Overview

overview

10

Static

static

befc6ff8c6...15.exe

windows7_x64

10

befc6ff8c6...15.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415

  • Size

    256KB

  • Sample

    220131-224rradcdl

  • MD5

    070940acdcf608923d044edc79ba4121

  • SHA1

    5b1d1de92d8b8163ac70281d6afa3113d0f86362

  • SHA256

    befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415

  • SHA512

    41b35ca8765b7788461d198e63ba975800dbf0bc4bfa747769cc51399c74a969ea981d3d613cfeaf149a4c2c6d195b5c952fe45c5102ebf08387ec72540e6180

Score
10/10
hakbitpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 1 Bitcoin and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: zoula50@protonmail.com. Bitcoin wallet to make the transfer to is: 1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ me+aDa9OmNfJAwWqxD6bWG1nyRs9DoaXekC4Mz4efke6v+Jy52Na4JpRGaz7WB3d33s6LSkfORtbxvzDt+zhFvlIg26Rp4kF02aJC7t+lODhK/Z2fhtfmbIqG9AiaBYcva4m3bsjiB6n+U12CEgGzIJgcJmwA/0V4DgQ1MbEraVQeYL+wo29tTLNdO7N5x6HSMDGl7m0xuW9Yn61qFHL90ftjeQ05TkmoiGoB4JuXzgWu6pokdQ8yGmWkrn0ENEmKKhw99btBjfV4RltmDlmDLpoqp5S3THkj3jSwu2SM3Pv4ng3wBGAl7/NuLrfNgYMID2duccgeuSXGuzoFAvl4w== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Emails

zoula50@protonmail.com

Wallets

1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 1 Bitcoin and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: zoula50@protonmail.com. Bitcoin wallet to make the transfer to is: 1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Dt6vG8qQcMWdgEueBM7AfDdoUEbwefKWi0F6Ot5Atd3g8LxCGEJQPJvb5yIHO9peq1slR/Qhf9CztRDZTbfol4b3uWoM3/XznS+wbEE+50BQDgy9xyMx0IjGFHRg51eFYOM5P8+NcewhVwu3es5A0LLdPjepV1FVfJpUmdeXWWgXo6g6QQtzbaJ39ajk/V0tVH+qZ95QAeKGVk5AgQjLBuv6jssKrqdxMTvpp6NNeNeGgMFqdbCGPiOgHLdY4L3JYu9BEPjX/hL+qtclYIIicZG8efXWOmOgfBsprMfFFT1O/TQ7ocKXCNLoS8psBhFPA+sce+YrFwPbuhHB4AIYkA== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Emails

zoula50@protonmail.com

Wallets

1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT

Targets

    • Target

      befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415

    • Size

      256KB

    • MD5

      070940acdcf608923d044edc79ba4121

    • SHA1

      5b1d1de92d8b8163ac70281d6afa3113d0f86362

    • SHA256

      befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415

    • SHA512

      41b35ca8765b7788461d198e63ba975800dbf0bc4bfa747769cc51399c74a969ea981d3d613cfeaf149a4c2c6d195b5c952fe45c5102ebf08387ec72540e6180

    Score
    10/10
    hakbitransomwarepersistence

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

      ransomwarehakbit

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks