Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows7-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows7-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows7-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows7-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows7-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows7-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows7-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows7-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows7-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows7-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows7-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows7-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows7-x64

1

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows7-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows7-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

12-05-2024 16:15

240512-tqd3ysdh3t 10

10-05-2024 18:05

240510-wpghssdd27 10

10-05-2024 17:48

240510-wdyypscg56 10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    12-05-2024 16:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware/Client-2.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score
10/10
hakbitevasionexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: gDN84uFxFDjPQfAyEXoTsPy8dqlOLrkOZ0w/Y4C4LsvmNTGLHVFEkK0+EE76cBYGPHA6OtzciMKsHWpkc6wcN4roDu2rjZfHp90vRrr/1fXSuS4uxSQx8SQALTwMgrJ6p6v5k2Oos3qeGV9HMdkM+94bRZFe3oH4LQvbVNjlH9M80WazVx4iCPAeJgxBxbq1HD6mDZ2S52gajyK6iWCMZA9tI2W8iwr4dDoiG6xcN1O4uqlM1zRe3hWvr68rPVEFTccuMVmQb6ks+C9Kz88nZ7SFX1qbXuxfiouBMYhxUfoe7rjMgyPvuvlaTTnzEMtcNWjGZkGEgACBeucsfZnwH4wBpFCBFterkl3B+pNXofwpetARIxd8j9c9lVo0YcADs0XAqVZNQyskCC2EvUwKSm7KvXaq43hvNH09A5WZww93kkBIh+yzQBddNkInCHi2/atjDxxjODs6FE3sQPW8E9ka7IaWSmasE/F4w3Zb71TQ1GsDD0ln0gmzouV92WyFxdf+pVVgKGG5cEPIg4QUs+4zJ/NQN3CN5onSkhZJvLpyWl0G6E0Iav5yC1AD0JgN4C9Av7URLWL1poOHWETC7WQPvC1CFAbYb5atgfkWwC6o9RuxuCHNHnKKvSGXfRGh8ZpEY3wjpDe1Z/rYcmx7rBX2CpsNA933SYoru95/w4A= Number of files that were processed is: 475

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 47 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:2000
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:2372
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
        2⤵
        • Launches sc.exe
        PID:2280
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLWriter start= disabled
        2⤵
        • Launches sc.exe
        PID:2580
      • C:\Windows\system32\sc.exe
        "sc.exe" config SstpSvc start= disabled
        2⤵
        • Launches sc.exe
        PID:2616
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2576
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqbcoreservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2736
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM firefoxconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM agntsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2904
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM thebat.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM steam.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2480
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM encsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3064
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM excel.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM CNTAoSMgr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlwriter.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tbirdconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2508
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM dbeng50.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM thebat64.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocomm.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM infopath.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2640
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mbamtray.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM zoolz.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2432
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" IM thunderbird.exe /F
        2⤵
        • Kills process with taskkill
        PID:2468
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM dbsnmp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2488
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM xfssvccon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2536
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM Ntrtscan.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2976
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM isqlplussvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM onenote.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2984
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM PccNTMon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2980
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2180
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1236
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1916
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:948
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:952
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1416
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:856
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1904
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1644
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1700
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2460
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1652
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1556
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
          PID:4052
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.7 -n 3
            3⤵
            • Runs ping.exe
            PID:1704
          • C:\Windows\system32\fsutil.exe
            fsutil file setZeroData offset=0 length=524288 “%s”
            3⤵
              PID:2060
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
            2⤵
            • Deletes itself
            PID:4040
            • C:\Windows\system32\choice.exe
              choice /C Y /N /D Y /T 3
              3⤵
                PID:1656
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UseConvertTo.bmp.energy[[email protected]]
            1⤵
            • Modifies registry class
            PID:2076

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          System Services

          1
          T1569

          Service Execution

          1
          T1569.002

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Credential Access

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          System Information Discovery

          1
          T1082

          Remote System Discovery

          1
          T1018

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Service Stop

          1
          T1489

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck.energy[[email protected]]
            Filesize

            4KB

            MD5

            2f1dd10097e8cd66b978d97e7a9ce471

            SHA1

            33319ec1178a9790d7045cd68f9d5f447e4d92cf

            SHA256

            db40cf04f742b0eb28c56f22dfa68cfe9ac288af93c5de586f5d34c31d99e99a

            SHA512

            c72e0a6dcc124e044ce23d9cf6d1b54daa1e803699430d2a0ebfc8bd71bf5052e8b51bfab2015b77daadad33135b9a4c4ab6b52b13a709c6ff031ce10a2b62c9

            Download Submit
          • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
            Filesize

            180KB

            MD5

            1ea61b328430b4b47bfa6518a08c5e50

            SHA1

            b53fa0fffa3274f00240c443722bc5e646e97b98

            SHA256

            b31e2d50eb92f67a87d5f5122aaefeb1d6d86a6f5a750510c4406f11c2aded92

            SHA512

            84082a71e02221a60b0b37733155824c73f038efd2581d3ccc1efc0964a2fec54b62517bc0c09038a1a4bd87d2d21e0c8292da4170c9cca6505637798fb5395e

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            be9177eb0d3b96ed6fee6701c3166517

            SHA1

            08640bc0009a190eaf5c9dc909bfdcfc0de49fd8

            SHA256

            9f27a09b88b86e070eb92e6adc809ab6fa1a14986608ade5dd834da1805f130d

            SHA512

            3592d96d849897b5e1c2619439e2d953dc360d0194e7c3f98d3a57b5380b7a680d124c146294b6d1fc138dc59b15d9cc85038cb5b416ba445eae4b6f0f6a8d82

            Download Submit
          • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
            Filesize

            828B

            MD5

            f8502cfb033e8ce01afbd24dcbc97bbc

            SHA1

            564145b13e46431dab1d9372c84f6cf887192f6f

            SHA256

            267ecce7642344db1e6e4deaa08bfead7f089e7dfc242be304f5c7cdd09a61a9

            SHA512

            0435bb481101e0a0f286839a19fce1a8e0f8fe97a5bc6d74e25d7151b7da6af98fd131762458e8efabc936c9f5daaec9acfdb0090b5ece340fe3cbea1ffbab9f

            Download Submit
          • memory/2244-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2244-1-0x0000000000340000-0x000000000035A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/2244-3-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
            Filesize

            9.9MB

            Download
          • memory/2244-590-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
            Filesize

            9.9MB

            Download
          • memory/2808-10-0x0000000001FF0000-0x0000000001FF8000-memory.dmp
            Filesize

            32KB

            Download
          • memory/2808-9-0x000000001B700000-0x000000001B9E2000-memory.dmp
            Filesize

            2.9MB

            Download