hakbit | f0c0c989b018ee24cbd7548cec4e345fd34f491d350983fddb5ddc1ad1f4ba9f

Analysis

max time kernel
188s
max time network
98s
platform
windows7_x64
resource
win7v200430
submitted
12-05-2020 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

61KB
MD5

b8edb3062e489a16fd49868c18731a55
SHA1

018a392975a8731735ef709e6418e5af19db3756
SHA256

f0c0c989b018ee24cbd7548cec4e345fd34f491d350983fddb5ddc1ad1f4ba9f
SHA512

6793968fab16a332217cff0a876a6e1355859b4dabb93a6362eec3412d029d7c7e3c957e136dfaa1f984527710cdef01abc27072f66ba45ded6758471a04fa12

Score

10^/10

ransomware persistence spyware hakbit

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

!!! WARNING !!! WARNING !!! WARNING !!! Where are my files? We have them safely cyphered. You want them back? Contact: [email protected] Telegram Messenger : @CRYPTOMAB Key Identifier: BWmVcy4HiLlA42hfFL4WyIgHzYq76MCNXrjvKMDE3Pjbz1UfszKSjghUXMbOtRzv86zZfPzDL5EMabfvLZEHCNnTC3eVpTEMYg0h5PLjrrKjjmM9Rgt/fvQTLN8UbVNz+vPsCIZ7JzVoyow0cFQHSova4Gia+i1BOrBc7M7MSttYN1L5IKNqDDz0GoaQ28gFCMGduC2nAef9uJIaYEt/ewU/yOP5WWyGZuYYSmBH2OyeBw5rM347VBPYi0rE/Mw32BX36Pm7gRH3R5HBDNcxnwMIeX+aD77YhtT4KjcsLnZ1W7XDBO7V0mBxUSAp7cPUJo5oljUcasYveMBA2NuJlQ== Number of files that you could have potentially lost forever can be as high as: 70

Emails

Contact: [email protected]

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Suspicious use of WriteProcessMemory 384 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1312	1292	client.exe	24
PID 1292 wrote to memory of 1312	1292	client.exe	24
PID 1292 wrote to memory of 1312	1292	client.exe	24
PID 1292 wrote to memory of 1312	1292	client.exe	24
PID 1312 wrote to memory of 1412	1312	net.exe	26
PID 1312 wrote to memory of 1412	1312	net.exe	26
PID 1312 wrote to memory of 1412	1312	net.exe	26
PID 1312 wrote to memory of 1412	1312	net.exe	26
PID 1292 wrote to memory of 1444	1292	client.exe	27
PID 1292 wrote to memory of 1444	1292	client.exe	27
PID 1292 wrote to memory of 1444	1292	client.exe	27
PID 1292 wrote to memory of 1444	1292	client.exe	27
PID 1444 wrote to memory of 1560	1444	net.exe	29
PID 1444 wrote to memory of 1560	1444	net.exe	29
PID 1444 wrote to memory of 1560	1444	net.exe	29
PID 1444 wrote to memory of 1560	1444	net.exe	29
PID 1292 wrote to memory of 288	1292	client.exe	30
PID 1292 wrote to memory of 288	1292	client.exe	30
PID 1292 wrote to memory of 288	1292	client.exe	30
PID 1292 wrote to memory of 288	1292	client.exe	30
PID 288 wrote to memory of 900	288	net.exe	32
PID 288 wrote to memory of 900	288	net.exe	32
PID 288 wrote to memory of 900	288	net.exe	32
PID 288 wrote to memory of 900	288	net.exe	32
PID 1292 wrote to memory of 376	1292	client.exe	33
PID 1292 wrote to memory of 376	1292	client.exe	33
PID 1292 wrote to memory of 376	1292	client.exe	33
PID 1292 wrote to memory of 376	1292	client.exe	33
PID 376 wrote to memory of 324	376	net.exe	35
PID 376 wrote to memory of 324	376	net.exe	35
PID 376 wrote to memory of 324	376	net.exe	35
PID 376 wrote to memory of 324	376	net.exe	35
PID 1292 wrote to memory of 752	1292	client.exe	36
PID 1292 wrote to memory of 752	1292	client.exe	36
PID 1292 wrote to memory of 752	1292	client.exe	36
PID 1292 wrote to memory of 752	1292	client.exe	36
PID 752 wrote to memory of 1064	752	net.exe	38
PID 752 wrote to memory of 1064	752	net.exe	38
PID 752 wrote to memory of 1064	752	net.exe	38
PID 752 wrote to memory of 1064	752	net.exe	38
PID 1292 wrote to memory of 1044	1292	client.exe	39
PID 1292 wrote to memory of 1044	1292	client.exe	39
PID 1292 wrote to memory of 1044	1292	client.exe	39
PID 1292 wrote to memory of 1044	1292	client.exe	39
PID 1044 wrote to memory of 1520	1044	net.exe	41
PID 1044 wrote to memory of 1520	1044	net.exe	41
PID 1044 wrote to memory of 1520	1044	net.exe	41
PID 1044 wrote to memory of 1520	1044	net.exe	41
PID 1292 wrote to memory of 1508	1292	client.exe	42
PID 1292 wrote to memory of 1508	1292	client.exe	42
PID 1292 wrote to memory of 1508	1292	client.exe	42
PID 1292 wrote to memory of 1508	1292	client.exe	42
PID 1508 wrote to memory of 1356	1508	net.exe	44
PID 1508 wrote to memory of 1356	1508	net.exe	44
PID 1508 wrote to memory of 1356	1508	net.exe	44
PID 1508 wrote to memory of 1356	1508	net.exe	44
PID 1292 wrote to memory of 1368	1292	client.exe	45
PID 1292 wrote to memory of 1368	1292	client.exe	45
PID 1292 wrote to memory of 1368	1292	client.exe	45
PID 1292 wrote to memory of 1368	1292	client.exe	45
PID 1368 wrote to memory of 1796	1368	net.exe	47
PID 1368 wrote to memory of 1796	1368	net.exe	47
PID 1368 wrote to memory of 1796	1368	net.exe	47
PID 1368 wrote to memory of 1796	1368	net.exe	47
PID 1292 wrote to memory of 1816	1292	client.exe	48
PID 1292 wrote to memory of 1816	1292	client.exe	48
PID 1292 wrote to memory of 1816	1292	client.exe	48
PID 1292 wrote to memory of 1816	1292	client.exe	48
PID 1816 wrote to memory of 1780	1816	net.exe	50
PID 1816 wrote to memory of 1780	1816	net.exe	50
PID 1816 wrote to memory of 1780	1816	net.exe	50
PID 1816 wrote to memory of 1780	1816	net.exe	50
PID 1292 wrote to memory of 1776	1292	client.exe	51
PID 1292 wrote to memory of 1776	1292	client.exe	51
PID 1292 wrote to memory of 1776	1292	client.exe	51
PID 1292 wrote to memory of 1776	1292	client.exe	51
PID 1776 wrote to memory of 1760	1776	net.exe	53
PID 1776 wrote to memory of 1760	1776	net.exe	53
PID 1776 wrote to memory of 1760	1776	net.exe	53
PID 1776 wrote to memory of 1760	1776	net.exe	53
PID 1292 wrote to memory of 368	1292	client.exe	54
PID 1292 wrote to memory of 368	1292	client.exe	54
PID 1292 wrote to memory of 368	1292	client.exe	54
PID 1292 wrote to memory of 368	1292	client.exe	54
PID 368 wrote to memory of 768	368	net.exe	56
PID 368 wrote to memory of 768	368	net.exe	56
PID 368 wrote to memory of 768	368	net.exe	56
PID 368 wrote to memory of 768	368	net.exe	56
PID 1292 wrote to memory of 860	1292	client.exe	57
PID 1292 wrote to memory of 860	1292	client.exe	57
PID 1292 wrote to memory of 860	1292	client.exe	57
PID 1292 wrote to memory of 860	1292	client.exe	57
PID 860 wrote to memory of 648	860	net.exe	59
PID 860 wrote to memory of 648	860	net.exe	59
PID 860 wrote to memory of 648	860	net.exe	59
PID 860 wrote to memory of 648	860	net.exe	59
PID 1292 wrote to memory of 1352	1292	client.exe	60
PID 1292 wrote to memory of 1352	1292	client.exe	60
PID 1292 wrote to memory of 1352	1292	client.exe	60
PID 1292 wrote to memory of 1352	1292	client.exe	60
PID 1352 wrote to memory of 592	1352	net.exe	62
PID 1352 wrote to memory of 592	1352	net.exe	62
PID 1352 wrote to memory of 592	1352	net.exe	62
PID 1352 wrote to memory of 592	1352	net.exe	62
PID 1292 wrote to memory of 1208	1292	client.exe	63
PID 1292 wrote to memory of 1208	1292	client.exe	63
PID 1292 wrote to memory of 1208	1292	client.exe	63
PID 1292 wrote to memory of 1208	1292	client.exe	63
PID 1208 wrote to memory of 824	1208	net.exe	65
PID 1208 wrote to memory of 824	1208	net.exe	65
PID 1208 wrote to memory of 824	1208	net.exe	65
PID 1208 wrote to memory of 824	1208	net.exe	65
PID 1292 wrote to memory of 1624	1292	client.exe	66
PID 1292 wrote to memory of 1624	1292	client.exe	66
PID 1292 wrote to memory of 1624	1292	client.exe	66
PID 1292 wrote to memory of 1624	1292	client.exe	66
PID 1624 wrote to memory of 1592	1624	net.exe	68
PID 1624 wrote to memory of 1592	1624	net.exe	68
PID 1624 wrote to memory of 1592	1624	net.exe	68
PID 1624 wrote to memory of 1592	1624	net.exe	68
PID 1292 wrote to memory of 1584	1292	client.exe	69
PID 1292 wrote to memory of 1584	1292	client.exe	69
PID 1292 wrote to memory of 1584	1292	client.exe	69
PID 1292 wrote to memory of 1584	1292	client.exe	69
PID 1584 wrote to memory of 1648	1584	net.exe	71
PID 1584 wrote to memory of 1648	1584	net.exe	71
PID 1584 wrote to memory of 1648	1584	net.exe	71
PID 1584 wrote to memory of 1648	1584	net.exe	71
PID 1292 wrote to memory of 1564	1292	client.exe	72
PID 1292 wrote to memory of 1564	1292	client.exe	72
PID 1292 wrote to memory of 1564	1292	client.exe	72
PID 1292 wrote to memory of 1564	1292	client.exe	72
PID 1564 wrote to memory of 1576	1564	net.exe	74
PID 1564 wrote to memory of 1576	1564	net.exe	74
PID 1564 wrote to memory of 1576	1564	net.exe	74
PID 1564 wrote to memory of 1576	1564	net.exe	74
PID 1292 wrote to memory of 1892	1292	client.exe	75
PID 1292 wrote to memory of 1892	1292	client.exe	75
PID 1292 wrote to memory of 1892	1292	client.exe	75
PID 1292 wrote to memory of 1892	1292	client.exe	75
PID 1892 wrote to memory of 1888	1892	net.exe	77
PID 1892 wrote to memory of 1888	1892	net.exe	77
PID 1892 wrote to memory of 1888	1892	net.exe	77
PID 1892 wrote to memory of 1888	1892	net.exe	77
PID 1292 wrote to memory of 1868	1292	client.exe	78
PID 1292 wrote to memory of 1868	1292	client.exe	78
PID 1292 wrote to memory of 1868	1292	client.exe	78
PID 1292 wrote to memory of 1868	1292	client.exe	78
PID 1868 wrote to memory of 1908	1868	net.exe	80
PID 1868 wrote to memory of 1908	1868	net.exe	80
PID 1868 wrote to memory of 1908	1868	net.exe	80
PID 1868 wrote to memory of 1908	1868	net.exe	80
PID 1292 wrote to memory of 1956	1292	client.exe	81
PID 1292 wrote to memory of 1956	1292	client.exe	81
PID 1292 wrote to memory of 1956	1292	client.exe	81
PID 1292 wrote to memory of 1956	1292	client.exe	81
PID 1956 wrote to memory of 1940	1956	net.exe	83
PID 1956 wrote to memory of 1940	1956	net.exe	83
PID 1956 wrote to memory of 1940	1956	net.exe	83
PID 1956 wrote to memory of 1940	1956	net.exe	83
PID 1292 wrote to memory of 1920	1292	client.exe	84
PID 1292 wrote to memory of 1920	1292	client.exe	84
PID 1292 wrote to memory of 1920	1292	client.exe	84
PID 1292 wrote to memory of 1920	1292	client.exe	84
PID 1920 wrote to memory of 2012	1920	net.exe	86
PID 1920 wrote to memory of 2012	1920	net.exe	86
PID 1920 wrote to memory of 2012	1920	net.exe	86
PID 1920 wrote to memory of 2012	1920	net.exe	86
PID 1292 wrote to memory of 1088	1292	client.exe	87
PID 1292 wrote to memory of 1088	1292	client.exe	87
PID 1292 wrote to memory of 1088	1292	client.exe	87
PID 1292 wrote to memory of 1088	1292	client.exe	87
PID 1088 wrote to memory of 1092	1088	net.exe	89
PID 1088 wrote to memory of 1092	1088	net.exe	89
PID 1088 wrote to memory of 1092	1088	net.exe	89
PID 1088 wrote to memory of 1092	1088	net.exe	89
PID 1292 wrote to memory of 988	1292	client.exe	90
PID 1292 wrote to memory of 988	1292	client.exe	90
PID 1292 wrote to memory of 988	1292	client.exe	90
PID 1292 wrote to memory of 988	1292	client.exe	90
PID 988 wrote to memory of 2028	988	net.exe	92
PID 988 wrote to memory of 2028	988	net.exe	92
PID 988 wrote to memory of 2028	988	net.exe	92
PID 988 wrote to memory of 2028	988	net.exe	92
PID 1292 wrote to memory of 2036	1292	client.exe	93
PID 1292 wrote to memory of 2036	1292	client.exe	93
PID 1292 wrote to memory of 2036	1292	client.exe	93
PID 1292 wrote to memory of 2036	1292	client.exe	93
PID 2036 wrote to memory of 1552	2036	net.exe	95
PID 2036 wrote to memory of 1552	2036	net.exe	95
PID 2036 wrote to memory of 1552	2036	net.exe	95
PID 2036 wrote to memory of 1552	2036	net.exe	95
PID 1292 wrote to memory of 1468	1292	client.exe	96
PID 1292 wrote to memory of 1468	1292	client.exe	96
PID 1292 wrote to memory of 1468	1292	client.exe	96
PID 1292 wrote to memory of 1468	1292	client.exe	96
PID 1468 wrote to memory of 1408	1468	net.exe	98
PID 1468 wrote to memory of 1408	1468	net.exe	98
PID 1468 wrote to memory of 1408	1468	net.exe	98
PID 1468 wrote to memory of 1408	1468	net.exe	98
PID 1292 wrote to memory of 1500	1292	client.exe	99
PID 1292 wrote to memory of 1500	1292	client.exe	99
PID 1292 wrote to memory of 1500	1292	client.exe	99
PID 1292 wrote to memory of 1500	1292	client.exe	99
PID 1500 wrote to memory of 1472	1500	net.exe	101
PID 1500 wrote to memory of 1472	1500	net.exe	101
PID 1500 wrote to memory of 1472	1500	net.exe	101
PID 1500 wrote to memory of 1472	1500	net.exe	101
PID 1292 wrote to memory of 1616	1292	client.exe	102
PID 1292 wrote to memory of 1616	1292	client.exe	102
PID 1292 wrote to memory of 1616	1292	client.exe	102
PID 1292 wrote to memory of 1616	1292	client.exe	102
PID 1616 wrote to memory of 800	1616	net.exe	104
PID 1616 wrote to memory of 800	1616	net.exe	104
PID 1616 wrote to memory of 800	1616	net.exe	104
PID 1616 wrote to memory of 800	1616	net.exe	104
PID 1292 wrote to memory of 324	1292	client.exe	105
PID 1292 wrote to memory of 324	1292	client.exe	105
PID 1292 wrote to memory of 324	1292	client.exe	105
PID 1292 wrote to memory of 324	1292	client.exe	105
PID 324 wrote to memory of 1036	324	net.exe	107
PID 324 wrote to memory of 1036	324	net.exe	107
PID 324 wrote to memory of 1036	324	net.exe	107
PID 324 wrote to memory of 1036	324	net.exe	107
PID 1292 wrote to memory of 1056	1292	client.exe	108
PID 1292 wrote to memory of 1056	1292	client.exe	108
PID 1292 wrote to memory of 1056	1292	client.exe	108
PID 1292 wrote to memory of 1056	1292	client.exe	108
PID 1056 wrote to memory of 1520	1056	net.exe	110
PID 1056 wrote to memory of 1520	1056	net.exe	110
PID 1056 wrote to memory of 1520	1056	net.exe	110
PID 1056 wrote to memory of 1520	1056	net.exe	110
PID 1292 wrote to memory of 1528	1292	client.exe	111
PID 1292 wrote to memory of 1528	1292	client.exe	111
PID 1292 wrote to memory of 1528	1292	client.exe	111
PID 1292 wrote to memory of 1528	1292	client.exe	111
PID 1528 wrote to memory of 1492	1528	net.exe	113
PID 1528 wrote to memory of 1492	1528	net.exe	113
PID 1528 wrote to memory of 1492	1528	net.exe	113
PID 1528 wrote to memory of 1492	1528	net.exe	113
PID 1292 wrote to memory of 1672	1292	client.exe	114
PID 1292 wrote to memory of 1672	1292	client.exe	114
PID 1292 wrote to memory of 1672	1292	client.exe	114
PID 1292 wrote to memory of 1672	1292	client.exe	114
PID 1672 wrote to memory of 1784	1672	net.exe	116
PID 1672 wrote to memory of 1784	1672	net.exe	116
PID 1672 wrote to memory of 1784	1672	net.exe	116
PID 1672 wrote to memory of 1784	1672	net.exe	116
PID 1292 wrote to memory of 1736	1292	client.exe	117
PID 1292 wrote to memory of 1736	1292	client.exe	117
PID 1292 wrote to memory of 1736	1292	client.exe	117
PID 1292 wrote to memory of 1736	1292	client.exe	117
PID 1736 wrote to memory of 1804	1736	net.exe	119
PID 1736 wrote to memory of 1804	1736	net.exe	119
PID 1736 wrote to memory of 1804	1736	net.exe	119
PID 1736 wrote to memory of 1804	1736	net.exe	119
PID 1292 wrote to memory of 1756	1292	client.exe	120
PID 1292 wrote to memory of 1756	1292	client.exe	120
PID 1292 wrote to memory of 1756	1292	client.exe	120
PID 1292 wrote to memory of 1756	1292	client.exe	120
PID 1756 wrote to memory of 320	1756	net.exe	122
PID 1756 wrote to memory of 320	1756	net.exe	122
PID 1756 wrote to memory of 320	1756	net.exe	122
PID 1756 wrote to memory of 320	1756	net.exe	122
PID 1292 wrote to memory of 768	1292	client.exe	123
PID 1292 wrote to memory of 768	1292	client.exe	123
PID 1292 wrote to memory of 768	1292	client.exe	123
PID 1292 wrote to memory of 768	1292	client.exe	123
PID 768 wrote to memory of 1212	768	net.exe	125
PID 768 wrote to memory of 1212	768	net.exe	125
PID 768 wrote to memory of 1212	768	net.exe	125
PID 768 wrote to memory of 1212	768	net.exe	125
PID 1292 wrote to memory of 692	1292	client.exe	126
PID 1292 wrote to memory of 692	1292	client.exe	126
PID 1292 wrote to memory of 692	1292	client.exe	126
PID 1292 wrote to memory of 692	1292	client.exe	126
PID 692 wrote to memory of 1512	692	net.exe	128
PID 692 wrote to memory of 1512	692	net.exe	128
PID 692 wrote to memory of 1512	692	net.exe	128
PID 692 wrote to memory of 1512	692	net.exe	128
PID 1292 wrote to memory of 1144	1292	client.exe	129
PID 1292 wrote to memory of 1144	1292	client.exe	129
PID 1292 wrote to memory of 1144	1292	client.exe	129
PID 1292 wrote to memory of 1144	1292	client.exe	129
PID 1144 wrote to memory of 1332	1144	net.exe	131
PID 1144 wrote to memory of 1332	1144	net.exe	131
PID 1144 wrote to memory of 1332	1144	net.exe	131
PID 1144 wrote to memory of 1332	1144	net.exe	131
PID 1292 wrote to memory of 568	1292	client.exe	132
PID 1292 wrote to memory of 568	1292	client.exe	132
PID 1292 wrote to memory of 568	1292	client.exe	132
PID 1292 wrote to memory of 568	1292	client.exe	132
PID 1292 wrote to memory of 1640	1292	client.exe	134
PID 1292 wrote to memory of 1640	1292	client.exe	134
PID 1292 wrote to memory of 1640	1292	client.exe	134
PID 1292 wrote to memory of 1640	1292	client.exe	134
PID 1292 wrote to memory of 1636	1292	client.exe	136
PID 1292 wrote to memory of 1636	1292	client.exe	136
PID 1292 wrote to memory of 1636	1292	client.exe	136
PID 1292 wrote to memory of 1636	1292	client.exe	136
PID 1292 wrote to memory of 1544	1292	client.exe	138
PID 1292 wrote to memory of 1544	1292	client.exe	138
PID 1292 wrote to memory of 1544	1292	client.exe	138
PID 1292 wrote to memory of 1544	1292	client.exe	138
PID 1292 wrote to memory of 1896	1292	client.exe	140
PID 1292 wrote to memory of 1896	1292	client.exe	140
PID 1292 wrote to memory of 1896	1292	client.exe	140
PID 1292 wrote to memory of 1896	1292	client.exe	140
PID 1292 wrote to memory of 1092	1292	client.exe	143
PID 1292 wrote to memory of 1092	1292	client.exe	143
PID 1292 wrote to memory of 1092	1292	client.exe	143
PID 1292 wrote to memory of 1092	1292	client.exe	143
PID 1292 wrote to memory of 1484	1292	client.exe	145
PID 1292 wrote to memory of 1484	1292	client.exe	145
PID 1292 wrote to memory of 1484	1292	client.exe	145
PID 1292 wrote to memory of 1484	1292	client.exe	145
PID 1292 wrote to memory of 1320	1292	client.exe	147
PID 1292 wrote to memory of 1320	1292	client.exe	147
PID 1292 wrote to memory of 1320	1292	client.exe	147
PID 1292 wrote to memory of 1320	1292	client.exe	147
PID 1292 wrote to memory of 1072	1292	client.exe	150
PID 1292 wrote to memory of 1072	1292	client.exe	150
PID 1292 wrote to memory of 1072	1292	client.exe	150
PID 1292 wrote to memory of 1072	1292	client.exe	150
PID 1292 wrote to memory of 1032	1292	client.exe	152
PID 1292 wrote to memory of 1032	1292	client.exe	152
PID 1292 wrote to memory of 1032	1292	client.exe	152
PID 1292 wrote to memory of 1032	1292	client.exe	152
PID 1292 wrote to memory of 1772	1292	client.exe	154
PID 1292 wrote to memory of 1772	1292	client.exe	154
PID 1292 wrote to memory of 1772	1292	client.exe	154
PID 1292 wrote to memory of 1772	1292	client.exe	154
PID 1292 wrote to memory of 1764	1292	client.exe	156
PID 1292 wrote to memory of 1764	1292	client.exe	156
PID 1292 wrote to memory of 1764	1292	client.exe	156
PID 1292 wrote to memory of 1764	1292	client.exe	156
PID 1292 wrote to memory of 1512	1292	client.exe	158
PID 1292 wrote to memory of 1512	1292	client.exe	158
PID 1292 wrote to memory of 1512	1292	client.exe	158
PID 1292 wrote to memory of 1512	1292	client.exe	158
PID 1292 wrote to memory of 1580	1292	client.exe	160
PID 1292 wrote to memory of 1580	1292	client.exe	160
PID 1292 wrote to memory of 1580	1292	client.exe	160
PID 1292 wrote to memory of 1580	1292	client.exe	160
PID 1292 wrote to memory of 1540	1292	client.exe	162
PID 1292 wrote to memory of 1540	1292	client.exe	162
PID 1292 wrote to memory of 1540	1292	client.exe	162
PID 1292 wrote to memory of 1540	1292	client.exe	162
PID 1292 wrote to memory of 1944	1292	client.exe	164
PID 1292 wrote to memory of 1944	1292	client.exe	164
PID 1292 wrote to memory of 1944	1292	client.exe	164
PID 1292 wrote to memory of 1944	1292	client.exe	164
PID 1292 wrote to memory of 2040	1292	client.exe	166
PID 1292 wrote to memory of 2040	1292	client.exe	166
PID 1292 wrote to memory of 2040	1292	client.exe	166
PID 1292 wrote to memory of 2040	1292	client.exe	166
PID 1292 wrote to memory of 1408	1292	client.exe	168
PID 1292 wrote to memory of 1408	1292	client.exe	168
PID 1292 wrote to memory of 1408	1292	client.exe	168
PID 1292 wrote to memory of 1408	1292	client.exe	168
PID 1292 wrote to memory of 1504	1292	client.exe	170
PID 1292 wrote to memory of 1504	1292	client.exe	170
PID 1292 wrote to memory of 1504	1292	client.exe	170
PID 1292 wrote to memory of 1504	1292	client.exe	170
PID 1292 wrote to memory of 1336	1292	client.exe	172
PID 1292 wrote to memory of 1336	1292	client.exe	172
PID 1292 wrote to memory of 1336	1292	client.exe	172
PID 1292 wrote to memory of 1336	1292	client.exe	172
PID 1292 wrote to memory of 1784	1292	client.exe	174
PID 1292 wrote to memory of 1784	1292	client.exe	174
PID 1292 wrote to memory of 1784	1292	client.exe	174
PID 1292 wrote to memory of 1784	1292	client.exe	174
PID 1292 wrote to memory of 656	1292	client.exe	176
PID 1292 wrote to memory of 656	1292	client.exe	176
PID 1292 wrote to memory of 656	1292	client.exe	176
PID 1292 wrote to memory of 656	1292	client.exe	176
PID 1292 wrote to memory of 1792	1292	client.exe	184
PID 1292 wrote to memory of 1792	1292	client.exe	184
PID 1292 wrote to memory of 1792	1292	client.exe	184
PID 1292 wrote to memory of 1792	1292	client.exe	184
PID 1292 wrote to memory of 1744	1292	client.exe	185
PID 1292 wrote to memory of 1744	1292	client.exe	185
PID 1292 wrote to memory of 1744	1292	client.exe	185
PID 1292 wrote to memory of 1744	1292	client.exe	185

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1292	client.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1292	client.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1744	1292	WerFault.exe	23

Kills process with taskkill 3 IoCs

evasion

pid	Process
1896	taskkill.exe
1092	taskkill.exe
1484	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1792	notepad.exe

Runs net.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1772	vssadmin.exe
1764	vssadmin.exe
1072	vssadmin.exe
1540	vssadmin.exe
2040	vssadmin.exe
1336	vssadmin.exe
1784	vssadmin.exe
1320	vssadmin.exe
1032	vssadmin.exe
1512	vssadmin.exe
1580	vssadmin.exe
1944	vssadmin.exe
1408	vssadmin.exe
1504	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	client.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeBackupPrivilege	756	vssvc.exe
Token: SeRestorePrivilege	756	vssvc.exe
Token: SeAuditPrivilege	756	vssvc.exe
Token: SeDebugPrivilege	1744	WerFault.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
PID:1292
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:1412
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:1560
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:900
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:324
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:1064
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:1520
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:1356
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:1796
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:1780
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:1760
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:768
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:648
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:592
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:824
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:1592
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:1648
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:1576
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:1888
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:1908
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:1940
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:2012
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:1092
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:2028
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:1552
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:1408
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:1472
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:800
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:1036
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:1056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:1520
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:1492
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:1784
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:1804
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:320
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:1212
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:1512
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:1332
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:568
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1640
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1636
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1544
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1320
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1072
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1032
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1772
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1764
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1512
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1580
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1540
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1944
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2040
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1408
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1504
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1336
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1784
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:656
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 604
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-1-0x0000000001E10000-0x0000000001E21000-memory.dmp

Filesize
68KB

Download
memory/1744-2-0x00000000026E0000-0x00000000026F1000-memory.dmp

Filesize
68KB

Download