Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 31-01-2022 23:06
Static task: static1
Behavioral task: behavioral1
  Sample: 9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
  Resource: win10v2004-en-20220112
General
- Target: 9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
- Size: 199KB
- MD5: 39c2a62f7024297c25f9a7b4157aba4c
- SHA1: 30c5c20fbfbd60442b963109ab257ee1969f7f88
- SHA256: 9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2
- SHA512: 502ef61a42a3575227284dcb43b2936772de9f97bec98345f0b9c93ae66c861d451440a07d8f86fb3130d499dc5bc56d3c5398c38346e6b3aa3c7614d9069236
Malware Config
Extracted
C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP
Signatures
-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
Processes:
  pid   process
  480   cmd.exe
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc      process
  File opened (read-only)  \??\D:   vssadmin.exe
  File opened (read-only)  \??\e:   vssadmin.exe
  File opened (read-only)  \??\E:   vssadmin.exe
  File opened (read-only)  \??\F:   vssadmin.exe
  File opened (read-only)  \??\f:   vssadmin.exe
  File opened (read-only)  \??\f:   vssadmin.exe
  File opened (read-only)  \??\F:   vssadmin.exe
  File opened (read-only)  \??\G:   vssadmin.exe
  File opened (read-only)  \??\g:   vssadmin.exe
  File opened (read-only)  \??\E:   vssadmin.exe
  File opened (read-only)  \??\e:   vssadmin.exe
  File opened (read-only)  \??\g:   vssadmin.exe
  File opened (read-only)  \??\G:   vssadmin.exe
  File opened (read-only)  \??\h:   vssadmin.exe
  File opened (read-only)  \??\H:   vssadmin.exe
  File opened (read-only)  \??\H:   vssadmin.exe
  File opened (read-only)  \??\D:   vssadmin.exe
  File opened (read-only)  \??\h:   vssadmin.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process                                                                   target process
  PID 1536 set thread context of 1480  1536  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  1536  vssadmin.exe
  1156  vssadmin.exe
  992   vssadmin.exe
  1564  vssadmin.exe
  1364  vssadmin.exe
  612   vssadmin.exe
  1760  vssadmin.exe
  1652  vssadmin.exe
  1040  vssadmin.exe
  816   vssadmin.exe
  1324  vssadmin.exe
  1732  vssadmin.exe
  1056  vssadmin.exe
  1532  vssadmin.exe
Kills process with taskkill 3 IoCs
Processes:
  pid   process
  1468  taskkill.exe
  1380  taskkill.exe
  2028  taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
  pid   process
  1612  notepad.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid   process
  1536  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
  description                pid   process
  Token: SeDebugPrivilege    1536  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
  Token: SeDebugPrivilege    1480  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
  Token: SeDebugPrivilege    1468  taskkill.exe
  Token: SeDebugPrivilege    1380  taskkill.exe
  Token: SeDebugPrivilege    2028  taskkill.exe
  Token: SeBackupPrivilege   1616  vssvc.exe
  Token: SeRestorePrivilege  1616  vssvc.exe
  Token: SeAuditPrivilege    1616  vssvc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  (identical rows are collapsed; the last column gives how many times each row appears in the report, 64 rows in total)
  description                       pid   process                                                                   target process                                                            rows
  PID 1536 wrote to memory of 696   1536  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  4
  PID 1536 wrote to memory of 1480  1536  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  9
  PID 1480 wrote to memory of 1832  1480  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  net.exe                                                                   4
  PID 1832 wrote to memory of 1148  1832  net.exe                                                                   net1.exe                                                                  4
  PID 1480 wrote to memory of 1544  1480  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  net.exe                                                                   4
  PID 1544 wrote to memory of 432   1544  net.exe                                                                   net1.exe                                                                  4
  PID 1480 wrote to memory of 1460  1480  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  net.exe                                                                   4
  PID 1460 wrote to memory of 956   1460  net.exe                                                                   net1.exe                                                                  4
  PID 1480 wrote to memory of 736   1480  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  net.exe                                                                   4
  PID 736 wrote to memory of 1588   736   net.exe                                                                   net1.exe                                                                  4
  PID 1480 wrote to memory of 1404  1480  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  net.exe                                                                   4
  PID 1404 wrote to memory of 1836  1404  net.exe                                                                   net1.exe                                                                  4
  PID 1480 wrote to memory of 1092  1480  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  sc.exe                                                                    4
  PID 1480 wrote to memory of 1072  1480  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  sc.exe                                                                    4
  PID 1480 wrote to memory of 1132  1480  9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe  sc.exe                                                                    3
Processes
(process tree; nesting shows parent/child relationships)
- C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 1536
  - C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
    PID: 696
  - C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 1480
    - C:\Windows\SysWOW64\net.exe
      Command line: "net.exe" stop avpsus /y
      Signatures: Suspicious use of WriteProcessMemory
      PID: 1832
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop avpsus /y
        PID: 1148
    - C:\Windows\SysWOW64\net.exe
      Command line: "net.exe" stop McAfeeDLPAgentService /y
      Signatures: Suspicious use of WriteProcessMemory
      PID: 1544
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
        PID: 432
    - C:\Windows\SysWOW64\net.exe
      Command line: "net.exe" stop mfewc /y
      Signatures: Suspicious use of WriteProcessMemory
      PID: 1460
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop mfewc /y
        PID: 956
    - C:\Windows\SysWOW64\net.exe
      Command line: "net.exe" stop BMR Boot Service /y
      Signatures: Suspicious use of WriteProcessMemory
      PID: 736
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop BMR Boot Service /y
        PID: 1588
    - C:\Windows\SysWOW64\net.exe
      Command line: "net.exe" stop NetBackup BMR MTFTP Service /y
      Signatures: Suspicious use of WriteProcessMemory
      PID: 1404
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
        PID: 1836
    - C:\Windows\SysWOW64\sc.exe
      Command line: "sc.exe" config SQLTELEMETRY start= disabled
      PID: 1092
    - C:\Windows\SysWOW64\sc.exe
      Command line: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      PID: 1072
    - C:\Windows\SysWOW64\sc.exe
      Command line: "sc.exe" config SQLWriter start= disabled
      PID: 1132
    - C:\Windows\SysWOW64\sc.exe
      Command line: "sc.exe" config SstpSvc start= disabled
      PID: 952
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: "taskkill.exe" /IM mspub.exe /F
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      PID: 1468
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: "taskkill.exe" /IM mydesktopqos.exe /F
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      PID: 1380
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: "taskkill.exe" /IM mydesktopservice.exe /F
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      PID: 2028
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" Delete Shadows /all /quiet
      Signatures: Interacts with shadow copies
      PID: 1732
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
      Signatures: Interacts with shadow copies
      PID: 1536
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      Signatures: Interacts with shadow copies
      PID: 1564
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
      Signatures: Enumerates connected drives; Interacts with shadow copies
      PID: 1040
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      Signatures: Enumerates connected drives; Interacts with shadow copies
      PID: 1056
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
      Signatures: Enumerates connected drives; Interacts with shadow copies
      PID: 1156
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      Signatures: Enumerates connected drives; Interacts with shadow copies
      PID: 1364
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
      Signatures: Enumerates connected drives; Interacts with shadow copies
      PID: 612
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      Signatures: Enumerates connected drives; Interacts with shadow copies
      PID: 1760
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
      Signatures: Enumerates connected drives; Interacts with shadow copies
      PID: 1652
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      Signatures: Enumerates connected drives; Interacts with shadow copies
      PID: 816
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
      Signatures: Enumerates connected drives; Interacts with shadow copies
      PID: 1324
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      Signatures: Enumerates connected drives; Interacts with shadow copies
      PID: 1532
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin.exe" Delete Shadows /all /quiet
      Signatures: Interacts with shadow copies
      PID: 992
    - C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
      Signatures: Opens file in notepad (likely ransom note)
      PID: 1612
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
      Signatures: Deletes itself
      PID: 480
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /C Y /N /D Y /T 3
        PID: 872
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 1616
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ce5a5d3da57ba2c58f9757336c90b781
- SHA1: 5d01ca5f821893183c184c35017e09229d8026af
- SHA256: a54bfea20b4c34132fb8dbc7cebf5ab2a79ad14aa52c0853837250e8314405c7
- SHA512: 851e2bd2b398880433f793ee9254bf72b4c8a1ca559a87080d97dbfc0648a60967582e61370acbe256d4704f2d4c31b978d36c2123d3c7567b2ff66a911d04de