Analysis
- max time kernel: 127s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:50
Static task: static1
Behavioral task: behavioral1
- Sample: 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe
- Resource: win10v20201028
General
- Target: 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe
- Size: 423KB
- MD5: 055c2fba242d03ae153be4a796c55ae2
- SHA1: be71b94e30d5465d8b72e1fc7c0137024f97baee
- SHA256: 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024
- SHA512: 20b31f6db488d26c1f7564106e455a77461e8a9934718e72c6c917e3ec688a9a597a05f1b93584fd88d3e867f09a470eb90094e27c2525939894973d31498890
Malware Config
Extracted from: C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
- Family: hakbit
- Contact email: daaaataaaaa@protonmail.com
- Bitcoin address: 1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9
Signatures
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Disables Task Manager via registry modification
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe
    File created: C:\Users\Admin\Pictures\RevokeMove.png.crypted
    File created: C:\Users\Admin\Pictures\AddProtect.raw.crypted
    File created: C:\Users\Admin\Pictures\ExitEnable.raw.crypted
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Enumerates connected drives (3 TTPs, 18 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: vssadmin.exe, 10 instances
    File opened (read-only), in the order recorded: \??\e:, \??\F:, \??\F:, \??\G:, \??\H:, \??\D:, \??\f:, \??\E:, \??\f:, \??\g:, \??\G:, \??\h:, \??\H:, \??\D:, \??\E:, \??\h:, \??\e:, \??\g:
- Modifies WinLogon (2 TTPs, 2 IoCs)
  Processes: 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop..."
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Atention..."
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 14 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery. Besides the two explicit "Delete Shadows /all /quiet" calls, the sample resizes shadow storage on c: through h: to 401MB and then back to unbounded: shrinking the storage area below what the existing snapshots occupy makes VSS discard them, so the resize pair removes copies without a delete command.
  Processes: vssadmin.exe, 14 instances (PIDs 2152, 2544, 2476, 1504, 1096, 4312, 4016, 2596, 192, 4668, 2720, 3644, 3364, 2548)
- Kills process with taskkill (3 IoCs)
  Processes: taskkill.exe, 3 instances (PIDs 1316, 1780, 4428)
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: notepad.exe (PID 1372)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes: 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe (PID 4772), 13 events
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
    Token SeDebugPrivilege: PID 4772, 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe
    Token SeDebugPrivilege: PID 1316, taskkill.exe
    Token SeDebugPrivilege: PID 1780, taskkill.exe
    Token SeDebugPrivilege: PID 4428, taskkill.exe
    Token SeBackupPrivilege: PID 4544, vssvc.exe
    Token SeRestorePrivilege: PID 4544, vssvc.exe
    Token SeAuditPrivilege: PID 4544, vssvc.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe (PID 4772), 2 events
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe (PID 4772), 2 events
- Suspicious use of WriteProcessMemory (68 IoCs)
  Processes (parent PID -> child PID; the report records every edge twice, and the 32 edges below account for 64 of the 68 listed events):
    4772 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe -> 3484 net.exe; 3484 net.exe -> 416 net1.exe
    4772 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe -> 744 net.exe; 744 net.exe -> 4244 net1.exe
    4772 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe -> 4400 net.exe; 4400 net.exe -> 3848 net1.exe
    4772 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe -> 4068 net.exe; 4068 net.exe -> 4176 net1.exe
    4772 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe -> 4204 net.exe; 4204 net.exe -> 4336 net1.exe
    4772 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe -> sc.exe, PIDs 420, 808, 352, 1120
    4772 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe -> taskkill.exe, PIDs 1316, 1780, 4428
    4772 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe -> vssadmin.exe, PIDs 4016, 2152, 2720, 3644, 2596, 2544, 192, 2476, 1504, 1096, 4668, 3364, 2548, 4312
    4772 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe -> 1372 notepad.exe
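The "Modifies extensions of user files" signature above rests on three file-create IoCs in which the original extension is kept and .crypted is appended (RevokeMove.png.crypted). The following is an added example, not part of the Triage report and not code from the Hakbit sample, showing one way to turn that telemetry into a detection: flag a process that, inside a short window, creates several files whose names still carry a user-document extension with an unfamiliar one appended. The (seconds, pid, path) record layout, the extension list and the rows under PID 2200 are this example's own assumptions; the three .crypted paths are the report's.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions expected on user documents. The inner extension survives in
# names such as RevokeMove.png.crypted, which is how this sample renames
# files; the list itself is an assumption made for the example.
USER_DOC_EXTS = {".png", ".raw", ".jpg", ".docx", ".xlsx", ".pdf", ".txt"}

# Constructed file-create records as (seconds, pid, path). The first three
# paths are the IoCs the report lists for PID 4772; the remaining rows are
# invented benign activity that must not be flagged.
SAMPLE_FILE_EVENTS = [
    (10.0, 4772, r"C:\Users\Admin\Pictures\RevokeMove.png.crypted"),
    (10.2, 4772, r"C:\Users\Admin\Pictures\AddProtect.raw.crypted"),
    (10.3, 4772, r"C:\Users\Admin\Pictures\ExitEnable.raw.crypted"),
    (10.9, 4772, r"C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt"),
    (11.0, 2200, r"C:\Users\Admin\Documents\report.docx"),
    (40.0, 2200, r"C:\Users\Admin\Documents\report.docx.bak"),
    (41.0, 2200, r"C:\Users\Admin\Documents\image.png.bak"),
]


def appended_extension(path):
    """Return (inner_ext, outer_ext) when a user-document name has had an
    unrecognised extension appended, otherwise None."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if len(suffixes) < 2:
        return None
    inner, outer = suffixes[-2], suffixes[-1]
    if inner in USER_DOC_EXTS and outer not in USER_DOC_EXTS:
        return inner, outer
    return None


def rename_bursts(events, window=5.0, threshold=3):
    """Group file creates by (pid, appended extension) and return the groups
    that reach `threshold` events inside any `window`-second span, mapped to
    the largest count seen in a single window."""
    stamps_by_key = defaultdict(list)
    for ts, pid, path in sorted(events):
        hit = appended_extension(path)
        if hit:
            stamps_by_key[(pid, hit[1])].append(ts)

    flagged = {}
    for key, stamps in stamps_by_key.items():
        best, start = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted stamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (pid, ext), count in rename_bursts(SAMPLE_FILE_EVENTS).items():
        print(f"PID {pid} created {count} files with appended extension {ext}")
```

Keying on the appended extension rather than on a fixed ".crypted" string means the rule survives a change of suffix between builds, while the inner-extension check keeps a single backup tool writing one .bak from tripping it; the threshold and window are the knobs to tune against your own file-create volume.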
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe"
    - Modifies extensions of user files
    - Modifies WinLogon
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SYSTEM32\net.exe
      command line: "net.exe" stop avpsus /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 stop avpsus /y
  [2] C:\Windows\SYSTEM32\net.exe
      command line: "net.exe" stop McAfeeDLPAgentService /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  [2] C:\Windows\SYSTEM32\net.exe
      command line: "net.exe" stop mfewc /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 stop mfewc /y
  [2] C:\Windows\SYSTEM32\net.exe
      command line: "net.exe" stop BMR Boot Service /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 stop BMR Boot Service /y
  [2] C:\Windows\SYSTEM32\net.exe
      command line: "net.exe" stop NetBackup BMR MTFTP Service /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
  [2] C:\Windows\SYSTEM32\sc.exe
      command line: "sc.exe" config SQLTELEMETRY start= disabled
  [2] C:\Windows\SYSTEM32\sc.exe
      command line: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  [2] C:\Windows\SYSTEM32\sc.exe
      command line: "sc.exe" config SQLWriter start= disabled
  [2] C:\Windows\SYSTEM32\sc.exe
      command line: "sc.exe" config SstpSvc start= disabled
  [2] C:\Windows\SYSTEM32\taskkill.exe
      command line: "taskkill.exe" /IM mspub.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SYSTEM32\taskkill.exe
      command line: "taskkill.exe" /IM mydesktopqos.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SYSTEM32\taskkill.exe
      command line: "taskkill.exe" /IM mydesktopservice.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" Delete Shadows /all /quiet
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\vssadmin.exe
      command line: "vssadmin.exe" Delete Shadows /all /quiet
      - Interacts with shadow copies
  [2] C:\Windows\System32\notepad.exe
      command line: "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
      - Opens file in notepad (likely ransom note)
  [2] C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe
    [3] C:\Windows\system32\choice.exe
        command line: choice /C Y /N /D Y /T 3
[1] C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
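Read top to bottom, the process tree above is the usual pre-encryption checklist: stop security and backup services with net stop, disable more with sc config, kill applications that may hold documents open, delete shadow copies and squeeze shadow storage, show the note, then self-delete through a delayed cmd /C choice ... & Del. The following is an added example, not part of the Triage report and not code from the sample, that applies that checklist as detection logic over process-creation records and registry-set paths. The (pid, ppid, command_line) layout, the keyword list for "security or backup" services, the category names, the benign rows under parent 800 and the cmd.exe row's PID are this example's own assumptions; the DisableTaskMgr path is the usual Policies\System value, which the report names only through its signature title.

```python
import re
from collections import defaultdict

SAMPLE = "4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.exe"

# Constructed process-creation records as (pid, ppid, command_line). Command
# lines and the 4772 parent PID come from the report; PID 5000 for cmd.exe is
# hypothetical, and the rows under parent 800 are invented benign admin work.
SAMPLE_PROCESS_EVENTS = [
    (4772, 0, rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'),
    (3484, 4772, '"net.exe" stop avpsus /y'),
    (744, 4772, '"net.exe" stop McAfeeDLPAgentService /y'),
    (4068, 4772, '"net.exe" stop BMR Boot Service /y'),
    (420, 4772, '"sc.exe" config SQLWriter start= disabled'),
    (1316, 4772, '"taskkill.exe" /IM mspub.exe /F'),
    (4016, 4772, '"vssadmin.exe" Delete Shadows /all /quiet'),
    (2152, 4772, '"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB'),
    (2720, 4772, '"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded'),
    (5000, 4772, rf'"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'),
    (900, 800, '"vssadmin.exe" list shadows'),
    (901, 800, '"net.exe" stop Spooler /y'),
]

# One regex per category; named groups carry the detail (service or image).
RULES = [
    ("shadow_copy_delete", re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', re.I)),
    ("shadow_storage_resize", re.compile(r'vssadmin(?:\.exe)?"?\s+resize\s+shadowstorage\b.*/maxsize=', re.I)),
    ("service_stop", re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(?P<svc>.+?)\s*/y\s*$', re.I)),
    ("service_disable", re.compile(r'\bsc(?:\.exe)?"?\s+config\s+(?P<svc>\S+)\s+start=\s*disabled', re.I)),
    ("process_kill", re.compile(r'taskkill(?:\.exe)?"?\s+/IM\s+(?P<img>\S+)\s+/F', re.I)),
    ("self_delete", re.compile(r'cmd(?:\.exe)?"?\s+"?/C\s+choice\b.*&\s*del\b', re.I)),
]

# Fragments of service names treated as security or backup products. Taken
# from what this sample stops; a production list would be much longer.
SECURITY_OR_BACKUP_KEYWORDS = ("avp", "mcafee", "mfe", "bmr", "netbackup", "sql", "backup")


def classify(cmdline):
    """Return [(category, detail)] for one command line; [] if nothing fires."""
    hits = []
    for category, pattern in RULES:
        m = pattern.search(cmdline)
        if not m:
            continue
        detail = next((g for g in m.groupdict().values() if g), "")
        # A plain "net stop" is routine; stopping a security/backup service is not.
        if category == "service_stop" and any(
                k in detail.lower() for k in SECURITY_OR_BACKUP_KEYWORDS):
            category = "security_or_backup_service_stop"
        hits.append((category, detail))
    return hits


# Registry values worth alerting on. The Winlogon values are the ones this run
# set (see "Modifies WinLogon"); the DisableTaskMgr path is the usual
# Policies\System location and is assumed here, not quoted from the report.
REGISTRY_WATCHLIST = {
    r"\winlogon\legalnoticetext": "logon_banner_changed",
    r"\winlogon\legalnoticecaption": "logon_banner_changed",
    r"\policies\system\disabletaskmgr": "task_manager_disabled",
}


def classify_registry(value_path):
    """Map a registry value path to a category, or None if not on the watchlist."""
    low = value_path.lower()
    for suffix, category in REGISTRY_WATCHLIST.items():
        if low.endswith(suffix):
            return category
    return None


# Categories that, combined under one parent process, justify a verdict.
HIGH_CONFIDENCE = {"shadow_copy_delete", "shadow_storage_resize",
                   "security_or_backup_service_stop", "service_disable",
                   "process_kill", "self_delete"}


def score_parents(events, threshold=3):
    """Return {ppid: sorted categories} for parents whose children exhibit at
    least `threshold` distinct high-confidence categories."""
    categories = defaultdict(set)
    for _pid, ppid, cmdline in events:
        for category, _detail in classify(cmdline):
            if category in HIGH_CONFIDENCE:
                categories[ppid].add(category)
    return {ppid: sorted(c) for ppid, c in categories.items() if len(c) >= threshold}


if __name__ == "__main__":
    for ppid, cats in score_parents(SAMPLE_PROCESS_EVENTS).items():
        print(f"parent PID {ppid}: {', '.join(cats)}")
```

Scoring by parent rather than by individual command is what separates this run from an administrator who legitimately runs vssadmin once: the benign parent 800 never accumulates more than one category, while 4772 collects all six. The shadow_storage_resize rule matters because, as the signature notes above point out, the 401MB/unbounded pair removes snapshots without ever issuing a delete.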
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
  MD5: c3d7ad70d1db9656197cee62e76604fe
  SHA1: b3cf90792c300abc1a0a0bca43147a62bda2905d
  SHA256: e19ed60af8e949958b60caf007c5d0f29d9e35387e0149196fbb7737cafe60cd
  SHA512: d4fb9ea7ff4568732989f52a4ed3b7a927c6b717992d70cdb919b243701e6535dd6e50e695fecb147692835dc0900cdef9dbd9dbb22a03163b7038880bc52174
- memory/192-26-0x0000000000000000-mapping.dmp
- memory/352-15-0x0000000000000000-mapping.dmp
- memory/416-4-0x0000000000000000-mapping.dmp
- memory/420-13-0x0000000000000000-mapping.dmp
- memory/744-5-0x0000000000000000-mapping.dmp
- memory/808-14-0x0000000000000000-mapping.dmp
- memory/1096-29-0x0000000000000000-mapping.dmp
- memory/1120-16-0x0000000000000000-mapping.dmp
- memory/1316-17-0x0000000000000000-mapping.dmp
- memory/1372-34-0x0000000000000000-mapping.dmp
- memory/1504-28-0x0000000000000000-mapping.dmp
- memory/1780-18-0x0000000000000000-mapping.dmp
- memory/2152-21-0x0000000000000000-mapping.dmp
- memory/2476-27-0x0000000000000000-mapping.dmp
- memory/2544-25-0x0000000000000000-mapping.dmp
- memory/2548-32-0x0000000000000000-mapping.dmp
- memory/2596-24-0x0000000000000000-mapping.dmp
- memory/2720-22-0x0000000000000000-mapping.dmp
- memory/3364-31-0x0000000000000000-mapping.dmp
- memory/3484-3-0x0000000000000000-mapping.dmp
- memory/3644-23-0x0000000000000000-mapping.dmp
- memory/3848-8-0x0000000000000000-mapping.dmp
- memory/4016-20-0x0000000000000000-mapping.dmp
- memory/4052-36-0x0000000000000000-mapping.dmp
- memory/4068-9-0x0000000000000000-mapping.dmp
- memory/4176-10-0x0000000000000000-mapping.dmp
- memory/4204-11-0x0000000000000000-mapping.dmp
- memory/4244-6-0x0000000000000000-mapping.dmp
- memory/4312-33-0x0000000000000000-mapping.dmp
- memory/4336-12-0x0000000000000000-mapping.dmp
- memory/4400-7-0x0000000000000000-mapping.dmp
- memory/4424-37-0x0000000000000000-mapping.dmp
- memory/4428-19-0x0000000000000000-mapping.dmp
- memory/4668-30-0x0000000000000000-mapping.dmp
- memory/4772-0-0x00007FFF465C0000-0x00007FFF46FAC000-memory.dmp (filesize 9.9MB)
- memory/4772-1-0x0000000000360000-0x0000000000361000-memory.dmp (filesize 4KB)