hakbit | b99e0b750b3815fec3b292ede3f94524c8bede7d158334295e096518e9cde0ad

General

Target

AVTK_Win_Sybari.exe
Size

62KB
MD5

d5edd6b32296d1cee4829fb1499c8759
SHA1

b7f33bd8aeb6cdd59cbf88802938c6efc0108829
SHA256

b99e0b750b3815fec3b292ede3f94524c8bede7d158334295e096518e9cde0ad
SHA512

8f320e8461691572dbe21f7ae4d96f067e4d2fb228de8c9b3be5325d43905d637438fd5aaed14e603ef73bb79b47d20e650dfb4b27dad74140a703a629884bf5

Score

10^/10

ransomware hakbit persistence spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 1 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: torsec1@secmail.pro agarrard@protonmail.com Bitcoin wallet to make the transfer to is: 1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ n4oC8V5pUjJ61XDU0XZo7S+2HV88Z+URAxPv7zEZsXchYOENWei2gK1g2Uk8m+0YKXrrQZ+6QjlXhMa/uEoAj8YK4T7nwDQaLZOG5vZr/btKFeZCKgZupLrISRA87jYL2gNt0fqe0Db0w5LYP5mSs+v6w7DslwJw5BtAeCVHbpz2ZL9v1jy+dD2asYjCwNsnfCqSa0H2h+IV8cBbZcgqUq08Cu2hZpv7VA7bjcT08pS2XesLojQ/X06v5ktwYgKapc/0eaAxEbbkUk80+4cbt/1qbqCSPGfJkDJ6Su55EoOVZc7I27c7l4Bx9tJGgsqBvuAurFWtTvsey8D+N+dg2A== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Emails

torsec1@secmail.pro

agarrard@protonmail.com

Signatures

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1668 notepad.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
1668	notepad.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2439 IoCs

Processes:

AVTK_Win_Sybari.exe

pid	process
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe
3904	AVTK_Win_Sybari.exe

Runs net.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

AVTK_Win_Sybari.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3904	AVTK_Win_Sybari.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	344	taskkill.exe
Token: SeBackupPrivilege	2316	vssvc.exe
Token: SeRestorePrivilege	2316	vssvc.exe
Token: SeAuditPrivilege	2316	vssvc.exe

Suspicious use of WriteProcessMemory 70 IoCs

Processes:

AVTK_Win_Sybari.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3904 wrote to memory of 3876	3904	AVTK_Win_Sybari.exe	net.exe
PID 3904 wrote to memory of 3876	3904	AVTK_Win_Sybari.exe	net.exe
PID 3876 wrote to memory of 3828	3876	net.exe	net1.exe
PID 3876 wrote to memory of 3828	3876	net.exe	net1.exe
PID 3904 wrote to memory of 2564	3904	AVTK_Win_Sybari.exe	net.exe
PID 3904 wrote to memory of 2564	3904	AVTK_Win_Sybari.exe	net.exe
PID 2564 wrote to memory of 2612	2564	net.exe	net1.exe
PID 2564 wrote to memory of 2612	2564	net.exe	net1.exe
PID 3904 wrote to memory of 3284	3904	AVTK_Win_Sybari.exe	net.exe
PID 3904 wrote to memory of 3284	3904	AVTK_Win_Sybari.exe	net.exe
PID 3284 wrote to memory of 3352	3284	net.exe	net1.exe
PID 3284 wrote to memory of 3352	3284	net.exe	net1.exe
PID 3904 wrote to memory of 3428	3904	AVTK_Win_Sybari.exe	net.exe
PID 3904 wrote to memory of 3428	3904	AVTK_Win_Sybari.exe	net.exe
PID 3428 wrote to memory of 1708	3428	net.exe	net1.exe
PID 3428 wrote to memory of 1708	3428	net.exe	net1.exe
PID 3904 wrote to memory of 1552	3904	AVTK_Win_Sybari.exe	net.exe
PID 3904 wrote to memory of 1552	3904	AVTK_Win_Sybari.exe	net.exe
PID 1552 wrote to memory of 364	1552	net.exe	net1.exe
PID 1552 wrote to memory of 364	1552	net.exe	net1.exe
PID 3904 wrote to memory of 1956	3904	AVTK_Win_Sybari.exe	sc.exe
PID 3904 wrote to memory of 1956	3904	AVTK_Win_Sybari.exe	sc.exe
PID 3904 wrote to memory of 2904	3904	AVTK_Win_Sybari.exe	sc.exe
PID 3904 wrote to memory of 2904	3904	AVTK_Win_Sybari.exe	sc.exe
PID 3904 wrote to memory of 796	3904	AVTK_Win_Sybari.exe	sc.exe
PID 3904 wrote to memory of 796	3904	AVTK_Win_Sybari.exe	sc.exe
PID 3904 wrote to memory of 752	3904	AVTK_Win_Sybari.exe	sc.exe
PID 3904 wrote to memory of 752	3904	AVTK_Win_Sybari.exe	sc.exe
PID 3904 wrote to memory of 3832	3904	AVTK_Win_Sybari.exe	taskkill.exe
PID 3904 wrote to memory of 3832	3904	AVTK_Win_Sybari.exe	taskkill.exe
PID 3904 wrote to memory of 1852	3904	AVTK_Win_Sybari.exe	taskkill.exe
PID 3904 wrote to memory of 1852	3904	AVTK_Win_Sybari.exe	taskkill.exe
PID 3904 wrote to memory of 344	3904	AVTK_Win_Sybari.exe	taskkill.exe
PID 3904 wrote to memory of 344	3904	AVTK_Win_Sybari.exe	taskkill.exe
PID 3904 wrote to memory of 3688	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3688	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 748	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 748	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3756	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3756	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3456	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3456	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3724	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3724	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 508	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 508	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 256	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 256	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 1752	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 1752	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3896	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3896	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 4004	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 4004	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3448	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3448	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 540	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 540	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3948	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3948	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 252	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 252	3904	AVTK_Win_Sybari.exe	vssadmin.exe
PID 3904 wrote to memory of 3784	3904	AVTK_Win_Sybari.exe	arp.exe
PID 3904 wrote to memory of 3784	3904	AVTK_Win_Sybari.exe	arp.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3832 taskkill.exe
1852 taskkill.exe
344 taskkill.exe

pid	process
3832	taskkill.exe
1852	taskkill.exe
344	taskkill.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
3896	vssadmin.exe
3448	vssadmin.exe
256	vssadmin.exe
3948	vssadmin.exe
3688	vssadmin.exe
3456	vssadmin.exe
3724	vssadmin.exe
1752	vssadmin.exe
4004	vssadmin.exe
748	vssadmin.exe
3756	vssadmin.exe
508	vssadmin.exe
540	vssadmin.exe
252	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\AVTK_Win_Sybari.exe
"C:\Users\Admin\AppData\Local\Temp\AVTK_Win_Sybari.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:3828

C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:2612

C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:3352

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:1708

C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:364

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1956

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:2904

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:796

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:752

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:3832

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1852

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:344

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3688

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:748

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:3756

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:3456

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:3724

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:508

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:256

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1752

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:3896

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:4004

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:3448

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:540

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:3948

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:252

C:\Windows\SYSTEM32\arp.exe
"arp" -a
2⤵
PID:3784

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\AVTK_Win_Sybari.exe
2⤵
PID:1824