hakbit | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-en-20211208
submitted
31-01-2022 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
Size

256KB
MD5

070940acdcf608923d044edc79ba4121
SHA1

5b1d1de92d8b8163ac70281d6afa3113d0f86362
SHA256

befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415
SHA512

41b35ca8765b7788461d198e63ba975800dbf0bc4bfa747769cc51399c74a969ea981d3d613cfeaf149a4c2c6d195b5c952fe45c5102ebf08387ec72540e6180

Score

10^/10

hakbit ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 1 Bitcoin and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: [email protected]. Bitcoin wallet to make the transfer to is: 1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ me+aDa9OmNfJAwWqxD6bWG1nyRs9DoaXekC4Mz4efke6v+Jy52Na4JpRGaz7WB3d33s6LSkfORtbxvzDt+zhFvlIg26Rp4kF02aJC7t+lODhK/Z2fhtfmbIqG9AiaBYcva4m3bsjiB6n+U12CEgGzIJgcJmwA/0V4DgQ1MbEraVQeYL+wo29tTLNdO7N5x6HSMDGl7m0xuW9Yn61qFHL90ftjeQ05TkmoiGoB4JuXzgWu6pokdQ8yGmWkrn0ENEmKKhw99btBjfV4RltmDlmDLpoqp5S3THkj3jSwu2SM3Pv4ng3wBGAl7/NuLrfNgYMID2duccgeuSXGuzoFAvl4w== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Emails

[email protected]

Wallets

1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\ExportUnblock.png.part	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created	C:\Users\Admin\Pictures\ProtectEnable.png.part	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created	C:\Users\Admin\Pictures\SetMove.png.part	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe

Deletes itself 1 IoCs

pid	Process
1620	cmd.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2040	vssadmin.exe
204	vssadmin.exe
620	vssadmin.exe
1492	vssadmin.exe
1020	vssadmin.exe
1464	vssadmin.exe
1636	vssadmin.exe
1716	vssadmin.exe
1992	vssadmin.exe
1228	vssadmin.exe
1240	vssadmin.exe
1704	vssadmin.exe
1804	vssadmin.exe
1244	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1100	taskkill.exe
1768	taskkill.exe
1120	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
236	notepad.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeBackupPrivilege	1724	vssvc.exe
Token: SeRestorePrivilege	1724	vssvc.exe
Token: SeAuditPrivilege	1724	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 524	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	27
PID 1140 wrote to memory of 524	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	27
PID 1140 wrote to memory of 524	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	27
PID 524 wrote to memory of 928	524	net.exe	29
PID 524 wrote to memory of 928	524	net.exe	29
PID 524 wrote to memory of 928	524	net.exe	29
PID 1140 wrote to memory of 108	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	30
PID 1140 wrote to memory of 108	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	30
PID 1140 wrote to memory of 108	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	30
PID 108 wrote to memory of 1464	108	net.exe	32
PID 108 wrote to memory of 1464	108	net.exe	32
PID 108 wrote to memory of 1464	108	net.exe	32
PID 1140 wrote to memory of 516	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	33
PID 1140 wrote to memory of 516	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	33
PID 1140 wrote to memory of 516	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	33
PID 516 wrote to memory of 1192	516	net.exe	35
PID 516 wrote to memory of 1192	516	net.exe	35
PID 516 wrote to memory of 1192	516	net.exe	35
PID 1140 wrote to memory of 540	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	36
PID 1140 wrote to memory of 540	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	36
PID 1140 wrote to memory of 540	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	36
PID 540 wrote to memory of 1764	540	net.exe	38
PID 540 wrote to memory of 1764	540	net.exe	38
PID 540 wrote to memory of 1764	540	net.exe	38
PID 1140 wrote to memory of 1104	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	39
PID 1140 wrote to memory of 1104	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	39
PID 1140 wrote to memory of 1104	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	39
PID 1104 wrote to memory of 1804	1104	net.exe	41
PID 1104 wrote to memory of 1804	1104	net.exe	41
PID 1104 wrote to memory of 1804	1104	net.exe	41
PID 1140 wrote to memory of 1296	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	42
PID 1140 wrote to memory of 1296	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	42
PID 1140 wrote to memory of 1296	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	42
PID 1140 wrote to memory of 1076	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	45
PID 1140 wrote to memory of 1076	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	45
PID 1140 wrote to memory of 1076	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	45
PID 1140 wrote to memory of 1052	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	47
PID 1140 wrote to memory of 1052	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	47
PID 1140 wrote to memory of 1052	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	47
PID 1140 wrote to memory of 1540	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	49
PID 1140 wrote to memory of 1540	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	49
PID 1140 wrote to memory of 1540	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	49
PID 1140 wrote to memory of 1120	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	50
PID 1140 wrote to memory of 1120	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	50
PID 1140 wrote to memory of 1120	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	50
PID 1140 wrote to memory of 1100	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	53
PID 1140 wrote to memory of 1100	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	53
PID 1140 wrote to memory of 1100	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	53
PID 1140 wrote to memory of 1768	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	55
PID 1140 wrote to memory of 1768	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	55
PID 1140 wrote to memory of 1768	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	55
PID 1140 wrote to memory of 1716	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	57
PID 1140 wrote to memory of 1716	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	57
PID 1140 wrote to memory of 1716	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	57
PID 1140 wrote to memory of 1240	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	61
PID 1140 wrote to memory of 1240	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	61
PID 1140 wrote to memory of 1240	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	61
PID 1140 wrote to memory of 1992	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	63
PID 1140 wrote to memory of 1992	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	63
PID 1140 wrote to memory of 1992	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	63
PID 1140 wrote to memory of 2040	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	65
PID 1140 wrote to memory of 2040	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	65
PID 1140 wrote to memory of 2040	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	65
PID 1140 wrote to memory of 1492	1140	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	67

C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
"C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\system32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:928
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:1464
- C:\Windows\system32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:1192
- C:\Windows\system32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:1764
- C:\Windows\system32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:1804
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1296
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1076
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1052
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1540
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1716
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1240
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1992
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2040
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1492
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1704
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1020
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1228
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1464
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:204
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1636
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1804
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:620
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1244
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
  2⤵
  - Deletes itself
  PID:1620
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-55-0x0000000000C50000-0x0000000000C96000-memory.dmp

Filesize
280KB

Download
memory/1140-56-0x0000000002420000-0x000000001A8C0000-memory.dmp

Filesize
388.6MB

Download
memory/1140-57-0x000007FEFC151000-0x000007FEFC153000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads