Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

69c56d12ed...6b.exe

windows7-x64

10

69c56d12ed...6b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • Sample

    250123-c39a7axrbw

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score
10/10
hakbitcredential_accessdefense_evasiondiscoveryexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: S/XkYGnuRXS0FbMwiRBKLY0EqvKaSltPGSHaCyXbc08BwBfeutGvXpEpLnePncCtFXU16kXFf+IP/DPq2LwcC1BA1CQsHzxK7Jb/K7nWtwd3Pvs56BN/pvSmQwqEYig4N23jLQ3ajjs9OGHq3pGKhbE719Dr6oZDR2FlDZE05AlRzwN019SIiyCt1YldlnjgvSzCMSvDqdepZxcDl+6jJZk5SkzNKBgj+dv8MLdKY3HpyzWMXRIkszjFppPjP4nPuHggoGVbEK1VLjjmyTm63AMe6k16DETXyzKNM6QwQMg3ic9DsN9I2EK639q6O2QRq85BhG6rQFsPuFv1upaSkz6D+wrAvg3yxhq9D/E/QKQtja8YjhHRq5xMuvJ3GAq+TdYyv0QAgw+65t2MHLGMBi8xEaah86GXcvecvfZhtRm7q3RzZ3/DuxGw1zCc+3hDJYMwL8URM13mZRQDWK9yUejFWvTbnvfONpbxDQa4/tTaJ1vLZeETKHRean5xXUymaKa7jNGeWYVTJ1aq6vk7p23WUCzAU6i/xHaXZo0EJgKMVmRLWNp7U6z+Sz9tj9UGk2HwrYWYpc+rnzE3t9oT97S5jRfE/eT9M1gH9ewWmd5qx2SzrQqbo2nhLxf7VwrCz1RHYN0uCVERRNWmsQw/AqAT7oMJ/2+GyPhs0MpeZfA= Number of files that were processed is: 468

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: te5s2xJmRir0vkfsc//vWJWBUjlxkIP35D8I+f31kkMhqQJOJvOXYcCFu3MgAh16rXBgihZg85KMSze1Bukr7CC7l/brHFguVyR84IGbk3571Bvc7sj7MDpGBu8nSQ42Q7ujEGfrUxowmLK8HlgNa6d7I0sSOzBANTsI0UYFuECa0PEmM9dNTshEKulk2QU282Y7hLEW30t7RchxVo/piM8iVWFBB1vaeRmEkYo26hDsmLK+8G44LMplLDKsMtqXG4rH3tMnRiP17sa12QyFtetK6l7NOZ3RfpJp/9DmUfKmj4KHIc/Rxuln2EW86rXRpUn2IpBad3eUrr5xbzI9cmR8gUFuiOivditrBqWKtimk+f0GHA4cIlLtbAgu9PKldYHo0nkw7tjAu9B4YJPZ2+pE8LTUmjlN1R2fplZqb+xL00hfFylULpHvP0Jk0sS0T06WE/GMJqgsMdZBIomeMRSGhyU3RpFOmKM/5H7dkTaSYGBNmAEN7fTaLXiQ3PwG27BLdLTF9Jy0TzqSg/zYfiYhTjyCM9rqE09w7S8VsGo3L9p41wXJePHHlGAXrzMCuhWymgV4qEGYTuIt9ZpVaH0CyspEMtWVBBy397Vl5BaZN8SbTeUbFnnbbtrY5TQJ2JO+m4eReGz+uy8msSc8dk4ABIT+c2Uy7/LWgr4Noh8= Number of files that were processed is: 448

Targets

    • Target

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

    • Size

      80KB

    • MD5

      8152a3d0d76f7e968597f4f834fdfa9d

    • SHA1

      c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

    • SHA256

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

    • SHA512

      eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

    • SSDEEP

      1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

    Score
    10/10
    hakbitcredential_accessdefense_evasiondiscoveryexecutionransomwarespywarestealer

    • Disables service(s)

      defense_evasionexecution

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

      ransomwarehakbit

    • Hakbit family

      hakbit

    • Renames multiple (53) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks