Overview

overview

10

Static

static

10

file000_spoolcv.exe

windows7_x64

10

file000_spoolcv.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file000_spoolcv.exe

  • Size

    400KB

  • Sample

    211115-sbkrhsaff3

  • MD5

    e6688d5a1565053e114263a98daca7de

  • SHA1

    eb9c95ee5c0835406e27478099020ac1eee2c479

  • SHA256

    f4dbc868579e467f9e05766f67497ae6d8f4b3be91165d40df4a18ec912e5e89

  • SHA512

    c152cf41b58017466823e3d329265fb0dcf82fde8751587799d678ae46ab3745190d1e3686ecb97106abbd0990786eea90afe70b6ee10951b209f1e00583b9db

Score
10/10
hakbitransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 300 USD worth in Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: hakbit@protonmail.com. Bitcoin wallet to make the transfer to is: 12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW Unique Identifier Key (must be sent to us together with proof of payment): EAAAADszq34tWBb5b8Zy07RLXzeTqUaKAScgC0IqupZihirEc8LRbGcK+nlUKcxV391MzaYXaYeevF0WuZxv8Urf4jY= Number of files that you could have potentially lost forever can be as high as: 1980
Emails

hakbit@protonmail.com

Wallets

12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 300 USD worth in Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: hakbit@protonmail.com. Bitcoin wallet to make the transfer to is: 12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW Unique Identifier Key (must be sent to us together with proof of payment): EAAAAKI6o1Qm8flb3HsSD9levNJEW/JLGqWhvsjQfNlqLkJZZghA00LKDEHPaZZWhhiM1xkP8ShkDNLb1ZGG5QAqsDo= Number of files that you could have potentially lost forever can be as high as: 9426
Emails

hakbit@protonmail.com

Wallets

12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW

Targets

    • Target

      file000_spoolcv.exe

    • Size

      400KB

    • MD5

      e6688d5a1565053e114263a98daca7de

    • SHA1

      eb9c95ee5c0835406e27478099020ac1eee2c479

    • SHA256

      f4dbc868579e467f9e05766f67497ae6d8f4b3be91165d40df4a18ec912e5e89

    • SHA512

      c152cf41b58017466823e3d329265fb0dcf82fde8751587799d678ae46ab3745190d1e3686ecb97106abbd0990786eea90afe70b6ee10951b209f1e00583b9db

    Score
    10/10
    hakbitransomware

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

      ransomwarehakbit

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Deletes itself

    • Drops startup file

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks