General

  • Target

    9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

  • Size

    199KB

  • Sample

    220131-23hwnsdcdp

  • MD5

    39c2a62f7024297c25f9a7b4157aba4c

  • SHA1

    30c5c20fbfbd60442b963109ab257ee1969f7f88

  • SHA256

    9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

  • SHA512

    502ef61a42a3575227284dcb43b2936772de9f97bec98345f0b9c93ae66c861d451440a07d8f86fb3130d499dc5bc56d3c5398c38346e6b3aa3c7614d9069236

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note
Atention! all your important files were encrypted! to get your files back you have to send Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: servo99@protonmail.com. Bitcoin wallet to make the transfer to is: 1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ qaHFzfa6ELe2xl5OZYs2CMxo9OKKDQoPIVIVvZHmteoVipmv2mlzUF/G5Jve9aQ4/afebkdEU4OINi9BqaJHdi1ojwxkUqJ3lymlRMZ6ap7OsCStucoEy8QWNlofIF1Ks96WxXiIipnfRfCGmE2xJi7V7plpmzKhDcKLstJQELxvJq3ox44a1oZCZdCtASO7Jvmeu23GnKbZMiSsCgXDZ9CCsuhEqwTcA7exTFDq2pBCSEx8e5MFBpCX7n0FYChT8No2Rf55iWJA9a5VLVTE+xD2xWbbGiAcYBZWixaeIdehyinLybJCMeP4/2i9ibNRTnOOabRjyk4p3QkpVgW4iw== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: payment): 2
Emails

servo99@protonmail.com

Wallets

1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note
Atention! all your important files were encrypted! to get your files back you have to send Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: servo99@protonmail.com. Bitcoin wallet to make the transfer to is: 1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ hzqjGuzQ7/r+2HJj6VC4GV/HaM45Q8DtOcIp2HiHxz4Njc9uX7v7K3Xgjp9oMms44DoGYh1Qy7FAEpyMMx6IOrRkEJ61nwkXSlhSc1GLmg5Lk0PdKsd9bbcrSlsTzv6b+bD1ZFcYgptdzKIp1Wb7kPDqPKE8uwhaWYU2pg5PNW9AAM3icPz4PFcpwBZI7G2B52cKa+yh32CPk5KWpKaZlaLjOaXe+4IzgCCbemnZ9+Zorn02SJuSL8w8/7LsCCc+mrfU922L135ikrdnS7hht1EngyuM6zClwlzL/68rZZg8KIA70haa3d3PkEwo401sVSZSgl9wbw0fkzBTJv9l/Q== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: payment): 4
Emails

servo99@protonmail.com

Wallets

1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP
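The two extracted notes above differ only in the per-victim blob and the file count, which is exactly what a responder wants to lift out of them: contact address, wallet, purchase URLs, the victim key and the count. The parser below is an added example written for this page, not Tria.ge's extractor and not the sample's code. NOTE is the first extracted note with its long dash rulers shortened to 20 characters; the rest of the text, including the "Atention!" typo and the "payment): 2" tail, is unchanged. The Base58Check validator is there because notes are often retyped from screenshots, and an address that fails the checksum was probably mangled in transit. The report does not say what the blob is; that it decodes to 256 bytes is consistent with, but not proof of, a per-victim key encrypted under RSA-2048.

```python
"""Lift indicators from a Hakbit ransom note (added example, not the report's code)."""
import base64
import hashlib
import re

# First extracted note from the report, dash rulers shortened; otherwise verbatim.
NOTE = (
    "Atention! all your important files were encrypted! to get your files back "
    "you have to send Bitcoins and contact us with proof of payment and your "
    "Unique Identifier Key. We will send you a decryption tool with your personal "
    "decryption password. Where can you buy Bitcoins: https://www.coinbase.com "
    "https://localbitcoins.com Contact: servo99@protonmail.com. Bitcoin wallet to "
    "make the transfer to is: 1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP Unique Identifier "
    "Key (must be sent to us together with proof of payment): -------------------- "
    "qaHFzfa6ELe2xl5OZYs2CMxo9OKKDQoPIVIVvZHmteoVipmv2mlzUF/G5Jve9aQ4/afebkdEU4OINi9B"
    "qaJHdi1ojwxkUqJ3lymlRMZ6ap7OsCStucoEy8QWNlofIF1Ks96WxXiIipnfRfCGmE2xJi7V7plpmzKh"
    "DcKLstJQELxvJq3ox44a1oZCZdCtASO7Jvmeu23GnKbZMiSsCgXDZ9CCsuhEqwTcA7exTFDq2pBCSEx8"
    "e5MFBpCX7n0FYChT8No2Rf55iWJA9a5VLVTE+xD2xWbbGiAcYBZWixaeIdehyinLybJCMeP4/2i9ibNR"
    "TnOOabRjyk4p3QkpVgW4iw== -------------------- Number of files that you could "
    "have potentially lost forever can be as high as: payment): 2"
)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://\S+")
# Legacy Base58 P2PKH/P2SH addresses only; bech32 (bc1...) would need a second pattern.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# The per-victim blob sits between two dash rulers.
KEY_RE = re.compile(r"-{3,}\s*([A-Za-z0-9+/=]+)\s*-{3,}")
COUNT_RE = re.compile(r"as high as:\D*(\d+)")

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr):
    """True if addr is a well-formed Base58Check address: 25 bytes, checksum matches."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def parse_note(text):
    """Return the indicators a responder would lift from one note."""
    key_m = KEY_RE.search(text)
    # Cut the blob out before hunting for addresses so it cannot produce false hits.
    body = text[:key_m.start()] + text[key_m.end():] if key_m else text
    key_bytes = base64.b64decode(key_m.group(1), validate=True) if key_m else b""
    wallets = sorted(set(BTC_RE.findall(body)))
    count_m = COUNT_RE.search(body)
    return {
        "emails": sorted(set(EMAIL_RE.findall(body))),
        "urls": sorted(set(URL_RE.findall(body))),
        "wallets": wallets,
        "wallet_checksum_ok": {w: base58check_valid(w) for w in wallets},
        "victim_key_len": len(key_bytes),
        "file_count": int(count_m.group(1)) if count_m else None,
    }


if __name__ == "__main__":
    for k, v in parse_note(NOTE).items():
        print(f"{k}: {v}")
```

Run the same function over the second note and the only fields that change are `victim_key_len` (still a 344-character blob) and `file_count`, which is the quickest way to confirm both notes come from one campaign with one contact and one wallet.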

Targets

    • Target

      9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

    • Size

      199KB

    • MD5

      39c2a62f7024297c25f9a7b4157aba4c

    • SHA1

      30c5c20fbfbd60442b963109ab257ee1969f7f88

    • SHA256

      9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

    • SHA512

      502ef61a42a3575227284dcb43b2936772de9f97bec98345f0b9c93ae66c861d451440a07d8f86fb3130d499dc5bc56d3c5398c38346e6b3aa3c7614d9069236

    • Hakbit

      Ransomware family that encrypts files with AES; first seen in November 2019.

    • Deletes shadow copies

      Volume Shadow Copies are removed so that Windows restore points cannot be used to recover the encrypted files (Inhibit System Recovery, T1490).

    • Sets service image path in registry

      Writes an ImagePath value under a service key (HKLM\SYSTEM\CurrentControlSet\Services\<name>), which is what the Modify Registry (T1112) mapping below reflects. The report does not show which service or path was written.

    • Checks computer location settings

      Reads the country/region code configured in the registry, a common geofence check used to skip victims in selected countries.

    • Deletes itself

      The sample removes its own executable after running, a common anti-forensic step that also frustrates sample collection (File Deletion, T1107).

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive, typically a precursor to enumerating files to encrypt on every volume.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites another thread's register state; outside debuggers it is mostly seen in process hollowing and similar injection. The signature records the API use only, not what, if anything, was injected.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            ID     Technique                             Count
  Persistence       T1060  Registry Run Keys / Startup Folder    1
  Defense Evasion   T1107  File Deletion                         2
  Defense Evasion   T1112  Modify Registry                       1
  Discovery         T1012  Query Registry                        2
  Discovery         T1082  System Information Discovery          3
  Discovery         T1120  Peripheral Device Discovery           1
  Impact            T1490  Inhibit System Recovery               2

  Count is the number of report signatures mapped to the technique. The IDs are ATT&CK v6; in current ATT&CK, T1060 has become T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1107 has become T1070.004 (Indicator Removal: File Deletion), so translate before feeding these into a newer coverage map.
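The signature list and the matrix above name the behaviours but not the telemetry they would leave on a host. The script below is an added example, not the sandbox's signature logic and not the sample's code, that maps constructed Sysmon-style events onto those behaviours. The report does not publish the sample's command lines or registry paths, so every command line and registry path here is illustrative of what these behaviours typically produce (vssadmin/wmic for shadow-copy deletion, a Run-key value, a Services\...\ImagePath write, a cmd.exe "ping ... & del" chain for self-deletion); the Geo\Nation value is my assumption for what "country code configured in the registry" refers to. Technique IDs follow the ATT&CK v6 matrix on this page.

```python
"""Map constructed endpoint events onto the behaviours this report flags.

Added example; not the report's or the sample's code. Events are constructed
and illustrative: the report does not disclose this sample's command lines.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" or "registry"
    image: str = ""    # executing process
    parent: str = ""   # parent image (process events)
    cmdline: str = ""  # command line (process events)
    target: str = ""   # registry object path (registry events)
    op: str = ""       # "set" or "query" (registry events; Sysmon logs only sets)


# Inhibit System Recovery (T1490): the common shadow-copy / recovery killers.
T1490_CMDS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SERVICE_IMAGEPATH = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)  # assumed key
# "del <path>.exe" issued by cmd.exe whose parent is that very path.
SELF_DELETE = re.compile(r'\bdel\b\s+"?(?P<path>[a-z]:\\[^"&]+?\.exe)"?', re.I)


def classify(ev):
    """Return (technique id, report signature name) pairs one event matches."""
    hits = []
    if ev.kind == "process":
        if any(p.search(ev.cmdline) for p in T1490_CMDS):
            hits.append(("T1490", "Deletes shadow copies"))
        m = SELF_DELETE.search(ev.cmdline)
        if (m and ev.image.lower().endswith("\\cmd.exe")
                and m.group("path").lower() == ev.parent.lower()):
            hits.append(("T1107", "Deletes itself"))
    elif ev.kind == "registry":
        if ev.op == "set" and RUN_KEY.search(ev.target):
            hits.append(("T1060", "Registry Run Keys / Startup Folder"))
        if ev.op == "set" and SERVICE_IMAGEPATH.search(ev.target):
            hits.append(("T1112", "Sets service image path in registry"))
        if ev.op == "query" and GEO_KEY.search(ev.target):
            hits.append(("T1012", "Checks computer location settings"))
    return hits


def triage(events):
    """Aggregate behaviour hits: '<id> <signature>' -> number of matching events."""
    counts = {}
    for ev in events:
        for tid, name in classify(ev):
            key = f"{tid} {name}"
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed telemetry; SAMPLE is a hypothetical drop path, not one from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
EVENTS = [
    Event("process", image=SAMPLE, parent=r"C:\Windows\explorer.exe", cmdline=f'"{SAMPLE}"'),
    Event("process", image=r"C:\Windows\System32\vssadmin.exe", parent=SAMPLE,
          cmdline="vssadmin.exe delete shadows /all /quiet"),
    Event("process", image=r"C:\Windows\System32\wbem\WMIC.exe", parent=SAMPLE,
          cmdline="wmic shadowcopy delete"),
    Event("registry", image=SAMPLE, op="set",
          target=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("registry", image=SAMPLE, op="set",
          target=r"HKLM\System\CurrentControlSet\Services\svcupd\ImagePath"),
    Event("registry", image=SAMPLE, op="query",
          target=r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation"),
    Event("process", image=r"C:\Windows\System32\cmd.exe", parent=SAMPLE,
          cmdline=f'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "{SAMPLE}"'),
    # Benign-looking: the user opening the note must not trip anything.
    Event("process", image=r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe",
          cmdline="notepad.exe HELP_ME_RECOVER_MY_FILES.txt"),
]

if __name__ == "__main__":
    for key, n in sorted(triage(EVENTS).items()):
        print(f"{key}: {n}")
```

The self-delete rule deliberately requires the `del` target to equal the parent image; a bare `cmd.exe /c del` is far too common to alert on, while a child deleting its own parent is a strong ransomware and loader indicator. Registry reads (the geofence check) are not in Sysmon at all, so that rule only fires on sandbox or EDR API traces that log queries.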

Tasks