Analysis
-
max time kernel
127s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:50
General
-
Target
4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe
-
Size
423KB
-
MD5
055c2fba242d03ae153be4a796c55ae2
-
SHA1
be71b94e30d5465d8b72e1fc7c0137024f97baee
-
SHA256
4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024
-
SHA512
20b31f6db488d26c1f7564106e455a77461e8a9934718e72c6c917e3ec688a9a597a05f1b93584fd88d3e867f09a470eb90094e27c2525939894973d31498890
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
Family
hakbit
Ransom Note
Atention! all your important files were encrypted!
to get your files back send 0.5 Bitcoins and contact us with proof of payment and your Unique Identifier Key.
We will send you a decryption tool with your personal decryption password.
Where can you buy Bitcoins:
https://www.coinbase.com
https://localbitcoins.com
Contact: daaaataaaaa@protonmail.com.
Bitcoin wallet to make the transfer to is:1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9
Unique Identifier Key (must be sent to us together with proof of payment):
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
gH111l6/O6LnM/ocMWRjanz1ZLrBQzcWKIuj3CipZFUoo6csPEHMThHFESnc6N8aQ6Dz0ZVo8Gr7Gfszc7tdGQgXngHyl73du+RToEvJC5YkzPuddJrd4R579LIKmY/bxbnIhAyxqmENmZ+cZl0bW3aQaokqWf5rlPI3OEHaLUL5+TOHRTW/oUuByuccUbOMB15iT/E6x+35VIqhTT3y2ztl7X/hjePeLiu6R5rR7bbBCuwsPXvYjjKrOHEZgWYlVcSJuoRIiptTStp6wxx6hB6XNNVlVehZxFwLrxf0k7LSZOKWJL5O1oG8/I2S49XrpzE6bIRVj+piw96g1s8bZg==
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Number of files that you could have potentially lost forever can be as high as: 233
Emails
daaaataaaaa@protonmail.com
Wallets
1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9
Signatures
-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Modifies service 2 TTPs 5 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 3 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 68 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe"C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe"1⤵
- Modifies extensions of user files
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe2⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txtMD5
c3d7ad70d1db9656197cee62e76604fe
SHA1b3cf90792c300abc1a0a0bca43147a62bda2905d
SHA256e19ed60af8e949958b60caf007c5d0f29d9e35387e0149196fbb7737cafe60cd
SHA512d4fb9ea7ff4568732989f52a4ed3b7a927c6b717992d70cdb919b243701e6535dd6e50e695fecb147692835dc0900cdef9dbd9dbb22a03163b7038880bc52174
-
memory/192-26-0x0000000000000000-mapping.dmp
-
memory/352-15-0x0000000000000000-mapping.dmp
-
memory/416-4-0x0000000000000000-mapping.dmp
-
memory/420-13-0x0000000000000000-mapping.dmp
-
memory/744-5-0x0000000000000000-mapping.dmp
-
memory/808-14-0x0000000000000000-mapping.dmp
-
memory/1096-29-0x0000000000000000-mapping.dmp
-
memory/1120-16-0x0000000000000000-mapping.dmp
-
memory/1316-17-0x0000000000000000-mapping.dmp
-
memory/1372-34-0x0000000000000000-mapping.dmp
-
memory/1504-28-0x0000000000000000-mapping.dmp
-
memory/1780-18-0x0000000000000000-mapping.dmp
-
memory/2152-21-0x0000000000000000-mapping.dmp
-
memory/2476-27-0x0000000000000000-mapping.dmp
-
memory/2544-25-0x0000000000000000-mapping.dmp
-
memory/2548-32-0x0000000000000000-mapping.dmp
-
memory/2596-24-0x0000000000000000-mapping.dmp
-
memory/2720-22-0x0000000000000000-mapping.dmp
-
memory/3364-31-0x0000000000000000-mapping.dmp
-
memory/3484-3-0x0000000000000000-mapping.dmp
-
memory/3644-23-0x0000000000000000-mapping.dmp
-
memory/3848-8-0x0000000000000000-mapping.dmp
-
memory/4016-20-0x0000000000000000-mapping.dmp
-
memory/4052-36-0x0000000000000000-mapping.dmp
-
memory/4068-9-0x0000000000000000-mapping.dmp
-
memory/4176-10-0x0000000000000000-mapping.dmp
-
memory/4204-11-0x0000000000000000-mapping.dmp
-
memory/4244-6-0x0000000000000000-mapping.dmp
-
memory/4312-33-0x0000000000000000-mapping.dmp
-
memory/4336-12-0x0000000000000000-mapping.dmp
-
memory/4400-7-0x0000000000000000-mapping.dmp
-
memory/4424-37-0x0000000000000000-mapping.dmp
-
memory/4428-19-0x0000000000000000-mapping.dmp
-
memory/4668-30-0x0000000000000000-mapping.dmp
-
memory/4772-0-0x00007FFF465C0000-0x00007FFF46FAC000-memory.dmpFilesize
9.9MB
-
memory/4772-1-0x0000000000360000-0x0000000000361000-memory.dmpFilesize
4KB