hakbit | 9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-en-20211208
submitted
31-01-2022 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
Size

199KB
MD5

39c2a62f7024297c25f9a7b4157aba4c
SHA1

30c5c20fbfbd60442b963109ab257ee1969f7f88
SHA256

9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2
SHA512

502ef61a42a3575227284dcb43b2936772de9f97bec98345f0b9c93ae66c861d451440a07d8f86fb3130d499dc5bc56d3c5398c38346e6b3aa3c7614d9069236

Score

10^/10

hakbit ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note

Atention! all your important files were encrypted! to get your files back you have to send Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: [email protected]. Bitcoin wallet to make the transfer to is: 1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ qaHFzfa6ELe2xl5OZYs2CMxo9OKKDQoPIVIVvZHmteoVipmv2mlzUF/G5Jve9aQ4/afebkdEU4OINi9BqaJHdi1ojwxkUqJ3lymlRMZ6ap7OsCStucoEy8QWNlofIF1Ks96WxXiIipnfRfCGmE2xJi7V7plpmzKhDcKLstJQELxvJq3ox44a1oZCZdCtASO7Jvmeu23GnKbZMiSsCgXDZ9CCsuhEqwTcA7exTFDq2pBCSEx8e5MFBpCX7n0FYChT8No2Rf55iWJA9a5VLVTE+xD2xWbbGiAcYBZWixaeIdehyinLybJCMeP4/2i9ibNRTnOOabRjyk4p3QkpVgW4iw== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: payment): 2

Emails

[email protected]

Wallets

1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Deletes itself 1 IoCs

pid	Process
480	cmd.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1536 set thread context of 1480	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	28

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1536	vssadmin.exe
1156	vssadmin.exe
992	vssadmin.exe
1564	vssadmin.exe
1364	vssadmin.exe
612	vssadmin.exe
1760	vssadmin.exe
1652	vssadmin.exe
1040	vssadmin.exe
816	vssadmin.exe
1324	vssadmin.exe
1732	vssadmin.exe
1056	vssadmin.exe
1532	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1468	taskkill.exe
1380	taskkill.exe
2028	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1612	notepad.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
Token: SeDebugPrivilege	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeBackupPrivilege	1616	vssvc.exe
Token: SeRestorePrivilege	1616	vssvc.exe
Token: SeAuditPrivilege	1616	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 696	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	27
PID 1536 wrote to memory of 696	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	27
PID 1536 wrote to memory of 696	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	27
PID 1536 wrote to memory of 696	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	27
PID 1536 wrote to memory of 1480	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	28
PID 1536 wrote to memory of 1480	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	28
PID 1536 wrote to memory of 1480	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	28
PID 1536 wrote to memory of 1480	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	28
PID 1536 wrote to memory of 1480	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	28
PID 1536 wrote to memory of 1480	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	28
PID 1536 wrote to memory of 1480	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	28
PID 1536 wrote to memory of 1480	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	28
PID 1536 wrote to memory of 1480	1536	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	28
PID 1480 wrote to memory of 1832	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	29
PID 1480 wrote to memory of 1832	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	29
PID 1480 wrote to memory of 1832	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	29
PID 1480 wrote to memory of 1832	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	29
PID 1832 wrote to memory of 1148	1832	net.exe	31
PID 1832 wrote to memory of 1148	1832	net.exe	31
PID 1832 wrote to memory of 1148	1832	net.exe	31
PID 1832 wrote to memory of 1148	1832	net.exe	31
PID 1480 wrote to memory of 1544	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	32
PID 1480 wrote to memory of 1544	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	32
PID 1480 wrote to memory of 1544	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	32
PID 1480 wrote to memory of 1544	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	32
PID 1544 wrote to memory of 432	1544	net.exe	34
PID 1544 wrote to memory of 432	1544	net.exe	34
PID 1544 wrote to memory of 432	1544	net.exe	34
PID 1544 wrote to memory of 432	1544	net.exe	34
PID 1480 wrote to memory of 1460	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	35
PID 1480 wrote to memory of 1460	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	35
PID 1480 wrote to memory of 1460	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	35
PID 1480 wrote to memory of 1460	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	35
PID 1460 wrote to memory of 956	1460	net.exe	37
PID 1460 wrote to memory of 956	1460	net.exe	37
PID 1460 wrote to memory of 956	1460	net.exe	37
PID 1460 wrote to memory of 956	1460	net.exe	37
PID 1480 wrote to memory of 736	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	38
PID 1480 wrote to memory of 736	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	38
PID 1480 wrote to memory of 736	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	38
PID 1480 wrote to memory of 736	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	38
PID 736 wrote to memory of 1588	736	net.exe	40
PID 736 wrote to memory of 1588	736	net.exe	40
PID 736 wrote to memory of 1588	736	net.exe	40
PID 736 wrote to memory of 1588	736	net.exe	40
PID 1480 wrote to memory of 1404	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	41
PID 1480 wrote to memory of 1404	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	41
PID 1480 wrote to memory of 1404	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	41
PID 1480 wrote to memory of 1404	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	41
PID 1404 wrote to memory of 1836	1404	net.exe	43
PID 1404 wrote to memory of 1836	1404	net.exe	43
PID 1404 wrote to memory of 1836	1404	net.exe	43
PID 1404 wrote to memory of 1836	1404	net.exe	43
PID 1480 wrote to memory of 1092	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	44
PID 1480 wrote to memory of 1092	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	44
PID 1480 wrote to memory of 1092	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	44
PID 1480 wrote to memory of 1092	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	44
PID 1480 wrote to memory of 1072	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	46
PID 1480 wrote to memory of 1072	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	46
PID 1480 wrote to memory of 1072	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	46
PID 1480 wrote to memory of 1072	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	46
PID 1480 wrote to memory of 1132	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	48
PID 1480 wrote to memory of 1132	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	48
PID 1480 wrote to memory of 1132	1480	9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe	48

C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
"C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
  "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
  2⤵
  PID:696
- C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
  "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop avpsus /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:1148
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:432
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mfewc /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:956
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:1588
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:1836
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:952
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1732
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1536
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1564
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1040
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1056
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1156
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1364
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:612
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1760
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1652
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:816
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1324
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1532
- - C:\Windows\SysWOW64\vssadmin.exe
    "vssadmin.exe" Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:992
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
    3⤵
    - Deletes itself
    PID:480
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1480-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1480-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1480-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1480-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1480-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1480-65-0x0000000076C91000-0x0000000076C93000-memory.dmp

Filesize
8KB

Download
memory/1480-66-0x0000000000400000-0x0000000000730000-memory.dmp

Filesize
3.2MB

Download
memory/1536-56-0x00000000003F0000-0x0000000000404000-memory.dmp

Filesize
80KB

Download
memory/1536-57-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/1536-58-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/1536-54-0x0000000000B40000-0x0000000000B78000-memory.dmp

Filesize
224KB

Download
memory/1536-55-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download