Resubmissions

11-09-2022 15:45

220911-s66x8sffap 10

21-10-2020 17:56

201021-l4bghzn2b2 10

Analysis

  • max time kernel
    136s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    21-10-2020 17:56

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below potentialenergy@mail.ru Key Identifier: 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 Number of files that were processed is: 1230
Emails

potentialenergy@mail.ru

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 47 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
        PID:3924
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
        2⤵
          PID:2172
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
          2⤵
            PID:3160
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config SQLWriter start= disabled
            2⤵
              PID:512
            • C:\Windows\SYSTEM32\sc.exe
              "sc.exe" config SstpSvc start= disabled
              2⤵
                PID:2976
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mspub.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:820
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopqos.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1060
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1192
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mysqld.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1544
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqbcoreservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1892
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM firefoxconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2584
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM agntsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3216
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM thebat.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3352
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM steam.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2240
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM encsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3816
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM excel.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2188
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM CNTAoSMgr.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1992
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlwriter.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2156
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM tbirdconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4124
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM dbeng50.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4176
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM thebat64.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4260
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM ocomm.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4300
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM infopath.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4400
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mbamtray.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4460
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM zoolz.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4532
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" IM thunderbird.exe /F
                2⤵
                • Kills process with taskkill
                PID:4560
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM dbsnmp.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4600
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM xfssvccon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4632
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mspub.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4696
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM Ntrtscan.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4820
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM isqlplussvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4856
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM onenote.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4888
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM PccNTMon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4944
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM msaccess.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2532
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM outlook.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4244
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM tmlisten.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1236
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM msftesql.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4648
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM powerpnt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4848
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopqos.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4196
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM visio.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:644
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5148
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM winword.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5196
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mysqld-nt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5224
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM wordpad.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5256
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mysqld-opt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5384
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM ocautoupds.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5428
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM ocssd.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5480
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM oracle.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5524
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlagent.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5564
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlbrowser.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5588
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlservr.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5628
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM synctime.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5676
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:5772
              • C:\Windows\System32\notepad.exe
                "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
                2⤵
                • Opens file in notepad (likely ransom note)
                • Suspicious use of FindShellTrayWindow
                PID:5964
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                2⤵
                  PID:5764
                  • C:\Windows\system32\PING.EXE
                    ping 127.0.0.7 -n 3
                    3⤵
                    • Runs ping.exe
                    PID:5960
                  • C:\Windows\system32\fsutil.exe
                    fsutil file setZeroData offset=0 length=524288 “%s”
                    3⤵
                      PID:5488
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
                    2⤵
                      PID:5868
                      • C:\Windows\system32\choice.exe
                        choice /C Y /N /D Y /T 3
                        3⤵
                          PID:5980

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files 1 T1081
  • Discovery
    System Information Discovery 1 T1082
    Remote System Discovery 1 T1018
  • Collection
    Data from Local System 1 T1005


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5
    c6b0a774fa56e0169ed7bb7b25c114dd
    SHA1
    bcdba7d4ecfff2180510850e585b44691ea81ba5
    SHA256
    b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9
    SHA512
    42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5
    3197ae8a27c9cfd9b5a16714b1e85c2f
    SHA1
    4a4c11ce61be1ac12fc5426b4cdb2d64f9548b6f
    SHA256
    bd5654dec9e9780a30d32d2fa011a7064097abc6a6ee0b92d8c65ad2b1b1415c
    SHA512
    4233a5a77ccd1a072db58b164219ab8c10d49c540ad4afcd44b7d28ef42d1b8cf7c4864025aa067f10e3f98911ae438832607f50c9a29e093331c3cc26d7bb3d

  • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
    MD5
    29f3da88069970b8303038682efd3a08
    SHA1
    4a690135809df6f594cca22efe4b9748a0f73cbf
    SHA256
    ecf076cf35c8cc03080b0124c52d3b936e10384978d4f26db57a499c82f63a1b
    SHA512
    c0d37705e3fe8f6395ff105e3377b8d0a052f124f7acdc173d6975ea1cc2fbc4ab149871f7a0b7cd6299c10b237b3b932e7a39f55055495422c066d162a1f6ae
