Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024
Size

423KB
Sample

201109-jzbbrsex6s
MD5

055c2fba242d03ae153be4a796c55ae2
SHA1

be71b94e30d5465d8b72e1fc7c0137024f97baee
SHA256

4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024
SHA512

20b31f6db488d26c1f7564106e455a77461e8a9934718e72c6c917e3ec688a9a597a05f1b93584fd88d3e867f09a470eb90094e27c2525939894973d31498890

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 0.5 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: daaaataaaaa@protonmail.com. Bitcoin wallet to make the transfer to is:1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9 Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ f+da7m2Qi+R5KKZiUmIbcO7YevBDfyOSy1bczkoXHfchkAZl8tqyez06PbyKjf1uTpHIATQvH1S8Kfi37BNbJdNBdWZLIoznDlbJ0T/4q+d9FmpAFWt3wxX69Y4wIXabqOG9Bi1lz+a/q69ve6ZG4ODsYhjJ7p0CInu8NKLlE0XvKviRY7s4Rm7LS/d5YNL/ONAPkXALnXQc4J6NlKDgoKrY969tjxzyky5ZBHmvnjibtUjmzo+FTdfMKBq0unmT3pkwyHme9abYH3wSipGQkQpsezmimeRvOLaTT77dxO6xJ7/6pFKZoTZq7IvOkSjGSuKTN3SdAobITUknEpS1Iw== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: 104

Emails

daaaataaaaa@protonmail.com

Wallets

1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 0.5 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: daaaataaaaa@protonmail.com. Bitcoin wallet to make the transfer to is:1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9 Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ gH111l6/O6LnM/ocMWRjanz1ZLrBQzcWKIuj3CipZFUoo6csPEHMThHFESnc6N8aQ6Dz0ZVo8Gr7Gfszc7tdGQgXngHyl73du+RToEvJC5YkzPuddJrd4R579LIKmY/bxbnIhAyxqmENmZ+cZl0bW3aQaokqWf5rlPI3OEHaLUL5+TOHRTW/oUuByuccUbOMB15iT/E6x+35VIqhTT3y2ztl7X/hjePeLiu6R5rR7bbBCuwsPXvYjjKrOHEZgWYlVcSJuoRIiptTStp6wxx6hB6XNNVlVehZxFwLrxf0k7LSZOKWJL5O1oG8/I2S49XrpzE6bIRVj+piw96g1s8bZg== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: 233

Emails

daaaataaaaa@protonmail.com

Wallets

1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9

Targets

- Target
  
  4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024
- Size
  
  423KB
- MD5
  
  055c2fba242d03ae153be4a796c55ae2
- SHA1
  
  be71b94e30d5465d8b72e1fc7c0137024f97baee
- SHA256
  
  4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024
- SHA512
  
  20b31f6db488d26c1f7564106e455a77461e8a9934718e72c6c917e3ec688a9a597a05f1b93584fd88d3e867f09a470eb90094e27c2525939894973d31498890
Score

10^/10

hakbit evasion persistence ransomware spyware
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
  ransomware hakbit
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- Modifies service
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Inhibit System Recovery

T1490

Initial Access

Lateral Movement

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Hakbit

Deletes shadow copies

Disables Task Manager via registry modification

Modifies extensions of user files

Deletes itself

Reads user/profile data of web browsers

Enumerates connected drives

Modifies WinLogon

Modifies service

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2