Analysis

  • max time kernel
    170s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    31-01-2022 23:06

General

  • Target

    9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe

  • Size

    199KB

  • MD5

    39c2a62f7024297c25f9a7b4157aba4c

  • SHA1

    30c5c20fbfbd60442b963109ab257ee1969f7f88

  • SHA256

    9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2

  • SHA512

    502ef61a42a3575227284dcb43b2936772de9f97bec98345f0b9c93ae66c861d451440a07d8f86fb3130d499dc5bc56d3c5398c38346e6b3aa3c7614d9069236

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note
Atention! all your important files were encrypted! to get your files back you have to send Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: [email protected]. Bitcoin wallet to make the transfer to is: 1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ hzqjGuzQ7/r+2HJj6VC4GV/HaM45Q8DtOcIp2HiHxz4Njc9uX7v7K3Xgjp9oMms44DoGYh1Qy7FAEpyMMx6IOrRkEJ61nwkXSlhSc1GLmg5Lk0PdKsd9bbcrSlsTzv6b+bD1ZFcYgptdzKIp1Wb7kPDqPKE8uwhaWYU2pg5PNW9AAM3icPz4PFcpwBZI7G2B52cKa+yh32CPk5KWpKaZlaLjOaXe+4IzgCCbemnZ9+Zorn02SJuSL8w8/7LsCCc+mrfU922L135ikrdnS7hht1EngyuM6zClwlzL/68rZZg8KIA70haa3d3PkEwo401sVSZSgl9wbw0fkzBTJv9l/Q== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: payment): 4
Wallets

1MYNpqa9CKnjvcvxd25iB7qxxeZbfWsBzP

Signatures

  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Sets service image path in registry 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
    "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
      "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
      2⤵
        PID:3600
      • C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
        "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
        2⤵
          PID:1288
        • C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
          "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe"
          2⤵
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3896
          • C:\Windows\SysWOW64\net.exe
            "net.exe" stop avpsus /y
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3872
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop avpsus /y
              4⤵
                PID:2516
            • C:\Windows\SysWOW64\net.exe
              "net.exe" stop McAfeeDLPAgentService /y
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1840
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
                4⤵
                  PID:2132
              • C:\Windows\SysWOW64\net.exe
                "net.exe" stop mfewc /y
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4088
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop mfewc /y
                  4⤵
                    PID:3360
                • C:\Windows\SysWOW64\net.exe
                  "net.exe" stop BMR Boot Service /y
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1244
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop BMR Boot Service /y
                    4⤵
                      PID:1248
                  • C:\Windows\SysWOW64\net.exe
                    "net.exe" stop NetBackup BMR MTFTP Service /y
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1632
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
                      4⤵
                        PID:3436
                    • C:\Windows\SysWOW64\sc.exe
                      "sc.exe" config SQLTELEMETRY start= disabled
                      3⤵
                        PID:3468
                      • C:\Windows\SysWOW64\sc.exe
                        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                        3⤵
                          PID:912
                        • C:\Windows\SysWOW64\sc.exe
                          "sc.exe" config SQLWriter start= disabled
                          3⤵
                            PID:3952
                          • C:\Windows\SysWOW64\sc.exe
                            "sc.exe" config SstpSvc start= disabled
                            3⤵
                              PID:2744
                            • C:\Windows\SysWOW64\taskkill.exe
                              "taskkill.exe" /IM mspub.exe /F
                              3⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:224
                            • C:\Windows\SysWOW64\taskkill.exe
                              "taskkill.exe" /IM mydesktopqos.exe /F
                              3⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1876
                            • C:\Windows\SysWOW64\taskkill.exe
                              "taskkill.exe" /IM mydesktopservice.exe /F
                              3⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2808
                            • C:\Windows\SysWOW64\notepad.exe
                              "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
                              3⤵
                              • Opens file in notepad (likely ransom note)
                              PID:3504
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe
                              3⤵
                                PID:3924
                                • C:\Windows\SysWOW64\choice.exe
                                  choice /C Y /N /D Y /T 3
                                  4⤵
                                    PID:2304
                            • C:\Windows\System32\WaaSMedicAgent.exe
                              C:\Windows\System32\WaaSMedicAgent.exe 81bf57d6effcaa8c73fc8e38da33526d Uw/7oEepo0arbvGyPr1SyQ.0.1.0.0.0
                              1⤵
                              • Modifies data under HKEY_USERS
                              PID:3968

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9784148014987a39d87265c015962e9535ed86e861093a6c59691095a19be7c2.exe.log
                              MD5

                              fb3264819f05b468156e37fecd7ca1e7

                              SHA1

                              8461be627ec2c21766472ac5a9215204f6cd03d6

                              SHA256

                              902e22368b4d29d67c78eb445d67c7e36001a79c7701a1e171a9c7af457a739c

                              SHA512

                              ddcb2a199799dc30a5627d6bb2aff30aca350b52e15f574ecc9e9e9e4d388fd1fe808b5fd2a8ea7015c91e369a06f045be455bf070c6d20d8c3b1c06de8ef964

                            • memory/3800-130-0x0000000000D30000-0x0000000000D68000-memory.dmp
                              Filesize

                              224KB

                            • memory/3800-131-0x000000000DA10000-0x000000000DFB4000-memory.dmp
                              Filesize

                              5.6MB

                            • memory/3800-132-0x000000000D500000-0x000000000D592000-memory.dmp
                              Filesize

                              584KB

                            • memory/3800-133-0x0000000004990000-0x0000000004C50000-memory.dmp
                              Filesize

                              2.8MB

                            • memory/3800-134-0x000000000D4B0000-0x000000000D4BA000-memory.dmp
                              Filesize

                              40KB

                            • memory/3800-135-0x000000000D710000-0x000000000D786000-memory.dmp
                              Filesize

                              472KB

                            • memory/3800-259-0x00000000008C0000-0x00000000008DE000-memory.dmp
                              Filesize

                              120KB

                            • memory/3896-260-0x0000000000400000-0x0000000000410000-memory.dmp
                              Filesize

                              64KB

                            • memory/3896-261-0x0000000004960000-0x0000000004971000-memory.dmp
                              Filesize

                              68KB