Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 31-01-2022 23:05
Static task: static1
Behavioral task: behavioral1
- Sample: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
- Resource: win10v2004-en-20220112
General
- Target: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
- Size: 256KB
- MD5: 070940acdcf608923d044edc79ba4121
- SHA1: 5b1d1de92d8b8163ac70281d6afa3113d0f86362
- SHA256: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415
- SHA512: 41b35ca8765b7788461d198e63ba975800dbf0bc4bfa747769cc51399c74a969ea981d3d613cfeaf149a4c2c6d195b5c952fe45c5102ebf08387ec72540e6180
Malware Config
Extracted
- Path: C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
- Family: hakbit
- Contact email: zoula50@protonmail.com
- Bitcoin wallet: 1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT
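The Malware Config block above is what the sandbox pulled out of the dropped note: a family label, a contact e-mail and a Bitcoin wallet. An extractor that scrapes such fields with a regex should also verify Base58Check on the wallet, because a single corrupted character still yields a syntactically plausible address that nobody controls, and publishing it as an IoC misleads everyone downstream. The Python below is an added example, not the sandbox's code. The note text it parses is constructed for the example (only the e-mail and the wallet string come from the report; the wording of the real HELP_ME_RECOVER_MY_FILES.txt is not on the page), and the checksum test vector is the Bitcoin genesis-block address, used here only as a known-good value.

```python
"""Pull the contact indicators the report's Malware Config section lists out
of a ransom note and sanity-check Bitcoin candidates with Base58Check.

Added example, not sandbox code. NOTE_TEXT is constructed for this example:
only the e-mail and wallet strings come from the report; the wording of the
real HELP_ME_RECOVER_MY_FILES.txt is not on the page.
"""
import hashlib
import re

NOTE_TEXT = """\
All of your files have been encrypted.
To get the decryptor write to zoula50@protonmail.com
Payment is accepted in Bitcoin only: 1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT
"""

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy P2PKH/P2SH shape: leading 1 or 3, then 25-34 Base58 characters.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)          # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))        # each leading '1' encodes a zero byte
    return b"\x00" * pad + body


def base58check_ok(addr):
    """True when addr decodes to version(1) + hash(20) + checksum(4) and the
    checksum equals the first four bytes of SHA256(SHA256(version + hash))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_config(note):
    emails = sorted(set(EMAIL_RE.findall(note)))
    # Keep every syntactic candidate but flag the ones whose checksum fails,
    # so a typo'd or truncated wallet is not published as a valid IoC.
    wallets = [{"address": a, "checksum_ok": base58check_ok(a)}
               for a in dict.fromkeys(BTC_RE.findall(note))]
    return {"emails": emails, "wallets": wallets}
```

The regex only recognises legacy addresses (the shape the report's wallet has); bech32 addresses starting with bc1 need a separate pattern and a bech32 checksum routine, which this example does not include.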
Signatures
-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
- File created: C:\Users\Admin\Pictures\ExportUnblock.png.part
- File created: C:\Users\Admin\Pictures\ProtectEnable.png.part
- File created: C:\Users\Admin\Pictures\SetMove.png.part
Deletes itself 1 IoCs
Processes:
- cmd.exe (PID 1620)
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
vssadmin.exe (10 instances, 18 root-path opens)
- File opened (read-only) by vssadmin.exe: \??\D: (x2), \??\E: (x2), \??\e: (x2), \??\F: (x2), \??\f: (x2), \??\G: (x2), \??\g: (x2), \??\H: (x2), \??\h: (x2)
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe (14 instances): PIDs 2040, 204, 620, 1492, 1020, 1464, 1636, 1716, 1992, 1228, 1240, 1704, 1804, 1244
Kills process with taskkill 3 IoCs
Processes:
taskkill.exe (3 instances): PIDs 1100, 1768, 1120
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exe: PID 236
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1140 befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
- Token: SeDebugPrivilege, PID 1120 taskkill.exe
- Token: SeDebugPrivilege, PID 1100 taskkill.exe
- Token: SeDebugPrivilege, PID 1768 taskkill.exe
- Token: SeBackupPrivilege, PID 1724 vssvc.exe
- Token: SeRestorePrivilege, PID 1724 vssvc.exe
- Token: SeAuditPrivilege, PID 1724 vssvc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe (PID 1140) and net.exe (5 instances). Each child process is listed three times in the raw log (three recorded writes into the new process); the signature shows at most 64 IoCs, so the list ends part-way through the vssadmin.exe spawns.
- PID 1140 wrote to memory of net.exe: PIDs 524, 108, 516, 540, 1104
- PID 524 (net.exe) wrote to memory of net1.exe: PID 928
- PID 108 (net.exe) wrote to memory of net1.exe: PID 1464
- PID 516 (net.exe) wrote to memory of net1.exe: PID 1192
- PID 540 (net.exe) wrote to memory of net1.exe: PID 1764
- PID 1104 (net.exe) wrote to memory of net1.exe: PID 1804
- PID 1140 wrote to memory of sc.exe: PIDs 1296, 1076, 1052, 1540
- PID 1140 wrote to memory of taskkill.exe: PIDs 1120, 1100, 1768
- PID 1140 wrote to memory of vssadmin.exe: PIDs 1716, 1240, 1992, 2040, 1492 (list truncated at 64 entries)
Processes (indentation shows parent/child nesting)
- C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe"
  Signatures: Modifies extensions of user files; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: "net.exe" stop avpsus /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop avpsus /y
  - C:\Windows\system32\net.exe
    Command line: "net.exe" stop McAfeeDLPAgentService /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  - C:\Windows\system32\net.exe
    Command line: "net.exe" stop mfewc /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop mfewc /y
  - C:\Windows\system32\net.exe
    Command line: "net.exe" stop BMR Boot Service /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop BMR Boot Service /y
  - C:\Windows\system32\net.exe
    Command line: "net.exe" stop NetBackup BMR MTFTP Service /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
  - C:\Windows\system32\sc.exe
    Command line: "sc.exe" config SQLTELEMETRY start= disabled
  - C:\Windows\system32\sc.exe
    Command line: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  - C:\Windows\system32\sc.exe
    Command line: "sc.exe" config SQLWriter start= disabled
  - C:\Windows\system32\sc.exe
    Command line: "sc.exe" config SstpSvc start= disabled
  - C:\Windows\system32\taskkill.exe
    Command line: "taskkill.exe" /IM mspub.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\taskkill.exe
    Command line: "taskkill.exe" /IM mydesktopqos.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\taskkill.exe
    Command line: "taskkill.exe" /IM mydesktopservice.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" Delete Shadows /all /quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
    Signatures: Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    Signatures: Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe
    Command line: "vssadmin.exe" Delete Shadows /all /quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\System32\notepad.exe
    Command line: "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
    Signatures: Opens file in notepad (likely ransom note)
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
    Signatures: Deletes itself
    - C:\Windows\system32\choice.exe
      Command line: choice /C Y /N /D Y /T 3
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
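The process tree above is the usual ransomware pre-encryption sequence: stop services that hold files open or could interfere (what look like Kaspersky and McAfee services plus the Veritas NetBackup BMR services), set the SQL Server and SSTP services to disabled with sc config, kill Publisher (mspub.exe) and the two mydesktop* processes with taskkill /F, wipe shadow copies with vssadmin Delete Shadows, and then shrink each volume's shadow storage to 401MB and back to unbounded, which forces VSS to purge any snapshot that no longer fits while leaving the setting looking untouched afterwards. The closing cmd.exe /C choice /C Y /N /D Y /T 3 & Del ... waits three seconds (choice answers Y by itself after the timeout) so the sample can exit before its own image, which cannot be deleted while it is mapped, is removed. The Python below is an added example, not the sandbox's code: it re-derives these signatures from process- and file-creation events in the shape Sysmon Event IDs 1 and 11 provide, using events constructed from this report's own process tree and IoC tables. The sample's parent PID is not in the report and is set to 0, and the report lists vssadmin.exe PIDs and command lines in separate tables, so their pairing is assumed from printed order. Technique IDs are from current ATT&CK rather than the v6 matrix the report references.

```python
"""Re-derive this report's recovery-inhibition signatures from process- and
file-creation events (the shape Sysmon Event IDs 1 and 11 give you).

Added example for this report, not sandbox code. The events are constructed
from the report's own process tree and IoC tables; the sample's parent PID is
not in the report (set to 0), and which vssadmin.exe PID ran which command
line is not stated, so the two lists are paired in printed order (assumed).
"""
import os
import re
from collections import defaultdict

SAMPLE = "befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
S32 = "C:\\Windows\\system32\\"
PROC_EVENTS = [  # (pid, ppid, image path, command line)
    (1140, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (524, 1140, S32 + "net.exe", '"net.exe" stop avpsus /y'),
    (928, 524, S32 + "net1.exe", S32 + "net1 stop avpsus /y"),
    (108, 1140, S32 + "net.exe", '"net.exe" stop McAfeeDLPAgentService /y'),
    (1464, 108, S32 + "net1.exe", S32 + "net1 stop McAfeeDLPAgentService /y"),
    (516, 1140, S32 + "net.exe", '"net.exe" stop mfewc /y'),
    (1192, 516, S32 + "net1.exe", S32 + "net1 stop mfewc /y"),
    (540, 1140, S32 + "net.exe", '"net.exe" stop BMR Boot Service /y'),
    (1764, 540, S32 + "net1.exe", S32 + "net1 stop BMR Boot Service /y"),
    (1104, 1140, S32 + "net.exe", '"net.exe" stop NetBackup BMR MTFTP Service /y'),
    (1804, 1104, S32 + "net1.exe", S32 + "net1 stop NetBackup BMR MTFTP Service /y"),
    (1296, 1140, S32 + "sc.exe", '"sc.exe" config SQLTELEMETRY start= disabled'),
    (1076, 1140, S32 + "sc.exe", '"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled'),
    (1052, 1140, S32 + "sc.exe", '"sc.exe" config SQLWriter start= disabled'),
    (1540, 1140, S32 + "sc.exe", '"sc.exe" config SstpSvc start= disabled'),
    (1120, 1140, S32 + "taskkill.exe", '"taskkill.exe" /IM mspub.exe /F'),
    (1100, 1140, S32 + "taskkill.exe", '"taskkill.exe" /IM mydesktopqos.exe /F'),
    (1768, 1140, S32 + "taskkill.exe", '"taskkill.exe" /IM mydesktopservice.exe /F'),
    (1620, 1140, S32 + "cmd.exe",
     f'"{S32}cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "{SAMPLE_PATH}'),
]
VSS_PIDS = [2040, 204, 620, 1492, 1020, 1464, 1636, 1716, 1992, 1228, 1240, 1704, 1804, 1244]
VSS_CMDS = ['"vssadmin.exe" Delete Shadows /all /quiet'] + [
    f'"vssadmin.exe" resize shadowstorage /for={d}: /on={d}: /maxsize={size}'
    for d in "cdefgh" for size in ("401MB", "unbounded")
] + ['"vssadmin.exe" Delete Shadows /all /quiet']
PROC_EVENTS += [(pid, 1140, S32 + "vssadmin.exe", cmd) for pid, cmd in zip(VSS_PIDS, VSS_CMDS)]
FILE_EVENTS = [(1140, "C:\\Users\\Admin\\Pictures\\" + n) for n in  # (pid, path created)
               ("ExportUnblock.png.part", "ProtectEnable.png.part", "SetMove.png.part")]
USER_DOC_EXT = {".png", ".jpg", ".docx", ".xlsx", ".pdf", ".txt"}
RULES = [  # (rule, ATT&CK technique, image basename, command-line pattern; group 1 = detail)
    ("shadow copies deleted", "T1490", "vssadmin.exe", r"(?i)\bdelete\s+shadows\b"),
    ("shadow storage resized", "T1490", "vssadmin.exe", r"(?i)\bresize\s+shadowstorage\b"),
    ("service stopped", "T1489", "net.exe", r"(?i)^\S+\s+stop\s+(.+?)\s*(?:/y)?\s*$"),
    ("service disabled", "T1489", "sc.exe", r"(?i)\bconfig\s+(\S+)\s+start=\s*disabled"),
    ("process killed", "T1489", "taskkill.exe", r"(?i)/im\s+(\S+)\s+/f\b"),
    ("delayed self-delete", "T1070.004", "cmd.exe", r'(?i)\bchoice\b.*&\s*del\s+"?([^"]+?)"?\s*$'),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def scan(proc_events, file_events):
    # Keyed on PID for brevity: the report itself reuses 1464 and 1804 for two
    # different processes, so a real pipeline must key on ProcessGuid instead.
    ppid_of = {pid: ppid for pid, ppid, _, _ in proc_events}
    image_of = {pid: image for pid, _, image, _ in proc_events}

    def root_of(pid):  # walk up until the parent is outside our event set
        while ppid_of.get(pid) in ppid_of:
            pid = ppid_of[pid]
        return pid

    findings = []
    for pid, _, image, cmdline in proc_events:
        for rule, technique, exe, pattern in RULES:
            m = re.search(pattern, cmdline) if basename(image) == exe else None
            if not m:
                continue
            detail = m.group(1) if m.groups() else cmdline
            if rule == "delayed self-delete" and basename(detail) != basename(image_of[root_of(pid)]):
                rule = "delayed file delete"  # cmd deleted something other than its ancestor's image
            findings.append({"pid": pid, "root": root_of(pid), "rule": rule,
                             "technique": technique, "detail": detail})
    for pid, path in file_events:
        stem, appended = os.path.splitext(path)
        original = os.path.splitext(stem)[1].lower()
        if original in USER_DOC_EXT and appended.lower() not in USER_DOC_EXT:  # .png -> .png.part
            findings.append({"pid": pid, "root": root_of(pid), "rule": "user file extension appended",
                             "technique": "T1486", "detail": original + appended})
    return findings

def verdict(findings, min_techniques=3):
    """Per root process: True when it inhibited recovery (T1490) and showed at
    least min_techniques distinct ATT&CK techniques in total."""
    techniques = defaultdict(set)
    for f in findings:
        techniques[f["root"]].add(f["technique"])
    return {root: "T1490" in t and len(t) >= min_techniques for root, t in techniques.items()}
```

The service-stop rule matches net.exe only and ignores the net1.exe worker it spawns, so each stop is counted once; the extension rule needs an allowlist of document extensions because the appended .part alone says nothing without knowing what preceded it.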
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
  MD5: cefb01ffb094a704b2e6e15e84b2a6f9
  SHA1: c7985db0ec4231e0432d593cf66fd34ba8d914ea
  SHA256: e930c6bbfc370b549e584dd1e9237dbe89220d2c01bcf03d297ef7d1dd8502a9
  SHA512: 9609f1eed8b660ea93637503ca34aabd995f195af026d714d3010f79cb8c1cdd57aaf641b3a7d6ddffa6f4e74adb4e2601fe84764970373efd31cdf25ceb2aa5
- memory/1140-55-0x0000000000C50000-0x0000000000C96000-memory.dmp (filesize 280KB)
- memory/1140-56-0x0000000002420000-0x000000001A8C0000-memory.dmp (filesize 388.6MB)
- memory/1140-57-0x000007FEFC151000-0x000007FEFC153000-memory.dmp (filesize 8KB)