Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
15-03-2024 21:38
General
-
Target
ransomwares/Huzuni/Huzuni.exe
-
Size
65KB
-
MD5
e988915eb5706f5eeea7b684eec41a85
-
SHA1
05d11b2d393e68af9200fd23eee1ccc0f5850289
-
SHA256
06b8827fc8494e0e7b284a8dcb704e38169347fb857e4114813a2b8db206ec2c
-
SHA512
2b8a784fb2333c1b2313eb557dd0bc551403ff0ce9be5422241e5274ae2028487f1a4386fb098cb93bcb633cdefedc8bade80501ac919248455d53c974ab3e22
-
SSDEEP
1536:rmFEdOkJa9HLSQyzboPGRyfbYPstUKEMzL0HPV1vsHTV1:zwpi/5yFuKEM30HP7vsHT7
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ransomwares\Huzuni\Huzuni.exe"C:\Users\Admin\AppData\Local\Temp\ransomwares\Huzuni\Huzuni.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Huzuni.exe"C:\Huzuni.exe"2⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /takeown /f C:\Windows\System32\Taskmgr.exe && icacls C:\Windows\System32\Taskmgr.exe /grant %username%:F && del C:\Windows\System32\Taskmgr.exe && exit3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\window.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=d: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin Delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD5ea9c5fca65378fe641a1b708187a582f
SHA1c7dba2587ffd02071fe12fdec646d70cf86d7f9e
SHA2560ce2f58a1b2c0d87c054ef212914d84ffeac59243b4a8a3a9c615c876638d87d
SHA5121006b532ad2df8532be3fe651d24908e0b83240bf5af4ef52ba6341d56eac93fc35d75ae499b0f473354e3fc100d629a22daae206e4d05124842135559ca64ec
-
Filesize
1KB
MD59dba906094ee0f15f38e0640e5923270
SHA10118a885480cd04c5a4310fd3d39251dd769a3a5
SHA2560e79efbeae919d458e637000c20e4e71ddb916903527c593248038a78358f57d
SHA512e6985edc821486ce4ef0f467f348734ccab4aa1bacf961c4168de4e881960954a2c2c503824c9cc9f639ad9fff2e2df79241a75bf84cae99028082bdceee28e9
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB