class="container"> <p class="header-text"> HANTA VIRUS </p> </div> </div> <div class="content"> <div class="content-item"> <h2>WHAT HAPPENED WITH MY COMPUTER?</h2> All Files on your system has been encrypted with HANTA Virus.<br/> Nobody will be able to decrypt ANY of your files without our decryption service. Dont waste your time. 
</div> <div class="content-item"> <h2>CAN I RECOVER MY FILES?</h2> You will be able to recover your files only after you send amount$ in BTC to this BTC wallet:<br/> <p style="font-weight: bold;">1HYpnNyAERfmC5bnueGs7E3qDgMAxRiLGC</p> or contact with us by email: hanta@420blaze.it<br/> Your system indetification: 4cfb5922-b036-4c14-9ed1-03c0dad19fbd <br/> </div> <div class="content-item"> <h2>Your personal key:</h2> <p style="font-weight: bold;">-----BEGIN PUBLIC KEY-----</p> <RSAKeyValue><Modulu s>u4Z/yl2ImF9uQnMlaK 8b9DuAdxpOP5WlIT3yqm Monuk+vuJUIYHP9mZfgY poVxusQX/TpQQl7x5Tzq /UZeOOcoW8NdTVoZmQqU /3nS37PGm0qNyYSLrbDt Ac0t0dwDvLDjTDWMhcCp ME7O1X4ua/2ZtLjo8cW8 4yWrFoa4DqCDUgvLDgg+ OCm1s/j+8E/4eAQmkx7O Szt6UvxHBH7LyH3qHp9n fZzAIQHG1g2txckprkah MasSInNsYDC26LLvQrbv zydL7YwMZafawR5fy7/B VBDbS6ShGtXZr6YjjDqi regdYpyh24MDeUAKiE+Q z/VsgxEgJvq6QgIqDFI3 KQlQ==</Modulus><Exp onent>AQAB</Exponent ></RSAKeyValue> <p style="font-weight: bold;">-----END PUBLIC KEY-----</p> </div> <p class="notice">Any antivirus sortware can corrupt files, if you want save back your files, turn off antivirus, it can delete our application</p> </div> </body> </html>
Emails

hanta@420blaze.it

URLs

http-equiv="X-UA-Compatible"

Signatures

  • Disables Task Manager via registry modification
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Program crash 1 IoCs
  • Modifies Control Panel 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-2756b78e9d72257067b63018ed3de4524812c60c72211288698ec78dcfc08921.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-2756b78e9d72257067b63018ed3de4524812c60c72211288698ec78dcfc08921.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4328
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 4016
      2⤵
      • Program crash
      PID:5920
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4328 -ip 4328
    1⤵
    PID:5856

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (1)
    T1060
  • Defense Evasion
    Modify Registry (2)
    T1112
  • Impact
    Defacement (1)
    T1491


Downloads

  • memory/4328-133-0x0000000000FD0000-0x000000000109C000-memory.dmp
    Filesize
    816KB