General
Target: file000_spoolcv.exe
Size: 400KB
Sample: 211115-sbkrhsaff3
MD5: e6688d5a1565053e114263a98daca7de
SHA1: eb9c95ee5c0835406e27478099020ac1eee2c479
SHA256: f4dbc868579e467f9e05766f67497ae6d8f4b3be91165d40df4a18ec912e5e89
SHA512: c152cf41b58017466823e3d329265fb0dcf82fde8751587799d678ae46ab3745190d1e3686ecb97106abbd0990786eea90afe70b6ee10951b209f1e00583b9db
Static task: static1
Behavioral task: behavioral1 (sample: file000_spoolcv.exe, resource: win7-en-20211104)
Behavioral task: behavioral2 (sample: file000_spoolcv.exe, resource: win10-en-20211014)
Malware Config
Extracted
Path: C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
Family: hakbit
Ransom Note: Atention! all your important files were encrypted! to get your files back send 300 USD worth in Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: hakbit@protonmail.com. Bitcoin wallet to make the transfer to is: 12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW Unique Identifier Key (must be sent to us together with proof of payment): EAAAADszq34tWBb5b8Zy07RLXzeTqUaKAScgC0IqupZihirEc8LRbGcK+nlUKcxV391MzaYXaYeevF0WuZxv8Urf4jY= Number of files that you could have potentially lost forever can be as high as: 1980
Emails: hakbit@protonmail.com
Wallets: 12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW
Extracted
Path: C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
Family: hakbit
Ransom Note: Atention! all your important files were encrypted! to get your files back send 300 USD worth in Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: hakbit@protonmail.com. Bitcoin wallet to make the transfer to is: 12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW Unique Identifier Key (must be sent to us together with proof of payment): EAAAAKI6o1Qm8flb3HsSD9levNJEW/JLGqWhvsjQfNlqLkJZZghA00LKDEHPaZZWhhiM1xkP8ShkDNLb1ZGG5QAqsDo= Number of files that you could have potentially lost forever can be as high as: 9426
Emails: hakbit@protonmail.com
Wallets: 12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW
Targets
Target: file000_spoolcv.exe
Score: 10/10
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Deletes itself
- Drops startup file
MITRE ATT&CK Matrix columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation