General

  • Target

    file000_spoolcv.exe

  • Size

    400KB

  • Sample

    211115-sbkrhsaff3

  • MD5

    e6688d5a1565053e114263a98daca7de

  • SHA1

    eb9c95ee5c0835406e27478099020ac1eee2c479

  • SHA256

    f4dbc868579e467f9e05766f67497ae6d8f4b3be91165d40df4a18ec912e5e89

  • SHA512

    c152cf41b58017466823e3d329265fb0dcf82fde8751587799d678ae46ab3745190d1e3686ecb97106abbd0990786eea90afe70b6ee10951b209f1e00583b9db

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 300 USD worth in Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: hakbit@protonmail.com. Bitcoin wallet to make the transfer to is: 12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW Unique Identifier Key (must be sent to us together with proof of payment): EAAAADszq34tWBb5b8Zy07RLXzeTqUaKAScgC0IqupZihirEc8LRbGcK+nlUKcxV391MzaYXaYeevF0WuZxv8Urf4jY= Number of files that you could have potentially lost forever can be as high as: 1980

Emails

hakbit@protonmail.com

Wallets

12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 300 USD worth in Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: hakbit@protonmail.com. Bitcoin wallet to make the transfer to is: 12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW Unique Identifier Key (must be sent to us together with proof of payment): EAAAAKI6o1Qm8flb3HsSD9levNJEW/JLGqWhvsjQfNlqLkJZZghA00LKDEHPaZZWhhiM1xkP8ShkDNLb1ZGG5QAqsDo= Number of files that you could have potentially lost forever can be as high as: 9426

Emails

hakbit@protonmail.com

Wallets

12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW

Targets

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Drops startup file

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation