Analysis
- max time kernel: 600s
- max time network: 600s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 15-11-2021 14:57
Static task: static1
Behavioral task: behavioral1
- Sample: file000_spoolcv.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: file000_spoolcv.exe
- Resource: win10-en-20211014
General
- Target: file000_spoolcv.exe
- Size: 400KB
- MD5: e6688d5a1565053e114263a98daca7de
- SHA1: eb9c95ee5c0835406e27478099020ac1eee2c479
- SHA256: f4dbc868579e467f9e05766f67497ae6d8f4b3be91165d40df4a18ec912e5e89
- SHA512: c152cf41b58017466823e3d329265fb0dcf82fde8751587799d678ae46ab3745190d1e3686ecb97106abbd0990786eea90afe70b6ee10951b209f1e00583b9db
Malware Config
Extracted
C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
hakbit
hakbit@protonmail.com
12grtxACJZkgT2nGAvMesgoM4ADHJ6NTaW
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysqld.exe matches yara rule disable_win_def
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysqld.exe matches yara rule disable_win_def
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes:
- PID 932 mysqld.exe
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
- mysqld.exe: File created C:\Users\Admin\Pictures\SelectRead.png.crypted
- mysqld.exe: File created C:\Users\Admin\Pictures\PopReceive.tiff.crypted
- mysqld.exe: File opened for modification C:\Users\Admin\Pictures\PopReceive.tiff
Deletes itself 1 IoCs
Processes:
- PID 1340 cmd.exe
Drops startup file 2 IoCs
Processes:
- file000_spoolcv.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysqld.exe
- file000_spoolcv.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysqld.exe
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 540 vssadmin.exe
Modifies system certificate store
Processes:
- mysqld.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
- mysqld.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
- PID 1036 notepad.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
- PID 1588 file000_spoolcv.exe: Token SeDebugPrivilege
- PID 932 mysqld.exe: Token SeDebugPrivilege
- PID 1548 vssvc.exe: Token SeBackupPrivilege
- PID 1548 vssvc.exe: Token SeRestorePrivilege
- PID 1548 vssvc.exe: Token SeAuditPrivilege
Suspicious use of WriteProcessMemory 21 IoCs
Processes (source PID and process, target PID and process; each pairing was reported three times):
- PID 1588 file000_spoolcv.exe wrote to memory of PID 932 mysqld.exe (3 events)
- PID 1588 file000_spoolcv.exe wrote to memory of PID 1340 cmd.exe (3 events)
- PID 932 mysqld.exe wrote to memory of PID 540 vssadmin.exe (3 events)
- PID 1340 cmd.exe wrote to memory of PID 1064 choice.exe (3 events)
- PID 932 mysqld.exe wrote to memory of PID 1036 notepad.exe (3 events)
- PID 932 mysqld.exe wrote to memory of PID 1708 cmd.exe (3 events)
- PID 1708 cmd.exe wrote to memory of PID 432 choice.exe (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\file000_spoolcv.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file000_spoolcv.exe"
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysqld.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysqld.exe"
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      command line: "vssadmin" delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\System32\notepad.exe
      command line: "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
      - Opens file in notepad (likely ransom note)
    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysqld.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\choice.exe
        command line: choice /C Y /N /D Y /T 3
  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\file000_spoolcv.exe
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\choice.exe
      command line: choice /C Y /N /D Y /T 3
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysqld.exe
  MD5: e6688d5a1565053e114263a98daca7de
  SHA1: eb9c95ee5c0835406e27478099020ac1eee2c479
  SHA256: f4dbc868579e467f9e05766f67497ae6d8f4b3be91165d40df4a18ec912e5e89
  SHA512: c152cf41b58017466823e3d329265fb0dcf82fde8751587799d678ae46ab3745190d1e3686ecb97106abbd0990786eea90afe70b6ee10951b209f1e00583b9db
- C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
  MD5: 1cb6536a08f7a8e6a76db6f9a2ff04c2
  SHA1: ac20877b6224e4fab16d45af3a2fe4225acdc99d
  SHA256: cbcdb8a6b60c02ed4c0e8a9085f16f77b441271b2a588d0fdfe8a41866b43801
  SHA512: a49f4e60d55ba864f79360d9bde84d3086de0dea336e5a2560ed719f45318b44cb78c9a739b44359719e20282d0f160086c9e8aa75c9885b964f85c539d3fb16
- memory/432-70-0x0000000000000000-mapping.dmp
- memory/540-64-0x0000000000000000-mapping.dmp
- memory/932-66-0x000000001AF50000-0x000000001AF52000-memory.dmp (Filesize 8KB)
- memory/932-61-0x0000000000E10000-0x0000000000E11000-memory.dmp (Filesize 4KB)
- memory/932-58-0x0000000000000000-mapping.dmp
- memory/1036-67-0x0000000000000000-mapping.dmp
- memory/1064-65-0x0000000000000000-mapping.dmp
- memory/1340-63-0x0000000000000000-mapping.dmp
- memory/1588-55-0x00000000003B0000-0x00000000003B1000-memory.dmp (Filesize 4KB)
- memory/1588-57-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp (Filesize 8KB)
- memory/1708-69-0x0000000000000000-mapping.dmp