Analysis

  • max time kernel
    75s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    26-07-2021 12:58

General

  • Target

    81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe

  • Size

    416KB

  • MD5

    21fa6ebdd397f14bbb68a4e3d012467e

  • SHA1

    0ecff2f818565e7eb28d3a7b7d295459a868e920

  • SHA256

    81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e

  • SHA512

    368e0c8e973f2cf655ea8a69be07b29bc073b2855f6feb9130f5fa8569cfa8d094549ec5d7706c293f8b22ae8bb6ee1b7dd2f4c2d2ccff94e7435e36d966bf66

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 0.5 Bitcoin and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: clearcuMc04997@gmail.com. Bitcoin wallet to make the transfer to is: 1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9 Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ E65AYAK6mjLjNU1PFnH5I2lcWyH7+Uam5gRz5U+/MAa9cu65qn0LA0i7EgjzTYP/hAvrvX8FQXy/JHcfFQOQCHIZVwxuvVBuqfStGZwOjG7FPVnfwYtbPExBtHXJSx+Vvji+sFeJ65jQGn/ah/CsSqtAa2YYDsUCRsxdAHm0gJXRGjLzqfLOSyOl15ebDW5C8WyBIfCxnH6jC0nAPYqfNzr81N4IplZyZu1xxrUpO7XDM1h5C5zJ/1LYeMVsFwSPFU8wyp6HzRwd6d3sLR2E2qq6xLvfFE8jzDp2Xxh1w1TPMXyR/mUYPuX9/PAVbMVH56JkGsTEnBwKMam8l9vuyA== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: 116
Emails

clearcuMc04997@gmail.com

Wallets

1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Windows\system32\net.exe
      "net.exe" stop avpsus /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
        3⤵
        PID:1620
    • C:\Windows\system32\net.exe
      "net.exe" stop McAfeeDLPAgentService /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
        3⤵
        PID:1080
    • C:\Windows\system32\net.exe
      "net.exe" stop mfewc /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop mfewc /y
        3⤵
        PID:1368
    • C:\Windows\system32\net.exe
      "net.exe" stop BMR Boot Service /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BMR Boot Service /y
        3⤵
        PID:380
    • C:\Windows\system32\net.exe
      "net.exe" stop NetBackup BMR MTFTP Service /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
        3⤵
        PID:976
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      PID:1860
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      PID:1200
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      2⤵
      PID:856
    • C:\Windows\system32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      2⤵
      PID:688
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" Delete Shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1760
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:1616
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:1848
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:300
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1816
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1800
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:620
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1744
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1764
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:232
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1336
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1780
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:884
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" Delete Shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:944
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1328
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\81e81f0bbbdb831eda215033b7a7dbf2eed3812f4e58118f181a8e99e613179e.sample.exe
      2⤵
      • Deletes itself
      PID:220
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
        PID:1748
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Modify Existing Service (1) T1031

  • Defense Evasion

    Modify Registry (2) T1112
    Disabling Security Tools (2) T1089
    File Deletion (2) T1107

  • Credential Access

    Credentials in Files (1) T1081

  • Discovery

    Query Registry (1) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (2) T1082

  • Collection

    Data from Local System (1) T1005

  • Impact

    Inhibit System Recovery (2) T1490


Downloads

  • C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

    MD5

    3acea3606822b35ed566777738b99833

    SHA1

    c83c15fcd3a32b475849ad2a144b4efb55dc5116

    SHA256

    a2d0fd7c97f89fb8e13c92cda7d38d6a37ef9493de7c6ef138922e4f7a27152a

    SHA512

    2fe7415f2d3820efec54fd80bcf26019717aa74d842fbadce82033025784b510e2f0f93c1c9a9a47c4bf106e967ceb0f19322206617c0bce8d474fdd3184fa19
