Resubmissions

22-11-2023 17:02

231122-vkac9adg64 10

19-01-2021 19:24

210119-s26yznnqsn 10

19-11-2020 13:14

201119-s41ec6lt86 10

Analysis

  • max time kernel
    305s
  • max time network
    381s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-11-2020 13:14

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: oXDGKQK45IR5DjQ7fqtBGO8nBjmz9kOrbn2wtKMU/UeKZv0atyEJ6RZxPHpG9nbHu2NGCX+2HM74L5ypLubectZpjfoeR6qkCU1CSGblmAonaWgskRIjRylm2/JTFPh6I5qDpyNT9DceakbVn2BUfljaPrHoyNKTGcMsFqEqi/y5NB3i7211ksgJi3K9u5LCvsIcWqW8PvgNy0Ah+QPo/PMDGEESCWxlwApisTVcPjUd2UOTR0DhvT54wCET5inxnbxTSBTuZfUjIi2Y6jbKkL/hRiK4nApLH8T+oTy5gFZaVbU8UNnoGY8weQZmLQrxO4YPYiRUkB/v9Hy2gAEf9Xa5bxLeH56XuoGBZgPtrnC0L4yTemHofZwwCK5SipB0NPEnv6mU07cKQtlBlUy1Y04eEsvK6BPnaz+J3whD2KH7xOL51D/Q5TKhavcv4gPF/9dcTTBgC8j3IHHXLdWSoNmtd5+VCWKZF77+dDl2EHsKsdXFay40pmGqlbmMcwO3qtxo4b3Yg3doocsv6h+rfm/QgG7ciNuVZpo1ybx58FTWH9XgaHAwqH+CEaverTzy7/G2QNIqY8qrhzyUagDT7oLf5k4fe1p1rU9CM6oVhjV+EiMtE4HecN5UmVsps9jBD1XRfYaGe7MD3BUQ6Wu5hbanfu8fXcx08sVyHeUBOW0= Number of files that were processed is: 1231

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 47 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
        PID:5104
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
        2⤵
          PID:3008
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
          2⤵
            PID:972
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config SQLWriter start= disabled
            2⤵
              PID:988
            • C:\Windows\SYSTEM32\sc.exe
              "sc.exe" config SstpSvc start= disabled
              2⤵
                PID:3544
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mspub.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:420
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopqos.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2792
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:724
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mysqld.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4308
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqbcoreservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3220
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM firefoxconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3860
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM agntsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4200
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM thebat.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4196
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM steam.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4348
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM encsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:652
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM excel.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:980
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM CNTAoSMgr.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1104
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlwriter.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1608
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM tbirdconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1804
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM dbeng50.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1092
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM thebat64.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2268
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM ocomm.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2456
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM infopath.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2960
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mbamtray.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4460
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM zoolz.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2004
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" IM thunderbird.exe /F
                2⤵
                • Kills process with taskkill
                PID:4552
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM dbsnmp.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4624
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM xfssvccon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3644
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mspub.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4752
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM Ntrtscan.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4736
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM isqlplussvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:200
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM onenote.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3816
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM PccNTMon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4680
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM msaccess.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1392
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM outlook.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2788
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM tmlisten.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2040
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM msftesql.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3948
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM powerpnt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5112
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopqos.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3712
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM visio.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4152
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3624
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM winword.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3192
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mysqld-nt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4204
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM wordpad.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3800
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mysqld-opt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:616
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM ocautoupds.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4456
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM ocssd.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1676
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM oracle.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4292
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlagent.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4468
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlbrowser.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2784
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlservr.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5040
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM synctime.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4220
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3544
              • C:\Windows\System32\notepad.exe
                "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
                2⤵
                • Opens file in notepad (likely ransom note)
                • Suspicious use of FindShellTrayWindow
                PID:4528
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                2⤵
                  PID:616
                  • C:\Windows\system32\PING.EXE
                    ping 127.0.0.7 -n 3
                    3⤵
                    • Runs ping.exe
                    PID:3336
                  • C:\Windows\system32\fsutil.exe
                    fsutil file setZeroData offset=0 length=524288 “%s”
                    3⤵
                      PID:5816
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
                    2⤵
                      PID:4204
                      • C:\Windows\system32\choice.exe
                        choice /C Y /N /D Y /T 3
                        3⤵
                          PID:4748

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Credential Access

                    Credentials in Files

                    1
                    T1081

                    Discovery

                    System Information Discovery

                    1
                    T1082

                    Remote System Discovery

                    1
                    T1018

                    Collection

                    Data from Local System

                    1
                    T1005

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      MD5

                      c6b0a774fa56e0169ed7bb7b25c114dd

                      SHA1

                      bcdba7d4ecfff2180510850e585b44691ea81ba5

                      SHA256

                      b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

                      SHA512

                      42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      MD5

                      2a84a6a6c326f285e6e21096b12bd969

                      SHA1

                      9be8d1dc219dc1cfda315acf8680af06173cf696

                      SHA256

                      f67d9a6332817ae22e0000b3a6ac0b4b5369802bfb935a3e8cdb75668bcd9776

                      SHA512

                      a2503237b630c1df259791c7060942c14698274772ffd3d89ba92e96fca3daa25e27fae8fcb53766cfd6e5fb2adbc83a9cf62ceb722bb505e603c54eb3f66931

