Overview

overview

10

Static

static

3

69c56d12ed...6b.exe

windows7-x64

10

69c56d12ed...6b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • Sample

    250124-fgvsfszrfx

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score
10/10
hakbitcredential_accessdefense_evasiondiscoveryexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: KSnMVWa32MqAxk13nRqUOr3zPZWQ8DRfQlZGM/NLIxHAi3Y238rnikdQAcep5E5AXRiu0pjfOFuevLYqdtD8xTdAF31q+j1FPbeHJ1kV/A72efTXZs/H3BpXL37urAndEGNFi/lL6G2qf+tgJkfhzTq4PQIPgY2xNcj7JhNiDr8z6nRMif4pWQkzuPSTMtIGx+sWR3kmIzdCKqAEwG4P9tn39/SbXXDGzqp/Wdi6VlQ+JFFsnGnHPw8nGi5GDgbx43H1VvRJdhyxPludwz+BizU0oX3h+GKd15glXXx+q9kw/Z7dmO6ht3PjrfIG2CIhvD4ylgeRT7ybu4njeyxcNz4qlSQHwSgSbz6cOxI3RbQFhAZ2w0qXhEhnITMs29s9eORSsC1u3UhiRCOSDjmrYzsrWLC1sm5dKfErWJFzFIfXPHtO5GnZBrnbsrxuXo3/nZNc6h9o4nPPMldPUYgzmyoViPBb7lt/5kFQQSPdEtfI/f6yFuYAPUhWFcE39pUjO1KKXcYUrSAU31/Hj8svKSUdP5h7NUIkQHw5CmUOFWz9/UToYl4Aznk1ZIcxAvjleQeDOHwZ/7+nkTAcK3lhJqqsyDzb7BipVio2UdmeCVL53D6baqlMVpyUcR43j/IRghnt1EA9jw0kpWd3/qfTg/KKQt9Np/2qw+9ItBvgDX4= Number of files that were processed is: 486

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: yOHL04v2fTwoWJOnYwYQ7dV6SE06JFERZRzO1NT2vCUT7ezgLptrhN1vryjFon8Ona+OEcqJo/wry052/IMQ9Ge0xVS4QocwDTMlFxR4Sm6ODy8mjS1qRa7NXr9pXWXMzq1A20UrixfREZfe1nwo3Vv2TQhGHzKKKFQ1r/zPxiaiNL4BRsd0G0l1NfVwyJE4DUbgzpsUHUtdXH4LNKf+SltkyVtrosBTDXFjdoo/WwTVBnQ408CHz+6IHCMMQYU/Dr3sejueky1wsY8f77yFi2dtYv/90jxQczUZmeLu7VZmnoHGw1LvL29H03raTKd4W7dhSt0M0QjI2zP9eeCf0N7NEQHOTimOoycMUIg+tYZsZyZ48ZhFq5V1SuxFKjCLtEShbUM5kle3eY5xcQCsH3Fn2793PUvDhEuRYPiTxETasZ+u1zTYQDh5j42xcpJnOEJh57rX5XMaNM5BkkI+IOWxnOUPBdGVbUO9KhWx69zXa3Qt36gcobnhPHQidd21yYTQTatXsnUfNOHftuK52FJxEA11qjrnh2vuBcZblfft5RGnx1eOge9BmD2xs4nKQMnKuOZHqdoNrUNQgJpfWdl1T+c1uiosucp2SWiQoP0mqlh1kDVAzfmrXafTCfgNfB2ATAFB2GUiEsU1R8hxbaWQlMwyBJGSrB2sHqEyW4k= Number of files that were processed is: 436

Targets

    • Target

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

    • Size

      80KB

    • MD5

      8152a3d0d76f7e968597f4f834fdfa9d

    • SHA1

      c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

    • SHA256

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

    • SHA512

      eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

    • SSDEEP

      1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

    Score
    10/10
    hakbitcredential_accessdefense_evasiondiscoveryexecutionransomwarespywarestealer

    • Disables service(s)

      defense_evasionexecution

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

      ransomwarehakbit

    • Hakbit family

      hakbit

    • Renames multiple (52) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks