Resubmissions

11-09-2022 15:45

220911-s66x8sffap 10

21-10-2020 17:56

201021-l4bghzn2b2 10

Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    21-10-2020 17:56

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below potentialenergy@mail.ru Key Identifier: [removed] Number of files that were processed is: 406

Emails

potentialenergy@mail.ru

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 47 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
        PID:1852
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
        2⤵
          PID:1872
        • C:\Windows\system32\sc.exe
          "sc.exe" config SQLWriter start= disabled
          2⤵
            PID:1888
          • C:\Windows\system32\sc.exe
            "sc.exe" config SstpSvc start= disabled
            2⤵
              PID:1212
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
              2⤵
                PID:1876
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM mspub.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1800
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM mydesktopqos.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1660
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1668
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM mysqld.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1552
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM sqbcoreservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1572
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM firefoxconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1916
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM agntsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1928
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM thebat.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2016
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM steam.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1980
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM encsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:828
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM excel.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1272
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM CNTAoSMgr.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:856
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM sqlwriter.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2040
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM tbirdconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1408
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM dbeng50.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:968
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM thebat64.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:672
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM ocomm.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1688
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM infopath.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1420
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM mbamtray.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:396
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM zoolz.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:112
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" IM thunderbird.exe /F
                2⤵
                • Kills process with taskkill
                PID:624
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM dbsnmp.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1820
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM xfssvccon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1084
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM mspub.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1564
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM Ntrtscan.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1804
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM isqlplussvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2052
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM onenote.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2084
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM PccNTMon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2124
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM msaccess.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2164
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM outlook.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2200
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM tmlisten.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2216
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM msftesql.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2248
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM powerpnt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2264
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM mydesktopqos.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2288
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM visio.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2340
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2364
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM winword.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2392
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM mysqld-nt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2424
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM wordpad.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2468
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM mysqld-opt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2496
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM ocautoupds.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2520
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM ocssd.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2536
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM oracle.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2564
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM sqlagent.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2588
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM sqlbrowser.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2612
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM sqlservr.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2636
              • C:\Windows\system32\taskkill.exe
                "taskkill.exe" /IM synctime.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2672
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2696
              • C:\Windows\System32\notepad.exe
                "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
                2⤵
                • Opens file in notepad (likely ransom note)
                PID:1372
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                2⤵
                  PID:1080
                  • C:\Windows\system32\PING.EXE
                    ping 127.0.0.7 -n 3
                    3⤵
                    • Runs ping.exe
                    PID:2632
                  • C:\Windows\system32\fsutil.exe
                    fsutil file setZeroData offset=0 length=524288 “%s”
                    3⤵
                      PID:3900
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
                    2⤵
                    • Deletes itself
                    PID:1856
                    • C:\Windows\system32\choice.exe
                      choice /C Y /N /D Y /T 3
                      3⤵
                        PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081) 1
  • Discovery
    System Information Discovery (T1082) 1
    Remote System Discovery (T1018) 1
  • Collection
    Data from Local System (T1005) 1


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5 1a4147f7e232ed003611eb4fc17ed0b8
    SHA1 60c2e8ff1cc718316ff3a1cb2ba82ba372d848d3
    SHA256 379a636cc636f401612333ef987656defd7be9a80fa4718cb5b81c786fcb9160
    SHA512 54e4327974ed657f01e6e08261379633532b51029f73851ac74d0c7f29c8d45328563311b4e6d88c6d59046314031f652edfbb3a3cad939da731561b7954eb70

  • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
    MD5 959a8cd3f017d8a1dcdc25c218d73de3
    SHA1 7e86f45508db66c4421a7ca95b9436dba8f2ab28
    SHA256 87dd03a96b94afeac8fac544c71467550680fe6ced239bbc6dd368357c67f894
    SHA512 cbb39c3adfd749a25e7daf2a5bf0077b3695bcb892c682433a701897410e9da46419b122c435aee20fbdb48dfc2baef9b663ade387a76f05f0a2c8eab6239e6f
