Overview

overview

10

Static

static

10

ransomware...3n.exe

windows7-x64

ransomware...3n.exe

windows10-2004-x64

ransomware...le.exe

windows7-x64

ransomware...le.exe

windows10-2004-x64

ransomware...it.exe

windows7-x64

10

ransomware...it.exe

windows10-2004-x64

10

ransomware...le.exe

windows10-2004-x64

10

ransomware... 5.exe

windows7-x64

10

ransomware... 5.exe

windows10-2004-x64

10

ransomware...de.exe

windows7-x64

10

ransomware...de.exe

windows10-2004-x64

10

ransomware...ck.exe

windows7-x64

7

ransomware...ck.exe

windows10-2004-x64

7

ransomware...ye.exe

windows7-x64

6

ransomware...ye.exe

windows10-2004-x64

6

ransomware...ap.exe

windows7-x64

6

ransomware...ap.exe

windows10-2004-x64

6

ransomware...ya.exe

windows7-x64

1

ransomware...ya.exe

windows10-2004-x64

3

ransomware...om.exe

windows7-x64

10

ransomware...om.exe

windows10-2004-x64

10

ransomware...ab.exe

windows7-x64

10

ransomware...ab.exe

windows10-2004-x64

10

ransomware...ye.exe

windows7-x64

10

ransomware...ye.exe

windows10-2004-x64

10

ransomware...ni.exe

windows7-x64

10

ransomware...ni.exe

windows10-2004-x64

10

ransomware...pt.exe

windows7-x64

10

ransomware...pt.exe

windows10-2004-x64

10

ransomware...ya.exe

windows7-x64

7

ransomware...ya.exe

windows10-2004-x64

7

ransomware...en.exe

windows7-x64

8

Analysis

  • max time kernel
    187s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-03-2024 21:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ransomwares/Huzuni/Huzuni.exe

  • Size

    65KB

  • MD5

    e988915eb5706f5eeea7b684eec41a85

  • SHA1

    05d11b2d393e68af9200fd23eee1ccc0f5850289

  • SHA256

    06b8827fc8494e0e7b284a8dcb704e38169347fb857e4114813a2b8db206ec2c

  • SHA512

    2b8a784fb2333c1b2313eb557dd0bc551403ff0ce9be5422241e5274ae2028487f1a4386fb098cb93bcb633cdefedc8bade80501ac919248455d53c974ab3e22

  • SSDEEP

    1536:rmFEdOkJa9HLSQyzboPGRyfbYPstUKEMzL0HPV1vsHTV1:zwpi/5yFuKEM30HP7vsHT7

Score
10/10
evasionpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 16 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransomwares\Huzuni\Huzuni.exe
    "C:\Users\Admin\AppData\Local\Temp\ransomwares\Huzuni\Huzuni.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Huzuni.exe
      "C:\Huzuni.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /takeown /f C:\Windows\System32\Taskmgr.exe && icacls C:\Windows\System32\Taskmgr.exe /grant %username%:F && del C:\Windows\System32\Taskmgr.exe && exit
        3⤵
          PID:2744
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\window.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\system32\vssadmin.exe
          vssadmin Delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2012
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
          3⤵
          • Interacts with shadow copies
          PID:1452
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
          3⤵
          • Interacts with shadow copies
          PID:2112
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=d: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:1056
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=d: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:344
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=e: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:1692
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=e: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:1624
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=f: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:1168
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=f: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:1160
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=g: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:2088
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=g: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:2188
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=h: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:580
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=h: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:1736
        • C:\Windows\system32\vssadmin.exe
          vssadmin Delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2380
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2752

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Huzuni.exe
      Filesize

      52KB

      MD5

      ea9c5fca65378fe641a1b708187a582f

      SHA1

      c7dba2587ffd02071fe12fdec646d70cf86d7f9e

      SHA256

      0ce2f58a1b2c0d87c054ef212914d84ffeac59243b4a8a3a9c615c876638d87d

      SHA512

      1006b532ad2df8532be3fe651d24908e0b83240bf5af4ef52ba6341d56eac93fc35d75ae499b0f473354e3fc100d629a22daae206e4d05124842135559ca64ec

      Download Submit

    • C:\Users\Admin\Pictures\BackupExpand.jpeg
      Filesize

      780KB

      MD5

      d1f50c10e8e47e90e67c4434e68a805c

      SHA1

      14fbb9b4e6b08057495389037cea028c165a572e

      SHA256

      78ee1f6326c19ec2c663ba983a967b3bc643856ae9623c36194c1afcb072abd1

      SHA512

      fafcfaa01cd6919e2b3cba02a2ca5e16f4bb07d9f7433f544420853b8cab703489f00aab604c5015ef38fa63769e16c4b0e8f224b351ae4c392d4fdc075ba56c

      Download Submit

    • C:\window.bat
      Filesize

      1KB

      MD5

      9dba906094ee0f15f38e0640e5923270

      SHA1

      0118a885480cd04c5a4310fd3d39251dd769a3a5

      SHA256

      0e79efbeae919d458e637000c20e4e71ddb916903527c593248038a78358f57d

      SHA512

      e6985edc821486ce4ef0f467f348734ccab4aa1bacf961c4168de4e881960954a2c2c503824c9cc9f639ad9fff2e2df79241a75bf84cae99028082bdceee28e9

      Download Submit

    • memory/2524-104-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-106-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-117-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-17-0x0000000000240000-0x0000000000246000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2524-116-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-19-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2524-21-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-22-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-23-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-114-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-113-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-10-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2524-107-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-108-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2524-109-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-110-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-111-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2524-112-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2700-1-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2700-0-0x0000000000A30000-0x0000000000A46000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2700-20-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2700-2-0x000000001B190000-0x000000001B210000-memory.dmp

      Filesize

      512KB

      Download