Overview

overview

10

Static

static

4984825fb2...le.exe

windows7_x64

10

4984825fb2...le.exe

windows10_x64

9

Analysis

  • max time kernel
    48s
  • max time network
    55s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe

  • Size

    423KB

  • MD5

    055c2fba242d03ae153be4a796c55ae2

  • SHA1

    be71b94e30d5465d8b72e1fc7c0137024f97baee

  • SHA256

    4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024

  • SHA512

    20b31f6db488d26c1f7564106e455a77461e8a9934718e72c6c917e3ec688a9a597a05f1b93584fd88d3e867f09a470eb90094e27c2525939894973d31498890

Score
10/10
hakbitevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 0.5 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: daaaataaaaa@protonmail.com. Bitcoin wallet to make the transfer to is:1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9 Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ZB8esl2bqi2Bn1aS+inCS4R44bX4TdXLbrQ1QAgDqW2GKFbvdg/GcHe7BYRMtDzhFh4A0696Qictq7CSV7AZ9JlX+mAwmYF79yzLwuRgLleqiihzYKJC4zbaN1M+79AY/9BOBsi10qmHaRaUzCM/Ag3+FJQhZpEKtk4Uo/LPvf7YHKilUc/ZWH3OaYSY/jbVM4sKZoG6OUk8pBn0eZACxs0O0jxqNS/tR7AXgH8uuVLsf8Zi1UHzy9G0U8xcsSLBqXbXSajrgLp4xIEfkMxAJ6xLXbR6lht4T/f0mOCyi173K7ODmAa9n/ikwCAMOzSdRlexTyjdW7ATo+x+xUx2Sg== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: 108
Emails

daaaataaaaa@protonmail.com

Wallets

1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 3 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe"
    • Modifies extensions of user files
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\system32\net.exe
      "net.exe" stop avpsus /y
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
          PID:1612
      • C:\Windows\system32\net.exe
        "net.exe" stop McAfeeDLPAgentService /y
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
            PID:1876
        • C:\Windows\system32\net.exe
          "net.exe" stop mfewc /y
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop mfewc /y
              PID:336
          • C:\Windows\system32\net.exe
            "net.exe" stop BMR Boot Service /y
            • Suspicious use of WriteProcessMemory
            PID:1760
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop BMR Boot Service /y
                PID:1604
            • C:\Windows\system32\net.exe
              "net.exe" stop NetBackup BMR MTFTP Service /y
              • Suspicious use of WriteProcessMemory
              PID:1756
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
                  PID:528
              • C:\Windows\system32\sc.exe
                "sc.exe" config SQLTELEMETRY start= disabled
                  PID:1800
                • C:\Windows\system32\sc.exe
                  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                    PID:1680
                  • C:\Windows\system32\sc.exe
                    "sc.exe" config SQLWriter start= disabled
                      PID:1676
                    • C:\Windows\system32\sc.exe
                      "sc.exe" config SstpSvc start= disabled
                        PID:668
                      • C:\Windows\system32\taskkill.exe
                        "taskkill.exe" /IM mspub.exe /F
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:876
                      • C:\Windows\system32\taskkill.exe
                        "taskkill.exe" /IM mydesktopqos.exe /F
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:568
                      • C:\Windows\system32\taskkill.exe
                        "taskkill.exe" /IM mydesktopservice.exe /F
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1476
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" Delete Shadows /all /quiet
                        • Interacts with shadow copies
                        PID:1772
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
                        • Interacts with shadow copies
                        PID:696
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
                        • Interacts with shadow copies
                        PID:1392
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:936
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1736
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1072
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1628
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:224
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1852
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1480
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1052
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1764
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:572
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" Delete Shadows /all /quiet
                        • Interacts with shadow copies
                        PID:208
                      • C:\Windows\System32\notepad.exe
                        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
                        • Opens file in notepad (likely ransom note)
                        PID:960
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
                        • Deletes itself
                        PID:1620
                        • C:\Windows\system32\choice.exe
                          choice /C Y /N /D Y /T 3
                            PID:204
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1732

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Winlogon Helper DLL

                      1
                      T1004

                      Privilege Escalation

                      Defense Evasion

                      File Deletion

                      2
                      T1107

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Credentials in Files

                      1
                      T1081

                      Discovery

                      Query Registry

                      1
                      T1012

                      Peripheral Device Discovery

                      1
                      T1120

                      System Information Discovery

                      2
                      T1082

                      Lateral Movement

                      Collection

                      Data from Local System

                      1
                      T1005

                      Exfiltration

                      Command and Control

                      Impact

                      Inhibit System Recovery

                      2
                      T1490

                      Replay Monitor

                      00:00 00:00

                      Downloads

                      • C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
                        MD5

                        8a23fe4b5999dd0c8e5bfee03a2fce51

                        SHA1

                        3ee09af68ea39f8e0ae4057ccc0ad5da7e75df1e

                        SHA256

                        68db550814d9b7f6b69f6f1b35f697d7cd2709397cdb0a26100f1fc628eba479

                        SHA512

                        801fe1987974b510d6a73590434bc11d2a5dcbe754d3ceeae439c4b39959b99a8fe7a9aba5a960dd2ee2e8d3a164d1c114bae974d8e96306a1fecd9ad54453f8

                        Download Submit
                      • memory/204-98-0x0000000000000000-mapping.dmp
                        Download
                      • memory/208-93-0x0000000000000000-mapping.dmp
                        Download
                      • memory/224-87-0x0000000000000000-mapping.dmp
                        Download
                      • memory/336-67-0x0000000000000000-mapping.dmp
                        Download
                      • memory/528-71-0x0000000000000000-mapping.dmp
                        Download
                      • memory/568-78-0x0000000000000000-mapping.dmp
                        Download
                      • memory/572-92-0x0000000000000000-mapping.dmp
                        Download
                      • memory/668-75-0x0000000000000000-mapping.dmp
                        Download
                      • memory/696-81-0x0000000000000000-mapping.dmp
                        Download
                      • memory/876-76-0x0000000000000000-mapping.dmp
                        Download
                      • memory/936-83-0x0000000000000000-mapping.dmp
                        Download
                      • memory/960-95-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
                        Filesize

                        8KB

                        Download
                      • memory/960-94-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1052-90-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1072-85-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1140-60-0x0000000000170000-0x0000000000171000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/1140-77-0x000000001AE10000-0x000000001AE12000-memory.dmp
                        Filesize

                        8KB

                        Download
                      • memory/1176-62-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1392-82-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1476-79-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1480-89-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1604-69-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1612-63-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1620-97-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1628-86-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1676-74-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1680-73-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1720-66-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1736-84-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1752-64-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1756-70-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1760-68-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1764-91-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1772-80-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1800-72-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1852-88-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1876-65-0x0000000000000000-mapping.dmp
                        Download