Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
31-01-2022 23:06
General
-
Target
9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
-
Size
199KB
-
MD5
39c2a62f7024297c25f9a7b4157aba4c
-
SHA1
30c5c20fbfbd60442b963109ab257ee1969f7f88
-
SHA256
9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2
-
SHA512
502ef61a42a3575227284dcb43b2936772de9f97bec98345f0b9c93ae66c861d451440a07d8f86fb3130d499dc5bc56d3c5398c38346e6b3aa3c7614d9069236
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
Ransom Note
Atention! all your important files were encrypted!
to get your files back you have to send Bitcoins and contact us with proof of payment and your Unique Identifier Key.
We will send you a decryption tool with your personal decryption password.
Where can you buy Bitcoins:
https://www.coinbase.com
https://localbitcoins.com
Contact: servo99@protonmail.com.
Bitcoin wallet to make the transfer to is:
1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP
Unique Identifier Key (must be sent to us together with proof of payment):
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
qaHFzfa6ELe2xl5OZYs2CMxo9OKKDQoPIVIVvZHmteoVipmv2mlzUF/G5Jve9aQ4/afebkdEU4OINi9BqaJHdi1ojwxkUqJ3lymlRMZ6ap7OsCStucoEy8QWNlofIF1Ks96WxXiIipnfRfCGmE2xJi7V7plpmzKhDcKLstJQELxvJq3ox44a1oZCZdCtASO7Jvmeu23GnKbZMiSsCgXDZ9CCsuhEqwTcA7exTFDq2pBCSEx8e5MFBpCX7n0FYChT8No2Rf55iWJA9a5VLVTE+xD2xWbbGiAcYBZWixaeIdehyinLybJCMeP4/2i9ibNRTnOOabRjyk4p3QkpVgW4iw==
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Number of files that you could have potentially lost forever can be as high as: payment): 2
Emails
servo99@protonmail.com
Wallets
1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP
Signatures
-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 3 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y4⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y4⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y4⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y4⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y4⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled3⤵
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe3⤵
- Deletes itself
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txtMD5
ce5a5d3da57ba2c58f9757336c90b781
SHA15d01ca5f821893183c184c35017e09229d8026af
SHA256a54bfea20b4c34132fb8dbc7cebf5ab2a79ad14aa52c0853837250e8314405c7
SHA512851e2bd2b398880433f793ee9254bf72b4c8a1ca559a87080d97dbfc0648a60967582e61370acbe256d4704f2d4c31b978d36c2123d3c7567b2ff66a911d04de
-
memory/1480-63-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/1480-59-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/1480-60-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/1480-61-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/1480-62-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/1480-64-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/1480-65-0x0000000076C91000-0x0000000076C93000-memory.dmpFilesize
8KB
-
memory/1480-66-0x0000000000400000-0x0000000000730000-memory.dmpFilesize
3.2MB
-
memory/1536-56-0x00000000003F0000-0x0000000000404000-memory.dmpFilesize
80KB
-
memory/1536-57-0x0000000004B60000-0x0000000004B61000-memory.dmpFilesize
4KB
-
memory/1536-58-0x0000000000430000-0x0000000000446000-memory.dmpFilesize
88KB
-
memory/1536-54-0x0000000000B40000-0x0000000000B78000-memory.dmpFilesize
224KB
-
memory/1536-55-0x00000000002E0000-0x00000000002E6000-memory.dmpFilesize
24KB