Malware sandboxing report by Hatching Triage

General

Target

81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample
Size

416KB
Sample

210726-dkhgywvv6j
MD5

21fa6ebdd397f14bbb68a4e3d012467e
SHA1

0ecff2f818565e7eb28d3a7b7d295459a868e920
SHA256

81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e
SHA512

368e0c8e973f2cf655ea8a69be07b29bc073b2855f6feb9130f5fa8569cfa8d094549ec5d7706c293f8b22ae8bb6ee1b7dd2f4c2d2ccff94e7435e36d966bf66

Score

10^/10

Malware Config

Extracted

Path	C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
Family	hakbit
Ransom Note	Atention! all your important files were encrypted! to get your files back send 0.5 Bitcoin and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: clearcuMc04997@gmail.com. Bitcoin wallet to make the transfer to is: 1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9 Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ E65AYAK6mjLjNU1PFnH5I2lcWyH7+Uam5gRz5U+/MAa9cu65qn0LA0i7EgjzTYP/hAvrvX8FQXy/JHcfFQOQCHIZVwxuvVBuqfStGZwOjG7FPVnfwYtbPExBtHXJSx+Vvji+sFeJ65jQGn/ah/CsSqtAa2YYDsUCRsxdAHm0gJXRGjLzqfLOSyOl15ebDW5C8WyBIfCxnH6jC0nAPYqfNzr81N4IplZyZu1xxrUpO7XDM1h5C5zJ/1LYeMVsFwSPFU8wyp6HzRwd6d3sLR2E2qq6xLvfFE8jzDp2Xxh1w1TPMXyR/mUYPuX9/PAVbMVH56JkGsTEnBwKMam8l9vuyA== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: 116
Emails	clearcuMc04997@gmail.com clearcuMc04997@gmail.com
Wallets	1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9 1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9

Targets

- Target
  
  81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample
- Size
  
  416KB
- MD5
  
  21fa6ebdd397f14bbb68a4e3d012467e
- SHA1
  
  0ecff2f818565e7eb28d3a7b7d295459a868e920
- SHA256
  
  81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e
- SHA512
  
  368e0c8e973f2cf655ea8a69be07b29bc073b2855f6feb9130f5fa8569cfa8d094549ec5d7706c293f8b22ae8bb6ee1b7dd2f4c2d2ccff94e7435e36d966bf66
Score

10^/10

hakbit evasion ransomware spyware stealer trojan
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
  ransomware hakbit
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Inhibit System Recovery

Initial Access

Lateral Movement

Persistence

Modify Existing Service

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Targets

Hakbit

Modifies Windows Defender Real-time Protection settings

Deletes shadow copies

Disables Task Manager via registry modification

Modifies extensions of user files

Deletes itself

Reads user/profile data of web browsers

Windows security modification

Enumerates connected drives

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2