hakbit | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

To recover your data contact the email below [email protected] Key Identifier: oXDGKQK45IR5DjQ7fqtBGO8nBjmz9kOrbn2wtKMU/UeKZv0atyEJ6RZxPHpG9nbHu2NGCX+2HM74L5ypLubectZpjfoeR6qkCU1CSGblmAonaWgskRIjRylm2/JTFPh6I5qDpyNT9DceakbVn2BUfljaPrHoyNKTGcMsFqEqi/y5NB3i7211ksgJi3K9u5LCvsIcWqW8PvgNy0Ah+QPo/PMDGEESCWxlwApisTVcPjUd2UOTR0DhvT54wCET5inxnbxTSBTuZfUjIi2Y6jbKkL/hRiK4nApLH8T+oTy5gFZaVbU8UNnoGY8weQZmLQrxO4YPYiRUkB/v9Hy2gAEf9Xa5bxLeH56XuoGBZgPtrnC0L4yTemHofZwwCK5SipB0NPEnv6mU07cKQtlBlUy1Y04eEsvK6BPnaz+J3whD2KH7xOL51D/Q5TKhavcv4gPF/9dcTTBgC8j3IHHXLdWSoNmtd5+VCWKZF77+dDl2EHsKsdXFay40pmGqlbmMcwO3qtxo4b3Yg3doocsv6h+rfm/QgG7ciNuVZpo1ybx58FTWH9XgaHAwqH+CEaverTzy7/G2QNIqY8qrhzyUagDT7oLf5k4fe1p1rU9CM6oVhjV+EiMtE4HecN5UmVsps9jBD1XRfYaGe7MD3BUQ6Wu5hbanfu8fXcx08sVyHeUBOW0= Number of files that were processed is: 1231

Emails

[email protected]

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\EnterApprove.tiff	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 47 IoCs

evasion

pid	Process
724	taskkill.exe
2040	taskkill.exe
3800	taskkill.exe
1676	taskkill.exe
4736	taskkill.exe
3192	taskkill.exe
616	taskkill.exe
4200	taskkill.exe
4348	taskkill.exe
980	taskkill.exe
4552	taskkill.exe
4152	taskkill.exe
4292	taskkill.exe
4468	taskkill.exe
2784	taskkill.exe
1804	taskkill.exe
2004	taskkill.exe
1392	taskkill.exe
2788	taskkill.exe
4308	taskkill.exe
3860	taskkill.exe
1104	taskkill.exe
200	taskkill.exe
4456	taskkill.exe
2792	taskkill.exe
3220	taskkill.exe
4624	taskkill.exe
3644	taskkill.exe
4460	taskkill.exe
3816	taskkill.exe
4680	taskkill.exe
3948	taskkill.exe
652	taskkill.exe
1608	taskkill.exe
1092	taskkill.exe
2268	taskkill.exe
5040	taskkill.exe
4220	taskkill.exe
420	taskkill.exe
4196	taskkill.exe
2456	taskkill.exe
5112	taskkill.exe
4204	taskkill.exe
2960	taskkill.exe
4752	taskkill.exe
3712	taskkill.exe
3624	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4528	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3336	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	420	taskkill.exe
Token: SeDebugPrivilege	724	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	200	taskkill.exe
Token: SeDebugPrivilege	3816	taskkill.exe
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	4292	taskkill.exe
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	5040	taskkill.exe
Token: SeDebugPrivilege	3544	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4528	notepad.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 5104	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	72
PID 4764 wrote to memory of 5104	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	72
PID 4764 wrote to memory of 3008	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	74
PID 4764 wrote to memory of 3008	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	74
PID 4764 wrote to memory of 972	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	75
PID 4764 wrote to memory of 972	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	75
PID 4764 wrote to memory of 988	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	77
PID 4764 wrote to memory of 988	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	77
PID 4764 wrote to memory of 3544	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	79
PID 4764 wrote to memory of 3544	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	79
PID 4764 wrote to memory of 420	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 4764 wrote to memory of 420	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 4764 wrote to memory of 2792	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 4764 wrote to memory of 2792	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 4764 wrote to memory of 724	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 4764 wrote to memory of 724	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 4764 wrote to memory of 4308	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 4764 wrote to memory of 4308	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 4764 wrote to memory of 3220	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 4764 wrote to memory of 3220	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 4764 wrote to memory of 3860	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 4764 wrote to memory of 3860	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 4764 wrote to memory of 4200	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 4764 wrote to memory of 4200	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 4764 wrote to memory of 4196	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 4764 wrote to memory of 4196	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 4764 wrote to memory of 4348	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 4764 wrote to memory of 4348	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 4764 wrote to memory of 652	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 4764 wrote to memory of 652	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 4764 wrote to memory of 980	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 4764 wrote to memory of 980	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 4764 wrote to memory of 1104	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 4764 wrote to memory of 1104	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 4764 wrote to memory of 1608	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 4764 wrote to memory of 1608	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 4764 wrote to memory of 1804	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 4764 wrote to memory of 1804	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 4764 wrote to memory of 1092	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 4764 wrote to memory of 1092	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 4764 wrote to memory of 2268	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 4764 wrote to memory of 2268	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 4764 wrote to memory of 2456	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 4764 wrote to memory of 2456	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 4764 wrote to memory of 2960	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	117
PID 4764 wrote to memory of 2960	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	117
PID 4764 wrote to memory of 4460	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 4764 wrote to memory of 4460	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 4764 wrote to memory of 2004	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 4764 wrote to memory of 2004	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 4764 wrote to memory of 4552	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 4764 wrote to memory of 4552	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 4764 wrote to memory of 4624	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 4764 wrote to memory of 4624	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 4764 wrote to memory of 3644	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 4764 wrote to memory of 3644	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 4764 wrote to memory of 4752	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129
PID 4764 wrote to memory of 4752	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129
PID 4764 wrote to memory of 4736	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130
PID 4764 wrote to memory of 4736	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130
PID 4764 wrote to memory of 200	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	132
PID 4764 wrote to memory of 200	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	132
PID 4764 wrote to memory of 3816	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	135
PID 4764 wrote to memory of 3816	4764	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	135

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:5104
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:3008
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:972
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:988
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3544
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:420
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:724
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4196
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4552
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3192
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:4528
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:616
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3336
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:4204
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3544-56-0x00007FF9427B0000-0x00007FF94319C000-memory.dmp

Filesize
9.9MB

Download
memory/3544-57-0x000002B679AD0000-0x000002B679AD1000-memory.dmp

Filesize
4KB

Download
memory/3544-58-0x000002B679C80000-0x000002B679C81000-memory.dmp

Filesize
4KB

Download
memory/4764-0-0x00007FF9427B0000-0x00007FF94319C000-memory.dmp

Filesize
9.9MB

Download
memory/4764-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download