Overview

overview

7

Static

static

1

Hanabira3.rar

windows10-1703-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28/03/2024, 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Hanabira3.rar

  • Size

    202.2MB

  • MD5

    419d94d19d466196670c125028e3a4a8

  • SHA1

    a4793bc2a2422bd488cd599787f827ad69887841

  • SHA256

    4d7d5fcb9738ae25a30d291d2222680ce54b99db592cbe21217fc0f85d8d2d26

  • SHA512

    db84c1fa1040b7d9d41c39eb197c8ea00dce4ab9f09990e23997ff337aa7cd2bda9237fe20cbc8a3407b23ecf05ea202a8ec0bcb6c3635d41d6a27a4c0250a30

  • SSDEEP

    3145728:T1/ltPrA4fKH5ZlFxKCOU8UilDjHu8y/Vi2yLR1xMu2OhG+YsNYcBM1xpYCw3sIH:TDWcKLMh9W/c2OxMGhGqNYT6RnraM

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Hanabira3.rar
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Hanabira3.rar"
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4472
      • C:\Users\Admin\AppData\Local\Temp\7zO871475C7\HANABIRA3.EXE
        "C:\Users\Admin\AppData\Local\Temp\7zO871475C7\HANABIRA3.EXE"
        3⤵
        • Executes dropped EXE
        PID:4628
      • C:\Users\Admin\AppData\Local\Temp\7zO87137668\SH3_Esp.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO87137668\SH3_Esp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4612
      • C:\Windows\notepad.exe
        "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO8719F219\HANABIRA3.EXE"
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:5084
      • C:\Users\Admin\AppData\Local\Temp\7zO8712C769\HANABIRA3.EXE
        "C:\Users\Admin\AppData\Local\Temp\7zO8712C769\HANABIRA3.EXE"
        3⤵
        • Executes dropped EXE
        PID:1208
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO871C0249\Instrucciones.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:4264
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO87137668\SH3_Esp.exe
    Filesize

    51.9MB

    MD5

    9c85cfe189f495c752a8bf77f2ec11fa

    SHA1

    395dfb7154f927f2f3a125824c17a010db3aed87

    SHA256

    d63452af2e4b8b14d948e0bbaa5ec9846351dc111ae1c6959f991c5681f46ddf

    SHA512

    41360341450120450cb2308b9e52f20b80a02293bbaf78850a05b58c3e27db78a9d655fe630aa546241eb140400e09a4b5d4e13cbf5834ca9b3e6cfb6f9fdfc2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7zO871475C7\HANABIRA3.EXE
    Filesize

    1.7MB

    MD5

    65394041edc36494bd028e58eb7e89be

    SHA1

    23d1f8ab8d66f6fac16f00b3357a8f70c06c77ff

    SHA256

    5f6aafa02068eacab8293a44108458a7022e4870af7212e3e054f01f9763a659

    SHA512

    ce93d4f092ce2da6f2add00ceb3664f59f6e1346b9ef822c3f4d788d3b0a16d3d468aa6d076fdcb21d6c7e83b9e7fd529aee69c3858de920a31aa9b675eb668e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7zO871C0249\Instrucciones.txt
    Filesize

    373B

    MD5

    04463000dd40d326b1ae09ca2a153374

    SHA1

    b494474d1617f70fb0ae6d548dc6db0e7e0dad04

    SHA256

    ed5e55dff622d4d8043d49216a527d32297b531b62f24185d214ce7c156f6ec1

    SHA512

    4302c22ed2d4fa947e8d4a039c6da3f3a043e845d944da10c1114c057c57c868790854336eacba72387954358ef73751ad9d70aa9cd1da06b6526a2dea70ffd1

    Download Submit

  • memory/4612-12-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download