Overview
overview
10Static
static
10ransomware...3n.exe
windows7-x64
ransomware...3n.exe
windows10-2004-x64
ransomware...le.exe
windows7-x64
ransomware...le.exe
windows10-2004-x64
ransomware...it.exe
windows7-x64
10ransomware...it.exe
windows10-2004-x64
10ransomware...le.exe
windows10-2004-x64
10ransomware... 5.exe
windows7-x64
10ransomware... 5.exe
windows10-2004-x64
10ransomware...de.exe
windows7-x64
10ransomware...de.exe
windows10-2004-x64
10ransomware...ck.exe
windows7-x64
7ransomware...ck.exe
windows10-2004-x64
7ransomware...ye.exe
windows7-x64
6ransomware...ye.exe
windows10-2004-x64
6ransomware...ap.exe
windows7-x64
6ransomware...ap.exe
windows10-2004-x64
6ransomware...ya.exe
windows7-x64
6ransomware...ya.exe
windows10-2004-x64
6ransomware...om.exe
windows7-x64
10ransomware...om.exe
windows10-2004-x64
10ransomware...ab.exe
windows7-x64
10ransomware...ab.exe
windows10-2004-x64
10ransomware...ye.exe
windows7-x64
10ransomware...ye.exe
windows10-2004-x64
10ransomware...ni.exe
windows7-x64
10ransomware...ni.exe
windows10-2004-x64
10ransomware...pt.exe
windows7-x64
10ransomware...pt.exe
windows10-2004-x64
10ransomware...ya.exe
windows7-x64
7ransomware...ya.exe
windows10-2004-x64
7ransomware...en.exe
windows7-x64
8Analysis
-
max time kernel
152s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17-03-2024 04:49
Static task
static1
Behavioral task
behavioral1
Sample
ransomwares/7ev3n/7ev3n.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
ransomwares/7ev3n/7ev3n.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
ransomwares/Annabelle/Annabelle.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral4
Sample
ransomwares/Annabelle/Annabelle.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
ransomwares/BadRabbit/BadRabbit.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
ransomwares/BadRabbit/BadRabbit.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
ransomwares/Birele/Birele.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
ransomwares/Cerber 5/Cerber 5.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral9
Sample
ransomwares/Cerber 5/Cerber 5.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
ransomwares/Darkside/Darkside.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral11
Sample
ransomwares/Darkside/Darkside.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
ransomwares/DeriaLock/DeriaLock.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral13
Sample
ransomwares/DeriaLock/DeriaLock.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
ransomwares/Fake GoldenEye/FakeGoldenEye.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral15
Sample
ransomwares/Fake GoldenEye/FakeGoldenEye.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
ransomwares/Fake PetrWrap/FakePetrWrap.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral17
Sample
ransomwares/Fake PetrWrap/FakePetrWrap.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
ransomwares/FakePetya/FakePetya.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral19
Sample
ransomwares/FakePetya/FakePetya.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
ransomwares/Fantom/Fantom.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral21
Sample
ransomwares/Fantom/Fantom.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
ransomwares/GandCrab/GandCrab.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral23
Sample
ransomwares/GandCrab/GandCrab.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
ransomwares/GoldenEye/GoldenEye.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral25
Sample
ransomwares/GoldenEye/GoldenEye.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
ransomwares/Huzuni/Huzuni.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral27
Sample
ransomwares/Huzuni/Huzuni.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
ransomwares/InfinityCrypt/InfinityCrypt.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral29
Sample
ransomwares/InfinityCrypt/InfinityCrypt.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
ransomwares/JanusPetya/JanusPetya.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral31
Sample
ransomwares/JanusPetya/JanusPetya.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
ransomwares/Krotten/Krotten.exe
Resource
win7-20240220-en
windows7-x64
General
-
Target
ransomwares/Huzuni/Huzuni.exe
-
Size
65KB
-
MD5
e988915eb5706f5eeea7b684eec41a85
-
SHA1
05d11b2d393e68af9200fd23eee1ccc0f5850289
-
SHA256
06b8827fc8494e0e7b284a8dcb704e38169347fb857e4114813a2b8db206ec2c
-
SHA512
2b8a784fb2333c1b2313eb557dd0bc551403ff0ce9be5422241e5274ae2028487f1a4386fb098cb93bcb633cdefedc8bade80501ac919248455d53c974ab3e22
-
SSDEEP
1536:rmFEdOkJa9HLSQyzboPGRyfbYPstUKEMzL0HPV1vsHTV1:zwpi/5yFuKEM30HP7vsHT7
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" Huzuni.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Huzuni.exe -
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 3004 Huzuni.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2092 vssadmin.exe 1400 vssadmin.exe 2408 vssadmin.exe 1364 vssadmin.exe 2660 vssadmin.exe 2872 vssadmin.exe 2648 vssadmin.exe 2044 vssadmin.exe 2120 vssadmin.exe 1808 vssadmin.exe 2748 vssadmin.exe 1868 vssadmin.exe 436 vssadmin.exe 3000 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe 3004 Huzuni.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeBackupPrivilege 2396 vssvc.exe Token: SeRestorePrivilege 2396 vssvc.exe Token: SeAuditPrivilege 2396 vssvc.exe Token: SeDebugPrivilege 3004 Huzuni.exe -
Suspicious use of WriteProcessMemory 51 IoCs
description pid Process procid_target PID 2980 wrote to memory of 3004 2980 Huzuni.exe 28 PID 2980 wrote to memory of 3004 2980 Huzuni.exe 28 PID 2980 wrote to memory of 3004 2980 Huzuni.exe 28 PID 2980 wrote to memory of 1180 2980 Huzuni.exe 29 PID 2980 wrote to memory of 1180 2980 Huzuni.exe 29 PID 2980 wrote to memory of 1180 2980 Huzuni.exe 29 PID 1180 wrote to memory of 2660 1180 cmd.exe 31 PID 1180 wrote to memory of 2660 1180 cmd.exe 31 PID 1180 wrote to memory of 2660 1180 cmd.exe 31 PID 3004 wrote to memory of 2384 3004 Huzuni.exe 33 PID 3004 wrote to memory of 2384 3004 Huzuni.exe 33 PID 3004 wrote to memory of 2384 3004 Huzuni.exe 33 PID 1180 wrote to memory of 1400 1180 cmd.exe 37 PID 1180 wrote to memory of 1400 1180 cmd.exe 37 PID 1180 wrote to memory of 1400 1180 cmd.exe 37 PID 1180 wrote to memory of 2748 1180 cmd.exe 38 PID 1180 wrote to memory of 2748 1180 cmd.exe 38 PID 1180 wrote to memory of 2748 1180 cmd.exe 38 PID 1180 wrote to memory of 2408 1180 cmd.exe 39 PID 1180 wrote to memory of 2408 1180 cmd.exe 39 PID 1180 wrote to memory of 2408 1180 cmd.exe 39 PID 1180 wrote to memory of 2872 1180 cmd.exe 40 PID 1180 wrote to memory of 2872 1180 cmd.exe 40 PID 1180 wrote to memory of 2872 1180 cmd.exe 40 PID 1180 wrote to memory of 2648 1180 cmd.exe 41 PID 1180 wrote to memory of 2648 1180 cmd.exe 41 PID 1180 wrote to memory of 2648 1180 cmd.exe 41 PID 1180 wrote to memory of 3000 1180 cmd.exe 42 PID 1180 wrote to memory of 3000 1180 cmd.exe 42 PID 1180 wrote to memory of 3000 1180 cmd.exe 42 PID 1180 wrote to memory of 2044 1180 cmd.exe 43 PID 1180 wrote to memory of 2044 1180 cmd.exe 43 PID 1180 wrote to memory of 2044 1180 cmd.exe 43 PID 1180 wrote to memory of 2120 1180 cmd.exe 44 PID 1180 wrote to memory of 2120 1180 cmd.exe 44 PID 1180 wrote to memory of 2120 1180 cmd.exe 44 PID 1180 wrote to memory of 2092 1180 cmd.exe 45 PID 1180 wrote to memory of 2092 1180 cmd.exe 45 PID 1180 wrote to memory of 2092 1180 cmd.exe 45 PID 1180 wrote to memory of 1868 1180 cmd.exe 46 PID 1180 wrote to memory of 1868 1180 cmd.exe 46 PID 1180 wrote to memory of 1868 1180 cmd.exe 46 PID 1180 wrote to memory of 436 1180 cmd.exe 47 PID 1180 wrote to memory of 436 1180 cmd.exe 47 PID 1180 wrote to memory of 436 1180 cmd.exe 47 PID 1180 wrote to memory of 1808 1180 cmd.exe 48 PID 1180 wrote to memory of 1808 1180 cmd.exe 48 PID 1180 wrote to memory of 1808 1180 cmd.exe 48 PID 1180 wrote to memory of 1364 1180 cmd.exe 49 PID 1180 wrote to memory of 1364 1180 cmd.exe 49 PID 1180 wrote to memory of 1364 1180 cmd.exe 49 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ransomwares\Huzuni\Huzuni.exe"C:\Users\Admin\AppData\Local\Temp\ransomwares\Huzuni\Huzuni.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Huzuni.exe"C:\Huzuni.exe"2⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /takeown /f C:\Windows\System32\Taskmgr.exe && icacls C:\Windows\System32\Taskmgr.exe /grant %username%:F && del C:\Windows\System32\Taskmgr.exe && exit3⤵PID:2384
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\window.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\system32\vssadmin.exevssadmin Delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2660
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
PID:1400
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:2748
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=d: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2408
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2872
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2648
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3000
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2044
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2120
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2092
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1868
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:436
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1808
-
-
C:\Windows\system32\vssadmin.exevssadmin Delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1364
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD5ea9c5fca65378fe641a1b708187a582f
SHA1c7dba2587ffd02071fe12fdec646d70cf86d7f9e
SHA2560ce2f58a1b2c0d87c054ef212914d84ffeac59243b4a8a3a9c615c876638d87d
SHA5121006b532ad2df8532be3fe651d24908e0b83240bf5af4ef52ba6341d56eac93fc35d75ae499b0f473354e3fc100d629a22daae206e4d05124842135559ca64ec
-
Filesize
1KB
MD59dba906094ee0f15f38e0640e5923270
SHA10118a885480cd04c5a4310fd3d39251dd769a3a5
SHA2560e79efbeae919d458e637000c20e4e71ddb916903527c593248038a78358f57d
SHA512e6985edc821486ce4ef0f467f348734ccab4aa1bacf961c4168de4e881960954a2c2c503824c9cc9f639ad9fff2e2df79241a75bf84cae99028082bdceee28e9