General

  • Target

    9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

  • Size

    199KB

  • Sample

    220131-23hwnsdcdp

  • MD5

    39c2a62f7024297c25f9a7b4157aba4c

  • SHA1

    30c5c20fbfbd60442b963109ab257ee1969f7f88

  • SHA256

    9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

  • SHA512

    502ef61a42a3575227284dcb43b2936772de9f97bec98345f0b9c93ae66c861d451440a07d8f86fb3130d499dc5bc56d3c5398c38346e6b3aa3c7614d9069236

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note
Atention! all your important files were encrypted! to get your files back you have to send Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: [email protected]. Bitcoin wallet to make the transfer to is: 1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ qaHFzfa6ELe2xl5OZYs2CMxo9OKKDQoPIVIVvZHmteoVipmv2mlzUF/G5Jve9aQ4/afebkdEU4OINi9BqaJHdi1ojwxkUqJ3lymlRMZ6ap7OsCStucoEy8QWNlofIF1Ks96WxXiIipnfRfCGmE2xJi7V7plpmzKhDcKLstJQELxvJq3ox44a1oZCZdCtASO7Jvmeu23GnKbZMiSsCgXDZ9CCsuhEqwTcA7exTFDq2pBCSEx8e5MFBpCX7n0FYChT8No2Rf55iWJA9a5VLVTE+xD2xWbbGiAcYBZWixaeIdehyinLybJCMeP4/2i9ibNRTnOOabRjyk4p3QkpVgW4iw== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: payment): 2
Wallets

1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note
Atention! all your important files were encrypted! to get your files back you have to send Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: [email protected]. Bitcoin wallet to make the transfer to is: 1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ hzqjGuzQ7/r+2HJj6VC4GV/HaM45Q8DtOcIp2HiHxz4Njc9uX7v7K3Xgjp9oMms44DoGYh1Qy7FAEpyMMx6IOrRkEJ61nwkXSlhSc1GLmg5Lk0PdKsd9bbcrSlsTzv6b+bD1ZFcYgptdzKIp1Wb7kPDqPKE8uwhaWYU2pg5PNW9AAM3icPz4PFcpwBZI7G2B52cKa+yh32CPk5KWpKaZlaLjOaXe+4IzgCCbemnZ9+Zorn02SJuSL8w8/7LsCCc+mrfU922L135ikrdnS7hht1EngyuM6zClwlzL/68rZZg8KIA70haa3d3PkEwo401sVSZSgl9wbw0fkzBTJv9l/Q== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: payment): 4
Wallets

1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP

Targets

    • Target

      9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

    • Size

      199KB

    • MD5

      39c2a62f7024297c25f9a7b4157aba4c

    • SHA1

      30c5c20fbfbd60442b963109ab257ee1969f7f88

    • SHA256

      9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

    • SHA512

      502ef61a42a3575227284dcb43b2936772de9f97bec98345f0b9c93ae66c861d451440a07d8f86fb3130d499dc5bc56d3c5398c38346e6b3aa3c7614d9069236

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Impact

Inhibit System Recovery

2
T1490

Tasks