Overview

overview

10

Static

static

4984825fb2...24.exe

windows7_x64

10

4984825fb2...24.exe

windows10_x64

10

Analysis

  • max time kernel
    45s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe

  • Size

    423KB

  • MD5

    055c2fba242d03ae153be4a796c55ae2

  • SHA1

    be71b94e30d5465d8b72e1fc7c0137024f97baee

  • SHA256

    4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024

  • SHA512

    20b31f6db488d26c1f7564106e455a77461e8a9934718e72c6c917e3ec688a9a597a05f1b93584fd88d3e867f09a470eb90094e27c2525939894973d31498890

Score
10/10
hakbitevasionpersistenceransomwarespyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 0.5 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: [email protected]. Bitcoin wallet to make the transfer to is:1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9 Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ f+da7m2Qi+R5KKZiUmIbcO7YevBDfyOSy1bczkoXHfchkAZl8tqyez06PbyKjf1uTpHIATQvH1S8Kfi37BNbJdNBdWZLIoznDlbJ0T/4q+d9FmpAFWt3wxX69Y4wIXabqOG9Bi1lz+a/q69ve6ZG4ODsYhjJ7p0CInu8NKLlE0XvKviRY7s4Rm7LS/d5YNL/ONAPkXALnXQc4J6NlKDgoKrY969tjxzyky5ZBHmvnjibtUjmzo+FTdfMKBq0unmT3pkwyHme9abYH3wSipGQkQpsezmimeRvOLaTT77dxO6xJ7/6pFKZoTZq7IvOkSjGSuKTN3SdAobITUknEpS1Iw== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: 104
Wallets

1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 3 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 102 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe
    "C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe"
    1⤵
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\system32\net.exe
      "net.exe" stop avpsus /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
        3⤵
          PID:1956
      • C:\Windows\system32\net.exe
        "net.exe" stop McAfeeDLPAgentService /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
          3⤵
            PID:1772
        • C:\Windows\system32\net.exe
          "net.exe" stop mfewc /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop mfewc /y
            3⤵
              PID:1768
          • C:\Windows\system32\net.exe
            "net.exe" stop BMR Boot Service /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1804
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop BMR Boot Service /y
              3⤵
                PID:1660
            • C:\Windows\system32\net.exe
              "net.exe" stop NetBackup BMR MTFTP Service /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1536
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
                3⤵
                  PID:1692
              • C:\Windows\system32\sc.exe
                "sc.exe" config SQLTELEMETRY start= disabled
                2⤵
                  PID:1640
                • C:\Windows\system32\sc.exe
                  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                  2⤵
                    PID:700
                  • C:\Windows\system32\sc.exe
                    "sc.exe" config SQLWriter start= disabled
                    2⤵
                      PID:1256
                    • C:\Windows\system32\sc.exe
                      "sc.exe" config SstpSvc start= disabled
                      2⤵
                        PID:1044
                      • C:\Windows\system32\taskkill.exe
                        "taskkill.exe" /IM mspub.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:560
                      • C:\Windows\system32\taskkill.exe
                        "taskkill.exe" /IM mydesktopqos.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1300
                      • C:\Windows\system32\taskkill.exe
                        "taskkill.exe" /IM mydesktopservice.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1220
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" Delete Shadows /all /quiet
                        2⤵
                        • Interacts with shadow copies
                        PID:1956
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
                        2⤵
                        • Interacts with shadow copies
                        PID:944
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
                        2⤵
                        • Interacts with shadow copies
                        PID:876
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1088
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:2012
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1728
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:836
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1772
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1920
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1476
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1076
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1972
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:464
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" Delete Shadows /all /quiet
                        2⤵
                        • Interacts with shadow copies
                        PID:608
                      • C:\Windows\System32\notepad.exe
                        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
                        2⤵
                        • Opens file in notepad (likely ransom note)
                        PID:232
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe
                        2⤵
                        • Deletes itself
                        PID:1696
                        • C:\Windows\system32\choice.exe
                          choice /C Y /N /D Y /T 3
                          3⤵
                            PID:608
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                        • Modifies service
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1512

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/1824-0-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/1824-1-0x0000000000170000-0x0000000000171000-memory.dmp

                        Filesize

                        4KB

                        Download