Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    31-01-2022 23:05

General

  • Target

    befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe

  • Size

    256KB

  • MD5

    070940acdcf608923d044edc79ba4121

  • SHA1

    5b1d1de92d8b8163ac70281d6afa3113d0f86362

  • SHA256

    befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415

  • SHA512

    41b35ca8765b7788461d198e63ba975800dbf0bc4bfa747769cc51399c74a969ea981d3d613cfeaf149a4c2c6d195b5c952fe45c5102ebf08387ec72540e6180

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 1 Bitcoin and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: zoula50@protonmail.com. Bitcoin wallet to make the transfer to is: 1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Dt6vG8qQcMWdgEueBM7AfDdoUEbwefKWi0F6Ot5Atd3g8LxCGEJQPJvb5yIHO9peq1slR/Qhf9CztRDZTbfol4b3uWoM3/XznS+wbEE+50BQDgy9xyMx0IjGFHRg51eFYOM5P8+NcewhVwu3es5A0LLdPjepV1FVfJpUmdeXWWgXo6g6QQtzbaJ39ajk/V0tVH+qZ95QAeKGVk5AgQjLBuv6jssKrqdxMTvpp6NNeNeGgMFqdbCGPiOgHLdY4L3JYu9BEPjX/hL+qtclYIIicZG8efXWOmOgfBsprMfFFT1O/TQ7ocKXCNLoS8psBhFPA+sce+YrFwPbuhHB4AIYkA== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Emails

zoula50@protonmail.com

Wallets

1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Sets service image path in registry 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
    "C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop avpsus /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3148
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
        3⤵
          PID:1816
      • C:\Windows\SYSTEM32\net.exe
        "net.exe" stop McAfeeDLPAgentService /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
          3⤵
            PID:3592
        • C:\Windows\SYSTEM32\net.exe
          "net.exe" stop mfewc /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2768
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop mfewc /y
            3⤵
              PID:3528
          • C:\Windows\SYSTEM32\net.exe
            "net.exe" stop BMR Boot Service /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3872
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop BMR Boot Service /y
              3⤵
                PID:4056
            • C:\Windows\SYSTEM32\net.exe
              "net.exe" stop NetBackup BMR MTFTP Service /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3688
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
                3⤵
                  PID:2872
              • C:\Windows\SYSTEM32\sc.exe
                "sc.exe" config SQLTELEMETRY start= disabled
                2⤵
                  PID:2808
                • C:\Windows\SYSTEM32\sc.exe
                  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                  2⤵
                    PID:3740
                  • C:\Windows\SYSTEM32\sc.exe
                    "sc.exe" config SQLWriter start= disabled
                    2⤵
                      PID:1904
                    • C:\Windows\SYSTEM32\sc.exe
                      "sc.exe" config SstpSvc start= disabled
                      2⤵
                        PID:3516
                      • C:\Windows\SYSTEM32\taskkill.exe
                        "taskkill.exe" /IM mspub.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1544
                      • C:\Windows\SYSTEM32\taskkill.exe
                        "taskkill.exe" /IM mydesktopqos.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1940
                      • C:\Windows\SYSTEM32\taskkill.exe
                        "taskkill.exe" /IM mydesktopservice.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1772
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" Delete Shadows /all /quiet
                        2⤵
                        • Interacts with shadow copies
                        PID:1688
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
                        2⤵
                        • Interacts with shadow copies
                        PID:2944
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
                        2⤵
                        • Interacts with shadow copies
                        PID:1316
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:3616
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:3360
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1952
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:2540
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1532
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:3432
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:552
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:2992
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:3876
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:2508
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" Delete Shadows /all /quiet
                        2⤵
                        • Interacts with shadow copies
                        PID:2600
                      • C:\Windows\System32\notepad.exe
                        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
                        2⤵
                        • Opens file in notepad (likely ransom note)
                        PID:3956
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
                        2⤵
                          PID:1532
                          • C:\Windows\system32\choice.exe
                            choice /C Y /N /D Y /T 3
                            3⤵
                              PID:1316
                        • C:\Windows\system32\vssvc.exe
                          C:\Windows\system32\vssvc.exe
                          1⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3464
                        • C:\Windows\System32\WaaSMedicAgent.exe
                          C:\Windows\System32\WaaSMedicAgent.exe 5b5fec777df30a008dec35087d2b3422 vadgS/xhVESohyLQi8mm+A.0.1.0.0.0
                          1⤵
                          • Modifies data under HKEY_USERS
                          PID:3596

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Persistence

                        Registry Run Keys / Startup Folder

                        1
                        T1060

                        Defense Evasion

                        File Deletion

                        2
                        T1107

                        Modify Registry

                        1
                        T1112

                        Discovery

                        Query Registry

                        2
                        T1012

                        System Information Discovery

                        3
                        T1082

                        Peripheral Device Discovery

                        1
                        T1120

                        Impact

                        Inhibit System Recovery

                        2
                        T1490

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
                          MD5

                          3a59afa0aa37538a33311926830fe0cb

                          SHA1

                          359cc8ee4bcbf8499a5227b081206acc3d87b453

                          SHA256

                          7416f2e932e0b94d506f15d304739b2c264d08f1f34ce5bce52408493d51fca1

                          SHA512

                          46af7fc17469e66eef65ec02a8afeb772c301e52b061d9773b333b35dba7f2baf695d767668a3875223c1f02c8d9ac403fbb443a5db9b1ed5a8d583f0b023c15

                        • memory/1356-130-0x00000000002C0000-0x0000000000306000-memory.dmp
                          Filesize

                          280KB

                        • memory/1356-131-0x0000000002570000-0x0000000002572000-memory.dmp
                          Filesize

                          8KB