                    • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
                      MD5

                      1be2f1bf18c999a73d0e09f1f05caf69

                      SHA1

                      b6ce5de5c5f12d43ab2378fc291b097a82b65d9f

                      SHA256

                      b3afeebc76faaeeb1fd7694c1cd40e41e71bae5173049d26f6439b3721080621

                      SHA512

                      ff38872c3d32fb9590d13678e771d6babeb37a670957d658c4450252b7767f89db291c7d1d4f271367d3e70367b5010a1346f02b89d83f86cf60b4245a45cd87

                    • memory/200-33-0x0000000000000000-mapping.dmp
                    • memory/420-8-0x0000000000000000-mapping.dmp
                    • memory/616-62-0x0000000000000000-mapping.dmp
                    • memory/616-47-0x0000000000000000-mapping.dmp
                    • memory/652-17-0x0000000000000000-mapping.dmp
                    • memory/724-10-0x0000000000000000-mapping.dmp
                    • memory/972-5-0x0000000000000000-mapping.dmp
                    • memory/980-18-0x0000000000000000-mapping.dmp
                    • memory/988-6-0x0000000000000000-mapping.dmp
                    • memory/1092-22-0x0000000000000000-mapping.dmp
                    • memory/1104-19-0x0000000000000000-mapping.dmp
                    • memory/1392-36-0x0000000000000000-mapping.dmp
                    • memory/1608-20-0x0000000000000000-mapping.dmp
                    • memory/1676-49-0x0000000000000000-mapping.dmp
                    • memory/1804-21-0x0000000000000000-mapping.dmp
                    • memory/2004-27-0x0000000000000000-mapping.dmp
                    • memory/2040-38-0x0000000000000000-mapping.dmp
                    • memory/2268-23-0x0000000000000000-mapping.dmp
                    • memory/2456-24-0x0000000000000000-mapping.dmp
                    • memory/2784-52-0x0000000000000000-mapping.dmp
                    • memory/2788-37-0x0000000000000000-mapping.dmp
                    • memory/2792-9-0x0000000000000000-mapping.dmp
                    • memory/2960-25-0x0000000000000000-mapping.dmp
                    • memory/3008-4-0x0000000000000000-mapping.dmp
                    • memory/3192-44-0x0000000000000000-mapping.dmp
                    • memory/3220-12-0x0000000000000000-mapping.dmp
                    • memory/3336-65-0x0000000000000000-mapping.dmp
                    • memory/3544-56-0x00007FF9427B0000-0x00007FF94319C000-memory.dmp
                      Filesize

                      9.9MB

                    • memory/3544-55-0x0000000000000000-mapping.dmp
                    • memory/3544-57-0x000002B679AD0000-0x000002B679AD1000-memory.dmp
                      Filesize

                      4KB

                    • memory/3544-58-0x000002B679C80000-0x000002B679C81000-memory.dmp
                      Filesize

                      4KB

                    • memory/3544-7-0x0000000000000000-mapping.dmp
                    • memory/3624-43-0x0000000000000000-mapping.dmp
                    • memory/3644-30-0x0000000000000000-mapping.dmp
                    • memory/3712-41-0x0000000000000000-mapping.dmp
                    • memory/3800-46-0x0000000000000000-mapping.dmp
                    • memory/3816-34-0x0000000000000000-mapping.dmp
                    • memory/3860-13-0x0000000000000000-mapping.dmp
                    • memory/3948-39-0x0000000000000000-mapping.dmp
                    • memory/4152-42-0x0000000000000000-mapping.dmp
                    • memory/4196-15-0x0000000000000000-mapping.dmp
                    • memory/4200-14-0x0000000000000000-mapping.dmp
                    • memory/4204-45-0x0000000000000000-mapping.dmp
                    • memory/4204-63-0x0000000000000000-mapping.dmp
                    • memory/4220-54-0x0000000000000000-mapping.dmp
                    • memory/4292-50-0x0000000000000000-mapping.dmp
                    • memory/4308-11-0x0000000000000000-mapping.dmp
                    • memory/4348-16-0x0000000000000000-mapping.dmp
                    • memory/4456-48-0x0000000000000000-mapping.dmp
                    • memory/4460-26-0x0000000000000000-mapping.dmp
                    • memory/4468-51-0x0000000000000000-mapping.dmp
                    • memory/4528-61-0x0000000000000000-mapping.dmp
                    • memory/4552-28-0x0000000000000000-mapping.dmp
                    • memory/4624-29-0x0000000000000000-mapping.dmp
                    • memory/4680-35-0x0000000000000000-mapping.dmp
                    • memory/4736-32-0x0000000000000000-mapping.dmp
                    • memory/4748-66-0x0000000000000000-mapping.dmp
                    • memory/4752-31-0x0000000000000000-mapping.dmp
                    • memory/4764-0-0x00007FF9427B0000-0x00007FF94319C000-memory.dmp
                      Filesize

                      9.9MB

                    • memory/4764-1-0x00000000003E0000-0x00000000003E1000-memory.dmp
                      Filesize

                      4KB

                    • memory/5040-53-0x0000000000000000-mapping.dmp
                    • memory/5104-3-0x0000000000000000-mapping.dmp
                    • memory/5112-40-0x0000000000000000-mapping.dmp
                    • memory/5816-67-0x0000000000000000-mapping.dmp