Analysis

  • max time kernel
    170s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    31-01-2022 23:06

General

  • Target

    9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe

  • Size

    199KB

  • MD5

    39c2a62f7024297c25f9a7b4157aba4c

  • SHA1

    30c5c20fbfbd60442b963109ab257ee1969f7f88

  • SHA256

    9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

  • SHA512

    502ef61a42a3575227284dcb43b2936772de9f97bec98345f0b9c93ae66c861d451440a07d8f86fb3130d499dc5bc56d3c5398c38346e6b3aa3c7614d9069236

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note
Atention! all your important files were encrypted! to get your files back you have to send Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: servo99@protonmail.com. Bitcoin wallet to make the transfer to is: 1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ hzqjGuzQ7/r+2HJj6VC4GV/HaM45Q8DtOcIp2HiHxz4Njc9uX7v7K3Xgjp9oMms44DoGYh1Qy7FAEpyMMx6IOrRkEJ61nwkXSlhSc1GLmg5Lk0PdKsd9bbcrSlsTzv6b+bD1ZFcYgptdzKIp1Wb7kPDqPKE8uwhaWYU2pg5PNW9AAM3icPz4PFcpwBZI7G2B52cKa+yh32CPk5KWpKaZlaLjOaXe+4IzgCCbemnZ9+Zorn02SJuSL8w8/7LsCCc+mrfU922L135ikrdnS7hht1EngyuM6zClwlzL/68rZZg8KIA70haa3d3PkEwo401sVSZSgl9wbw0fkzBTJv9l/Q== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: payment): 4
Emails

servo99@protonmail.com

Wallets

1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Sets service image path in registry 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
    "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
      "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
      2⤵
      PID:3600
    • C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
      "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
      2⤵
      PID:1288
    • C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
      "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Windows\SysWOW64\net.exe
        "net.exe" stop avpsus /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3872
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop avpsus /y
          4⤵
          PID:2516
      • C:\Windows\SysWOW64\net.exe
        "net.exe" stop McAfeeDLPAgentService /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1840
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
          4⤵
          PID:2132
      • C:\Windows\SysWOW64\net.exe
        "net.exe" stop mfewc /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop mfewc /y
          4⤵
          PID:3360
      • C:\Windows\SysWOW64\net.exe
        "net.exe" stop BMR Boot Service /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop BMR Boot Service /y
          4⤵
          PID:1248
      • C:\Windows\SysWOW64\net.exe
        "net.exe" stop NetBackup BMR MTFTP Service /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
          4⤵
          PID:3436
      • C:\Windows\SysWOW64\sc.exe
        "sc.exe" config SQLTELEMETRY start= disabled
        3⤵
        PID:3468
      • C:\Windows\SysWOW64\sc.exe
        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
        3⤵
        PID:912
      • C:\Windows\SysWOW64\sc.exe
        "sc.exe" config SQLWriter start= disabled
        3⤵
        PID:3952
      • C:\Windows\SysWOW64\sc.exe
        "sc.exe" config SstpSvc start= disabled
        3⤵
        PID:2744
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:224
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1876
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3504
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
        3⤵
        PID:3924
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
          PID:2304
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 81bf57d6effcaa8c73fc8e38da33526d Uw/7oEepo0arbvGyPr1SyQ.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe.log
    MD5: fb3264819f05b468156e37fecd7ca1e7
    SHA1: 8461be627ec2c21766472ac5a9215204f6cd03d6
    SHA256: 902e22368b4d29d67c78eb445d67c7e36001a79c7701a1e171a9c7af457a739c
    SHA512: ddcb2a199799dc30a5627d6bb2aff30aca350b52e15f574ecc9e9e9e4d388fd1fe808b5fd2a8ea7015c91e369a06f045be455bf070c6d20d8c3b1c06de8ef964
  • memory/3800-130-0x0000000000D30000-0x0000000000D68000-memory.dmp
    Filesize: 224KB
  • memory/3800-131-0x000000000DA10000-0x000000000DFB4000-memory.dmp
    Filesize: 5.6MB
  • memory/3800-132-0x000000000D500000-0x000000000D592000-memory.dmp
    Filesize: 584KB
  • memory/3800-133-0x0000000004990000-0x0000000004C50000-memory.dmp
    Filesize: 2.8MB
  • memory/3800-134-0x000000000D4B0000-0x000000000D4BA000-memory.dmp
    Filesize: 40KB
  • memory/3800-135-0x000000000D710000-0x000000000D786000-memory.dmp
    Filesize: 472KB
  • memory/3800-259-0x00000000008C0000-0x00000000008DE000-memory.dmp
    Filesize: 120KB
  • memory/3896-260-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB
  • memory/3896-261-0x0000000004960000-0x0000000004971000-memory.dmp
    Filesize: 68KB