Overview

overview

10

Static

static

10

ransomware...om.exe

windows7-x64

10

ransomware...om.exe

windows10-2004-x64

10

ransomware...ab.exe

windows7-x64

10

ransomware...ab.exe

windows10-2004-x64

10

ransomware...ye.exe

windows7-x64

10

ransomware...ye.exe

windows10-2004-x64

10

ransomware...ni.exe

windows7-x64

10

ransomware...ni.exe

windows10-2004-x64

10

ransomware...pt.exe

windows7-x64

10

ransomware...pt.exe

windows10-2004-x64

4

ransomware...ya.exe

windows7-x64

7

ransomware...ya.exe

windows10-2004-x64

7

ransomware...en.exe

windows7-x64

8

ransomware...en.exe

windows10-2004-x64

8

ransomware...ky.exe

windows7-x64

1

ransomware...ky.exe

windows10-2004-x64

1

ransomware...ha.exe

windows7-x64

6

ransomware...ha.exe

windows10-2004-x64

6

ransomware...V2.exe

windows7-x64

6

ransomware...V2.exe

windows10-2004-x64

6

ransomware...om.exe

windows7-x64

10

ransomware...om.exe

windows10-2004-x64

10

ransomware...ya.exe

windows7-x64

10

ransomware...ya.exe

windows10-2004-x64

10

ransomware...d).exe

windows7-x64

6

ransomware...d).exe

windows10-2004-x64

6

ransomware...ap.exe

windows7-x64

1

ransomware...ap.exe

windows10-2004-x64

1

ransomware....A.exe

windows7-x64

6

ransomware....A.exe

windows10-2004-x64

6

ransomware...er.exe

windows7-x64

6

ransomware...er.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-03-2024 21:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ransomwares/Huzuni/Huzuni.exe

  • Size

    65KB

  • MD5

    e988915eb5706f5eeea7b684eec41a85

  • SHA1

    05d11b2d393e68af9200fd23eee1ccc0f5850289

  • SHA256

    06b8827fc8494e0e7b284a8dcb704e38169347fb857e4114813a2b8db206ec2c

  • SHA512

    2b8a784fb2333c1b2313eb557dd0bc551403ff0ce9be5422241e5274ae2028487f1a4386fb098cb93bcb633cdefedc8bade80501ac919248455d53c974ab3e22

  • SSDEEP

    1536:rmFEdOkJa9HLSQyzboPGRyfbYPstUKEMzL0HPV1vsHTV1:zwpi/5yFuKEM30HP7vsHT7

Score
10/10
evasionpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 16 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransomwares\Huzuni\Huzuni.exe
    "C:\Users\Admin\AppData\Local\Temp\ransomwares\Huzuni\Huzuni.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Huzuni.exe
      "C:\Huzuni.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /takeown /f C:\Windows\System32\Taskmgr.exe && icacls C:\Windows\System32\Taskmgr.exe /grant %username%:F && del C:\Windows\System32\Taskmgr.exe && exit
        3⤵
          PID:4608
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\window.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Windows\system32\vssadmin.exe
          vssadmin Delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1732
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
          3⤵
          • Interacts with shadow copies
          PID:400
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
          3⤵
          • Interacts with shadow copies
          PID:4844
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=d: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:1700
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=d: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:4856
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=e: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:1632
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=e: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:3728
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=f: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:3568
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=f: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:4224
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=g: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:3768
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=g: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:412
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=h: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:2408
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=h: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:1820
        • C:\Windows\system32\vssadmin.exe
          vssadmin Delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:592
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4424

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Huzuni.exe
      Filesize

      52KB

      MD5

      ea9c5fca65378fe641a1b708187a582f

      SHA1

      c7dba2587ffd02071fe12fdec646d70cf86d7f9e

      SHA256

      0ce2f58a1b2c0d87c054ef212914d84ffeac59243b4a8a3a9c615c876638d87d

      SHA512

      1006b532ad2df8532be3fe651d24908e0b83240bf5af4ef52ba6341d56eac93fc35d75ae499b0f473354e3fc100d629a22daae206e4d05124842135559ca64ec

      Download Submit

    • C:\Users\Admin\Downloads\BackupSplit.mpv2
      Filesize

      392KB

      MD5

      d3825d85ecff793377595fa7b1097fbe

      SHA1

      58cd6e8906c1af363972e07198eb65cb200073ae

      SHA256

      67d977d0676ba8df787f3d1ab612e7268d6c0684d5c3272b2b3ce86054d47128

      SHA512

      97c5a318f8cd67f226bfc4686c4ee1d93b81bcd1b5283401aa9dc5ed3d17c348bfb0b863e6e6f1d4e7ba64243ed5afb4ceb91753670aa933e048f1ed20f909d5

      Download Submit

    • C:\window.bat
      Filesize

      1KB

      MD5

      9dba906094ee0f15f38e0640e5923270

      SHA1

      0118a885480cd04c5a4310fd3d39251dd769a3a5

      SHA256

      0e79efbeae919d458e637000c20e4e71ddb916903527c593248038a78358f57d

      SHA512

      e6985edc821486ce4ef0f467f348734ccab4aa1bacf961c4168de4e881960954a2c2c503824c9cc9f639ad9fff2e2df79241a75bf84cae99028082bdceee28e9

      Download Submit

    • memory/1048-0-0x0000000000420000-0x0000000000436000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1048-1-0x00007FFD6BBA0000-0x00007FFD6C661000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1048-2-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1048-18-0x000000001B260000-0x000000001B409000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1048-21-0x00007FFD6BBA0000-0x00007FFD6C661000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2584-22-0x0000000000F90000-0x0000000000F96000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2584-20-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2584-24-0x000000001B620000-0x000000001B630000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2584-25-0x000000001B620000-0x000000001B630000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2584-26-0x000000001B620000-0x000000001B630000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2584-19-0x00007FFD6BBA0000-0x00007FFD6C661000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2584-92-0x000000001BA60000-0x000000001BC09000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2584-93-0x00007FFD6BBA0000-0x00007FFD6C661000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2584-95-0x000000001B620000-0x000000001B630000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2584-96-0x000000001B620000-0x000000001B630000-memory.dmp

      Filesize

      64KB

      Download