Analysis
-
max time kernel
188s -
max time network
98s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
12-05-2020 11:39
Static task
static1
Behavioral task
behavioral1
Sample
client.exe
Resource
win7v200430
General
-
Target
client.exe
-
Size
61KB
-
MD5
b8edb3062e489a16fd49868c18731a55
-
SHA1
018a392975a8731735ef709e6418e5af19db3756
-
SHA256
f0c0c989b018ee24cbd7548cec4e345fd34f491d350983fddb5ddc1ad1f4ba9f
-
SHA512
6793968fab16a332217cff0a876a6e1355859b4dabb93a6362eec3412d029d7c7e3c957e136dfaa1f984527710cdef01abc27072f66ba45ded6758471a04fa12
Malware Config
Extracted
C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
hakbit
Contact: servocrypt@tutanota.com
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Suspicious use of WriteProcessMemory 384 IoCs
Processes:
client.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exedescription pid process target process PID 1292 wrote to memory of 1312 1292 client.exe net.exe PID 1292 wrote to memory of 1312 1292 client.exe net.exe PID 1292 wrote to memory of 1312 1292 client.exe net.exe PID 1292 wrote to memory of 1312 1292 client.exe net.exe PID 1312 wrote to memory of 1412 1312 net.exe net1.exe PID 1312 wrote to memory of 1412 1312 net.exe net1.exe PID 1312 wrote to memory of 1412 1312 net.exe net1.exe PID 1312 wrote to memory of 1412 1312 net.exe net1.exe PID 1292 wrote to memory of 1444 1292 client.exe net.exe PID 1292 wrote to memory of 1444 1292 client.exe net.exe PID 1292 wrote to memory of 1444 1292 client.exe net.exe PID 1292 wrote to memory of 1444 1292 client.exe net.exe PID 1444 wrote to memory of 1560 1444 net.exe net1.exe PID 1444 wrote to memory of 1560 1444 net.exe net1.exe PID 1444 wrote to memory of 1560 1444 net.exe net1.exe PID 1444 wrote to memory of 1560 1444 net.exe net1.exe PID 1292 wrote to memory of 288 1292 client.exe net.exe PID 1292 wrote to memory of 288 1292 client.exe net.exe PID 1292 wrote to memory of 288 1292 client.exe net.exe PID 1292 wrote to memory of 288 1292 client.exe net.exe PID 288 wrote to memory of 900 288 net.exe net1.exe PID 288 wrote to memory of 900 288 net.exe net1.exe PID 288 wrote to memory of 900 288 net.exe net1.exe PID 288 wrote to memory of 900 288 net.exe net1.exe PID 1292 wrote to memory of 376 1292 client.exe net.exe PID 1292 wrote to memory of 376 1292 client.exe net.exe PID 1292 wrote to memory of 376 1292 client.exe net.exe PID 1292 wrote to memory of 376 1292 client.exe net.exe PID 376 wrote to memory of 324 376 net.exe net1.exe PID 376 wrote to memory of 324 376 net.exe net1.exe PID 376 wrote to memory of 324 376 net.exe net1.exe PID 376 wrote to memory of 324 376 net.exe net1.exe PID 1292 wrote to memory of 752 1292 client.exe net.exe PID 1292 wrote to memory of 752 1292 client.exe net.exe PID 1292 wrote to memory of 752 1292 client.exe net.exe PID 1292 wrote to memory of 752 1292 client.exe net.exe PID 752 wrote to memory of 1064 752 net.exe net1.exe PID 752 wrote to memory of 1064 752 net.exe net1.exe PID 752 wrote to memory of 1064 752 net.exe net1.exe PID 752 wrote to memory of 1064 752 net.exe net1.exe PID 1292 wrote to memory of 1044 1292 client.exe net.exe PID 1292 wrote to memory of 1044 1292 client.exe net.exe PID 1292 wrote to memory of 1044 1292 client.exe net.exe PID 1292 wrote to memory of 1044 1292 client.exe net.exe PID 1044 wrote to memory of 1520 1044 net.exe net1.exe PID 1044 wrote to memory of 1520 1044 net.exe net1.exe PID 1044 wrote to memory of 1520 1044 net.exe net1.exe PID 1044 wrote to memory of 1520 1044 net.exe net1.exe PID 1292 wrote to memory of 1508 1292 client.exe net.exe PID 1292 wrote to memory of 1508 1292 client.exe net.exe PID 1292 wrote to memory of 1508 1292 client.exe net.exe PID 1292 wrote to memory of 1508 1292 client.exe net.exe PID 1508 wrote to memory of 1356 1508 net.exe net1.exe PID 1508 wrote to memory of 1356 1508 net.exe net1.exe PID 1508 wrote to memory of 1356 1508 net.exe net1.exe PID 1508 wrote to memory of 1356 1508 net.exe net1.exe PID 1292 wrote to memory of 1368 1292 client.exe net.exe PID 1292 wrote to memory of 1368 1292 client.exe net.exe PID 1292 wrote to memory of 1368 1292 client.exe net.exe PID 1292 wrote to memory of 1368 1292 client.exe net.exe PID 1368 wrote to memory of 1796 1368 net.exe net1.exe PID 1368 wrote to memory of 1796 1368 net.exe net1.exe PID 1368 wrote to memory of 1796 1368 net.exe net1.exe PID 1368 wrote to memory of 1796 1368 net.exe net1.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
client.exepid process 1292 client.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies service 2 TTPs 4 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
client.exepid process 1292 client.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1744 1292 WerFault.exe client.exe -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 1896 taskkill.exe 1092 taskkill.exe 1484 taskkill.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 1792 notepad.exe -
Runs net.exe
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 1772 vssadmin.exe 1764 vssadmin.exe 1072 vssadmin.exe 1540 vssadmin.exe 2040 vssadmin.exe 1336 vssadmin.exe 1784 vssadmin.exe 1320 vssadmin.exe 1032 vssadmin.exe 1512 vssadmin.exe 1580 vssadmin.exe 1944 vssadmin.exe 1408 vssadmin.exe 1504 vssadmin.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
client.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWerFault.exedescription pid process Token: SeDebugPrivilege 1292 client.exe Token: SeDebugPrivilege 1896 taskkill.exe Token: SeDebugPrivilege 1092 taskkill.exe Token: SeDebugPrivilege 1484 taskkill.exe Token: SeBackupPrivilege 756 vssvc.exe Token: SeRestorePrivilege 756 vssvc.exe Token: SeAuditPrivilege 756 vssvc.exe Token: SeDebugPrivilege 1744 WerFault.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 1744 WerFault.exe 1744 WerFault.exe 1744 WerFault.exe 1744 WerFault.exe 1744 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\client.exe"C:\Users\Admin\AppData\Local\Temp\client.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\arp.exe"arp" -a2⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 6042⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