Overview

overview

10

Static

static

10

08751be484...2d.dll

windows7-x64

10

08751be484...2d.dll

windows10-2004-x64

10

0a9f79abd4...51.exe

windows7-x64

3

0a9f79abd4...51.exe

windows10-2004-x64

3

0di3x.exe

windows7-x64

10

0di3x.exe

windows10-2004-x64

10

2019-09-02...10.exe

windows7-x64

10

2019-09-02...10.exe

windows10-2004-x64

10

2c01b00772...eb.exe

windows7-x64

10

2c01b00772...eb.exe

windows10-2004-x64

10

31.exe

windows7-x64

10

31.exe

windows10-2004-x64

10

3DMark 11 ...on.exe

windows7-x64

1

3DMark 11 ...on.exe

windows10-2004-x64

1

42f9729255...61.exe

windows7-x64

10

42f9729255...61.exe

windows10-2004-x64

10

5da0116af4...18.exe

windows7-x64

10

5da0116af4...18.exe

windows10-2004-x64

10

69c56d12ed...6b.exe

windows7-x64

10

69c56d12ed...6b.exe

windows10-2004-x64

10

905d572f23...50.exe

windows7-x64

10

905d572f23...50.exe

windows10-2004-x64

10

948340be97...54.exe

windows7-x64

10

948340be97...54.exe

windows10-2004-x64

10

95560f1a46...f9.dll

windows7-x64

1

95560f1a46...f9.dll

windows10-2004-x64

1

Archive.zi...3e.exe

windows7-x64

8

Archive.zi...3e.exe

windows10-2004-x64

8

[email protected]

windows7-x64

4

[email protected]

windows10-2004-x64

4

[email protected]

windows7-x64

1

[email protected]

windows10-2004-x64

1

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

240703-tn93lsyglf 10

03-07-2024 16:11

240703-tm84xsyfma 10

10-05-2024 16:25

240510-tw1h5shh47 10

24-08-2023 11:16

230824-nda8msdf8z 10

05-08-2023 22:52

230805-2tn2bsfa82 10

Analysis

  • max time kernel
    1563s
  • max time network
    1570s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    03-07-2024 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score
10/10
hakbitevasionexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: HDMImGNyoKR9Ge0ANF3b0ZRFi2eKV9fYzkaLhkTW+vCWw8Jzlhm1DxEHJzebcjlrdlfzLvNjw4+h0P+vE4Y9hkpOLpAOiLhmK+lGqqof1TwpzWUGrO+aeXqtwxFGDcibN0tneJoKrbAZBpCBnRP6C6C96xCLiuaKaz6E3z5sehyRM+m9edRC0qsM/r1qqC9Mf25CLVY6BVzvqc+YEbbBN1ggL/RzEkSzc3EzSHFENvBGeMndoNE5NCLwtNLCLKYqMFgtH4J7p1MILjBSaAzhcEP2mLPkdpi4OWH4ZgcZjw/2F4EJ6ZaboTiMVrUsxBZ+9T4k6hIth0GYeaef89h/OPQPd/zuk8IMRHsB7TxNUwwHEKyB6IH+jnLnxDB6sg/LEZyJ9tTYwBnQzAyT3LBg8/l0NQKmsHX/tez7Rxr9DExP6FhPSaN04jU2UbuvTnlJG9IfBFKXSgkKvZ376l4Ke4gCxiNlssPPn3tniOJshk+fiKHpjT/gSxJJh6W9WdJkzCG5R/HnwDqPRTEjuCrOJviSjmSouHaBw0EqAwxGJZt02Ij0iJBEvJ0Dnbabq9cPCbQc7nWiHfhsVcPMB+I5feUWXjacn/wmQM1o7yDd0YiGJiAuTFkZuiiHzaZ+Z395yL8auaVRRuWR5qNXEbuFrh6KYopfvi5PLyYMa7BzTEU= Number of files that were processed is: 480

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 47 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:2160
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:3008
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
        2⤵
        • Launches sc.exe
        PID:2336
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLWriter start= disabled
        2⤵
        • Launches sc.exe
        PID:2616
      • C:\Windows\system32\sc.exe
        "sc.exe" config SstpSvc start= disabled
        2⤵
        • Launches sc.exe
        PID:2664
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2604
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqbcoreservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM firefoxconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM agntsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM thebat.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2496
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM steam.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2508
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM encsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2684
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM excel.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM CNTAoSMgr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlwriter.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tbirdconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2640
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM dbeng50.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM thebat64.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2912
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocomm.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2108
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM infopath.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2276
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mbamtray.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2192
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM zoolz.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:376
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" IM thunderbird.exe /F
        2⤵
        • Kills process with taskkill
        PID:1632
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM dbsnmp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1568
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM xfssvccon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1468
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1496
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM Ntrtscan.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM isqlplussvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1460
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM onenote.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1368
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM PccNTMon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:632
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2716
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2984
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2620
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2584
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2616
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2360
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2344
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1796
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1704
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:2948
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
          PID:1268
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.7 -n 3
            3⤵
            • Runs ping.exe
            PID:1284
          • C:\Windows\system32\fsutil.exe
            fsutil file setZeroData offset=0 length=524288 “%s”
            3⤵
              PID:1804
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
            2⤵
            • Deletes itself
            PID:860
            • C:\Windows\system32\choice.exe
              choice /C Y /N /D Y /T 3
              3⤵
                PID:2864

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          System Services

          1
          T1569

          Service Execution

          1
          T1569.002

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Credential Access

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          System Information Discovery

          1
          T1082

          Remote System Discovery

          1
          T1018

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Service Stop

          1
          T1489

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck.energy[[email protected]]
            Filesize

            4KB

            MD5

            f867cb4e20f7b157186f37968db0a5c1

            SHA1

            07787a18870793461ab3ab3c4a902fbf8d443205

            SHA256

            de41b9ddebc54ef5dcacf055852f740eeb12b4533e3cb64b396b8aed2fa81e23

            SHA512

            e33701939e442e63b86b67b42acd1a26d2a3ca87bc1ab0756bc1a7fa6c4881925cca9dc59f54a7e522651a225163389a26877c233439266ac366614eef2f2d7e

            Download Submit
          • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
            Filesize

            180KB

            MD5

            efc7ef8e5e96a014e9e414973f130806

            SHA1

            8bc59b790ba482c9294ff9711b9ab5bf26a5b0b8

            SHA256

            61b043f7954b995c9367ef90152e0ef7a5c67126efa6e21a2a67271896335eed

            SHA512

            74be7e54a65c4b0588a2ff67802c2143046e373bd60c391ab3505848813f15afae1c70afbb0fcd72cde5856ff4ef078deecce7dc040987c3580f5a37ee508a11

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            59644ea55e2c9809dcf12ca86d12de38

            SHA1

            8bf06ae2a017d467720779c716dd27e7a848dc5c

            SHA256

            d8393801de246d6d40b8fc0abbff2ffa6efeb3c60a1abcba6a81413ca5524360

            SHA512

            3e44e75a5d8ee5b73a7ba009c884993899c3655d30b05ec219dc831a82b6c7b2a9419688f8113a98f9618670277d3cbd1c0d72d88584c0b70fd81bb54cdcc0e7

            Download Submit
          • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
            Filesize

            828B

            MD5

            4315580d6493d71dab315ab89ebb3930

            SHA1

            b66443f76045f3765651dab9b2263326857fde8c

            SHA256

            fd7dbd55c1d68dbea780f22bb89e2e9a170e45a85c1c1453b3631c3fe45c08d6

            SHA512

            23d1418b7cf57d62e7803163ab4ea9d068c802682a97a038680640015ccaeffbe31cc645ca58ceee5c8182e02324fea5d23b8893c5b703b04f58a27022c1a2c9

            Download Submit
          • memory/1704-14-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
            Filesize

            2.9MB

            Download
          • memory/1704-15-0x0000000001FE0000-0x0000000001FE8000-memory.dmp
            Filesize

            32KB

            Download
          • memory/2068-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2068-1-0x0000000000CE0000-0x0000000000CFA000-memory.dmp
            Filesize

            104KB

            Download
          • memory/2068-3-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp
            Filesize

            9.9MB

            Download
          • memory/2068-598-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp
            Filesize

            9.9MB

            Download