Overview

overview

10

Static

static

10

08751be484...2d.dll

windows7-x64

10

08751be484...2d.dll

windows10-2004-x64

10

0a9f79abd4...51.exe

windows7-x64

3

0a9f79abd4...51.exe

windows10-2004-x64

3

0di3x.exe

windows7-x64

10

0di3x.exe

windows10-2004-x64

10

2019-09-02...10.exe

windows7-x64

10

2019-09-02...10.exe

windows10-2004-x64

10

2c01b00772...eb.exe

windows7-x64

7

2c01b00772...eb.exe

windows10-2004-x64

10

31.exe

windows7-x64

10

31.exe

windows10-2004-x64

10

3DMark 11 ...on.exe

windows7-x64

1

3DMark 11 ...on.exe

windows10-2004-x64

1

42f9729255...61.exe

windows7-x64

10

42f9729255...61.exe

windows10-2004-x64

10

5da0116af4...18.exe

windows7-x64

7

5da0116af4...18.exe

windows10-2004-x64

10

69c56d12ed...6b.exe

windows7-x64

10

69c56d12ed...6b.exe

windows10-2004-x64

10

905d572f23...50.exe

windows7-x64

10

905d572f23...50.exe

windows10-2004-x64

10

948340be97...54.exe

windows7-x64

10

948340be97...54.exe

windows10-2004-x64

10

95560f1a46...f9.dll

windows7-x64

1

95560f1a46...f9.dll

windows10-2004-x64

5

Archive.zi...3e.exe

windows7-x64

8

Archive.zi...3e.exe

windows10-2004-x64

8

[email protected]

windows7-x64

4

[email protected]

windows10-2004-x64

4

[email protected]

windows7-x64

1

[email protected]

windows10-2004-x64

1

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

240703-tn93lsyglf 10

03-07-2024 16:11

240703-tm84xsyfma 10

10-05-2024 16:25

240510-tw1h5shh47 10

24-08-2023 11:16

230824-nda8msdf8z 10

05-08-2023 22:52

230805-2tn2bsfa82 10

Analysis

  • max time kernel
    117s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03-07-2024 22:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score
10/10
hakbitevasionexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: TlkroxV7uOMSazLMhPqGnRtksVhbyHG7acxdrDqHP2DrBdG0dVbl5xq//MDgYyEd+6SoTSnRlK1jvWxbQM6L8HM4pR1jDW4ciZUUhxAA1R19vtbKYJlOjonDfluDC5TN0URvZT1cTPAc3uOcxf4DUmE+Agj1SRzt61LAL/w20BQvAaHKT2PUk5oQ8aXcU1ZYAUBgL0Ue5TweCFNlWSgxCcg2tte4SHm+W+XEiLpQG+jNrscIOb5eX7H5+xd6PCeF4Y4vd2N9tG9O+MJbMgSsf+G+DDbxkuUZ28QsdQLhzMMrNJ6lAp8tIcWRTjlreIV6eCJMaNUKmVpsnr+epytmF3Inzs2w9vH1rWD6FvALAVwtEgyeEWnVtNtQFPzGmhaHAJOiXWFOhtxdhEcXg8L3iEbSb+O3INIiuNZV1BVIZ1Ll2vjCGoZfhErrO2dKrzKdLGgMbEBlAUNgBlU1BptMhFl02UuLQNT0Kbir1YMND4TMYpG7qNTwongS+sIkHktc8XEsMmfvZwoVpo+zxopaXyF6fTb6rijWQh617HAVxWk0Q82TWdNBfTA072hCUoXWBycRPMNQjdEnPcYh+/Umx2kLPmYnIfnqqvz8g3BYE1C6A3+yVvmyVxvu46mm8krhmUxGMRMn1hboMxD9w4XHF9lQtN6u4AlV1nzxhf3vmCs= Number of files that were processed is: 493

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 47 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:2336
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      • Launches sc.exe
      PID:840
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      2⤵
      • Launches sc.exe
      PID:2760
    • C:\Windows\system32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      2⤵
      • Launches sc.exe
      PID:2608
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2512
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2444
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2536
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2472
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2416
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2432
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      2⤵
      • Kills process with taskkill
      PID:2952
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:700
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2156
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1584
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msaccess.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2220
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM outlook.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1932
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM msftesql.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:2020
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1972
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2228
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2232
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1644
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2404
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:336
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:680
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:324
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:784
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1336
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1420
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
          PID:2992
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.7 -n 3
            3⤵
            • Runs ping.exe
            PID:3744
          • C:\Windows\system32\fsutil.exe
            fsutil file setZeroData offset=0 length=524288 “%s”
            3⤵
              PID:2436
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
            2⤵
            • Deletes itself
            PID:680
            • C:\Windows\system32\choice.exe
              choice /C Y /N /D Y /T 3
              3⤵
                PID:1744

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck.energy[[email protected]]
            Filesize

            4KB

            MD5

            ec2ca11f86433fc302ea25cb335b4ec9

            SHA1

            7dfc0dc1f31238c506c663762a772f87d241fad4

            SHA256

            b83ce91389b8e56fe1b9ac994dd6cc69eafe9cc071985a98ec8ed6cfd6afd55d

            SHA512

            bec4593f01692a985918fb54c2727c15ac18b24482464c9888a000f567ce060030e76ee3fe1198e674c38ddb475ba37b46974704ea83dca55d39df7369883658

            Download Submit
          • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
            Filesize

            180KB

            MD5

            d8741bfa0d142ad1a24d23e07d85b3d0

            SHA1

            fe3a79c9f6b888b5e4b029ec70a681a08418bc88

            SHA256

            98865f3b8f7e20637e80481ae1037ee93a05faf4f6fe53c3acf7443cc8837a1c

            SHA512

            6e8c7912ff101f9dba8f71fa6cfad8de75bb6cfca632fb336be46c421e962cff528e8e5348a540eb78ef92bfc56263801d1561bcae08588ff63cabdc6923fc20

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            e571ac28e5b5ae9fc27502043bd7a940

            SHA1

            3a921962be9939f3bc5d6e75a5efdbdd7939d940

            SHA256

            f3adc9ea3fc5b3948856608b5926e53bdaea97bd91fcf6656d54a5ee7d367b5a

            SHA512

            55752b347db63838f6348bb8371b42becb8ceeca2582ae9d3706318c0c8d1a6b527c3fbad11391707d8a6a769015975f73269c3d3c2d6591bed71cfb7e536c92

            Download Submit
          • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
            Filesize

            828B

            MD5

            8bcbed3deb3567c2257de4781ffb3a1b

            SHA1

            0d2286c389db175cdb7df113bbe64a072f02af4d

            SHA256

            ee5c3e9739f3cd8c4d24926a8080674870267f774b0c20dc5761c3f712ff5998

            SHA512

            c89025cef9b7727de74f0409988a66e054998db5ec7005ac247fc9236539300307d5c775161739d63c09ff937d409d31724dd6019e1f994366be56236aabc7ac

            Download Submit
          • memory/1480-9-0x0000000002860000-0x0000000002868000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1480-7-0x000000001B7F0000-0x000000001BAD2000-memory.dmp
            Filesize

            2.9MB

            Download
          • memory/2836-0-0x000007FEF5773000-0x000007FEF5774000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2836-1-0x0000000000E80000-0x0000000000E9A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/2836-10-0x000007FEF5770000-0x000007FEF615C000-memory.dmp
            Filesize

            9.9MB

            Download
          • memory/2836-595-0x000007FEF5770000-0x000007FEF615C000-memory.dmp
            Filesize

            9.9MB

            Download