Overview

overview

10

Static

static

3

69c56d12ed...6b.exe

windows7-x64

10

69c56d12ed...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/01/2025, 04:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score
10/10
hakbitcredential_accessdefense_evasiondiscoveryexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: KSnMVWa32MqAxk13nRqUOr3zPZWQ8DRfQlZGM/NLIxHAi3Y238rnikdQAcep5E5AXRiu0pjfOFuevLYqdtD8xTdAF31q+j1FPbeHJ1kV/A72efTXZs/H3BpXL37urAndEGNFi/lL6G2qf+tgJkfhzTq4PQIPgY2xNcj7JhNiDr8z6nRMif4pWQkzuPSTMtIGx+sWR3kmIzdCKqAEwG4P9tn39/SbXXDGzqp/Wdi6VlQ+JFFsnGnHPw8nGi5GDgbx43H1VvRJdhyxPludwz+BizU0oX3h+GKd15glXXx+q9kw/Z7dmO6ht3PjrfIG2CIhvD4ylgeRT7ybu4njeyxcNz4qlSQHwSgSbz6cOxI3RbQFhAZ2w0qXhEhnITMs29s9eORSsC1u3UhiRCOSDjmrYzsrWLC1sm5dKfErWJFzFIfXPHtO5GnZBrnbsrxuXo3/nZNc6h9o4nPPMldPUYgzmyoViPBb7lt/5kFQQSPdEtfI/f6yFuYAPUhWFcE39pUjO1KKXcYUrSAU31/Hj8svKSUdP5h7NUIkQHw5CmUOFWz9/UToYl4Aznk1ZIcxAvjleQeDOHwZ/7+nkTAcK3lhJqqsyDzb7BipVio2UdmeCVL53D6baqlMVpyUcR43j/IRghnt1EA9jw0kpWd3/qfTg/KKQt9Np/2qw+9ItBvgDX4= Number of files that were processed is: 486

Signatures

  • Disables service(s) 3 TTPs
    defense_evasionexecution
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Hakbit family
    hakbit
  • Renames multiple (52) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 47 IoCs
    defense_evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:3028
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:1256
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
        2⤵
        • Launches sc.exe
        PID:2892
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLWriter start= disabled
        2⤵
        • Launches sc.exe
        PID:2128
      • C:\Windows\system32\sc.exe
        "sc.exe" config SstpSvc start= disabled
        2⤵
        • Launches sc.exe
        PID:2188
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2852
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2712
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3056
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqbcoreservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2132
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM firefoxconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM agntsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM thebat.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2684
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM steam.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2788
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM encsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM excel.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM CNTAoSMgr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2816
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlwriter.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tbirdconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM dbeng50.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2904
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM thebat64.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocomm.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM infopath.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2540
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mbamtray.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM zoolz.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" IM thunderbird.exe /F
        2⤵
        • Kills process with taskkill
        PID:2900
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM dbsnmp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2812
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM xfssvccon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM Ntrtscan.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM isqlplussvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM onenote.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM PccNTMon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1600
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2980
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2584
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1092
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1556
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1156
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1272
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1976
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2972
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2728
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2740
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2064
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1636
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2096
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:684
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:832
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1356
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:3084
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2868
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.7 -n 3
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2732
        • C:\Windows\system32\fsutil.exe
          fsutil file setZeroData offset=0 length=524288 “%s”
          3⤵
            PID:3308
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
          2⤵
          • Deletes itself
          PID:1368
          • C:\Windows\system32\choice.exe
            choice /C Y /N /D Y /T 3
            3⤵
              PID:3452

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        System Services

        1
        T1569

        Service Execution

        1
        T1569.002

        Persistence

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Privilege Escalation

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Defense Evasion

        Credential Access

        Credentials from Password Stores

        2
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Windows Credential Manager

        1
        T1555.004

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Browser Information Discovery

        1
        T1217

        Remote System Discovery

        1
        T1018

        System Information Discovery

        1
        T1082

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Service Stop

        1
        T1489

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck.energy[[email protected]]
          Filesize

          4KB

          MD5

          9a9a8ee69da0d5465cdce53f13c5c9e1

          SHA1

          bac8eca52c61f9ee998f309b957e2c6ffeee5f8b

          SHA256

          802d21015ed25c72ea46fd1785f2debc61a7cdc56b8f81ab5ad7f283ead673b9

          SHA512

          668a1d5b727a4514fbc6cc9d2fbe2ee5f7314cc8c9ec580a91d60c2027245a8d0ad146771530a1a8218b3541cad10308fb0cddb07718f2f887da28c1cb1269b0

          Download Submit

        • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
          Filesize

          180KB

          MD5

          81360d8e3bb611236e54e17ed62c9971

          SHA1

          610e725453a13f1731ab37dac442219ed17be4e8

          SHA256

          8186424aeb1fac25be6cc9d8fb7c69f6d38ccc4fd9adc464adaae84e10175e8b

          SHA512

          0f2af9a954b0f59c66a8c196d93f12a116281459b72ee8b0ef80521d514842270bc84cc122dfa50b1510178ceb03514300b2aa6dbed6c55ec64ca58eb1c0bc1d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          dde1f47c72b8f535cf5d371b2a281e66

          SHA1

          bbb234f80d40473b10094f962e087a2a630e791a

          SHA256

          4876cce946dd6385863dc52a5d4c253c99ed1f9d16fc3ca281565a6ce207c959

          SHA512

          ab1b9d2c55f5d71f948b64245abf2af151fda8664d38a0bda55d2e29e9dcae81512936d5aa98a0711edd00dd1ec19128eab094b282c0d9a435ab465f05eede99

          Download Submit

        • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
          Filesize

          828B

          MD5

          0bce029ef79ef4447f94c19b0a154ea5

          SHA1

          d91230dabfb8c7d616923280be9cdbe9c4f2f8e2

          SHA256

          f55a564d9cceede4a2359fa4600f6fbbaa69de0ee37abe288fcb7a515e341332

          SHA512

          1728b49db6d9206ec9f052b9a9d6e55b717ec5385b1a83333ad1ce97adf80ea63c62be696bc2989ff319d244878a3c0038de9aeabd9881c18f7e4ccae6d810d2

          Download Submit

        • C:\Users\Admin\Desktop\SkipPublish.xlsx.energy[[email protected]]
          Filesize

          12KB

          MD5

          56f8f350c0960942a29ee7ab73d93c1f

          SHA1

          e5eb6749e2f991f329c5158d167763bd75029574

          SHA256

          598ed432c1a1980fe7d0ca5a1a40caee31bea9954c895f3b65fc98b5f8ec9bb6

          SHA512

          3e679662e4617a995869025f5de562adc359207824628cd5da617a2789025594a605c962e8be8a13f761a6eeb6fd6fedf4cdcf392778a7fb786991bd6310a2e0

          Download Submit

        • memory/1708-0-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1708-220-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1708-246-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1708-2-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1708-1-0x0000000001050000-0x000000000106A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1708-597-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2420-9-0x0000000002920000-0x0000000002928000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2420-8-0x000000001B530000-0x000000001B812000-memory.dmp

          Filesize

          2.9MB

          Download