hakbit | d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337

Analysis

max time kernel
1788s
max time network
1786s
platform
windows10_x64
resource
win10v20201028
submitted
20-11-2020 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Score

10^/10

hakbit ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: AurLkNjAgbjanuDB/60MzNmn2c/YqPxL1asGmTG80+NCkBjZ2vXLtGUaqQTTP4IPFTyMtTI85kPMGqZ/X2wFDQUfMrKg9pzhk6mXJw7UibHl+wzHclZTbOUc16lkPinb5sMOtFkvKTS73MC5d733N7iTAyBf/D9rfqIO4VqVd5YdAeNOMw/IRvn3ifZyNPWHYKDhT/1C86gRrumhYZJkF2sbHd3CM1dpUlMDWIMSs8K16e7A1Ra2tzfbjg8z305vg7X+4IwTBnu1Sbm5YstbWZBB3k7OOlLLCH/y5+kXRi+xIKzFPBflFwlg4MKqqNj/UO2s26NWfMeqouuF9mxV1MgEEGESP9btTLyX+1xJZLY/W+OF14R3JBbqbw7G2e8j8EPB0wTgYnTmejhJUAcSTJJ/AIQrqPpCk/XgHDxzITuUEgDivP8jGIFha42gO3tXAeAQ/2sfD/wuomlDT8UGSHIgoG7Cq3RrHJDL/8yzJQrXN/H4450nuoU1CgMTRaIFgqKIZb/FeIr9jIsi/0CK/MH+QDaRvLAr+2Dfkje7UcxAa02dHx1jXc7VOFqAKdghfecAok9OWsnUjnnStgY/cxzi9uHySdRkRO2WUYcIhpvMCIJLJec3OJD0x5ip0Z6d7gI+kg3vyp2iLyQ4/QpZdERb1+uoqU+aLPywnlPJDbw= Number of files that were processed is: 1274

Emails

[email protected]

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\OutUse.tiff	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
File opened for modification	C:\Users\Admin\Pictures\RepairMount.tiff	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Drops startup file 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 47 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4868	taskkill.exe
2896	taskkill.exe
1268	taskkill.exe
4044	taskkill.exe
2104	taskkill.exe
4196	taskkill.exe
4300	taskkill.exe
2292	taskkill.exe
2972	taskkill.exe
4048	taskkill.exe
5076	taskkill.exe
3976	taskkill.exe
2456	taskkill.exe
4504	taskkill.exe
4548	taskkill.exe
4600	taskkill.exe
4632	taskkill.exe
4348	taskkill.exe
5004	taskkill.exe
3196	taskkill.exe
1344	taskkill.exe
2312	taskkill.exe
2844	taskkill.exe
4084	taskkill.exe
4240	taskkill.exe
4268	taskkill.exe
5584	taskkill.exe
3428	taskkill.exe
5596	taskkill.exe
3184	taskkill.exe
4116	taskkill.exe
4384	taskkill.exe
4428	taskkill.exe
4692	taskkill.exe
4784	taskkill.exe
3920	taskkill.exe
4260	taskkill.exe
4936	taskkill.exe
4256	taskkill.exe
1476	taskkill.exe
4716	taskkill.exe
4756	taskkill.exe
4964	taskkill.exe
200	taskkill.exe
2248	taskkill.exe
3384	taskkill.exe
2364	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

5416 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4840 PING.EXE

pid	process
5416	notepad.exe

pid	process
4840	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid	process
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	3384	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	3184	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	200	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	1344	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	3196	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	4504	taskkill.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	4692	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	4964	taskkill.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	4256	taskkill.exe
Token: SeDebugPrivilege	3428	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	5596	taskkill.exe
Token: SeDebugPrivilege	5584	taskkill.exe
Token: SeDebugPrivilege	5688	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid process

828 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid process

828 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	pid	process	target process
PID 828 wrote to memory of 3820	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 828 wrote to memory of 3820	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 828 wrote to memory of 2932	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 828 wrote to memory of 2932	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 828 wrote to memory of 1696	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 828 wrote to memory of 1696	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 828 wrote to memory of 3428	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 828 wrote to memory of 3428	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 828 wrote to memory of 2960	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 828 wrote to memory of 2960	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 828 wrote to memory of 200	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 200	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 1476	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 1476	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 3196	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 3196	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 1344	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 1344	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2248	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2248	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2292	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2292	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2312	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2312	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 3384	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 3384	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 3976	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 3976	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2364	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2364	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2896	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2896	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 3184	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 3184	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 3920	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 3920	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2844	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2844	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2972	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2972	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4084	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4084	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 1268	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 1268	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2456	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2456	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4044	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4044	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4048	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4048	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2104	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 2104	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4116	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4116	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4196	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4196	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4240	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4240	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4260	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4260	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4300	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4300	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4348	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 828 wrote to memory of 4348	828	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:3820
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:2932
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1696
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:3428
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:2960
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3196
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3384
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:2104
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4196
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4256
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5584
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5688
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5416
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5116
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:4840
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:4352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:5004
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Download Submit
memory/200-8-0x0000000000000000-mapping.dmp

Download
memory/828-1-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/828-0-0x00007FFAEEEE0000-0x00007FFAEF8CC000-memory.dmp

Filesize
9.9MB

Download
memory/1268-24-0x0000000000000000-mapping.dmp

Download
memory/1344-11-0x0000000000000000-mapping.dmp

Download
memory/1476-9-0x0000000000000000-mapping.dmp

Download
memory/1696-5-0x0000000000000000-mapping.dmp

Download
memory/2104-28-0x0000000000000000-mapping.dmp

Download
memory/2248-12-0x0000000000000000-mapping.dmp

Download
memory/2292-13-0x0000000000000000-mapping.dmp

Download
memory/2312-14-0x0000000000000000-mapping.dmp

Download
memory/2364-17-0x0000000000000000-mapping.dmp

Download
memory/2456-25-0x0000000000000000-mapping.dmp

Download
memory/2844-21-0x0000000000000000-mapping.dmp

Download
memory/2896-18-0x0000000000000000-mapping.dmp

Download
memory/2932-4-0x0000000000000000-mapping.dmp

Download
memory/2960-7-0x0000000000000000-mapping.dmp

Download
memory/2972-22-0x0000000000000000-mapping.dmp

Download
memory/3184-19-0x0000000000000000-mapping.dmp

Download
memory/3196-10-0x0000000000000000-mapping.dmp

Download
memory/3384-15-0x0000000000000000-mapping.dmp

Download
memory/3428-50-0x0000000000000000-mapping.dmp

Download
memory/3428-6-0x0000000000000000-mapping.dmp

Download
memory/3820-3-0x0000000000000000-mapping.dmp

Download
memory/3920-20-0x0000000000000000-mapping.dmp

Download
memory/3976-16-0x0000000000000000-mapping.dmp

Download
memory/4044-26-0x0000000000000000-mapping.dmp

Download
memory/4048-27-0x0000000000000000-mapping.dmp

Download
memory/4084-23-0x0000000000000000-mapping.dmp

Download
memory/4116-29-0x0000000000000000-mapping.dmp

Download
memory/4196-30-0x0000000000000000-mapping.dmp

Download
memory/4240-31-0x0000000000000000-mapping.dmp

Download
memory/4256-51-0x0000000000000000-mapping.dmp

Download
memory/4260-32-0x0000000000000000-mapping.dmp

Download
memory/4268-52-0x0000000000000000-mapping.dmp

Download
memory/4300-33-0x0000000000000000-mapping.dmp

Download
memory/4348-34-0x0000000000000000-mapping.dmp

Download
memory/4352-67-0x0000000000000000-mapping.dmp

Download
memory/4384-35-0x0000000000000000-mapping.dmp

Download
memory/4428-36-0x0000000000000000-mapping.dmp

Download
memory/4504-37-0x0000000000000000-mapping.dmp

Download
memory/4548-38-0x0000000000000000-mapping.dmp

Download
memory/4600-39-0x0000000000000000-mapping.dmp

Download
memory/4632-40-0x0000000000000000-mapping.dmp

Download
memory/4692-41-0x0000000000000000-mapping.dmp

Download
memory/4716-42-0x0000000000000000-mapping.dmp

Download
memory/4756-43-0x0000000000000000-mapping.dmp

Download
memory/4784-44-0x0000000000000000-mapping.dmp

Download
memory/4840-64-0x0000000000000000-mapping.dmp

Download
memory/4868-45-0x0000000000000000-mapping.dmp

Download
memory/4936-46-0x0000000000000000-mapping.dmp

Download
memory/4964-47-0x0000000000000000-mapping.dmp

Download
memory/5004-48-0x0000000000000000-mapping.dmp

Download
memory/5004-63-0x0000000000000000-mapping.dmp

Download
memory/5076-49-0x0000000000000000-mapping.dmp

Download
memory/5116-62-0x0000000000000000-mapping.dmp

Download
memory/5416-61-0x0000000000000000-mapping.dmp

Download
memory/5584-53-0x0000000000000000-mapping.dmp

Download
memory/5596-54-0x0000000000000000-mapping.dmp

Download
memory/5688-58-0x000001D6EE320000-0x000001D6EE321000-memory.dmp

Filesize
4KB

Download
memory/5688-57-0x000001D6EE170000-0x000001D6EE171000-memory.dmp

Filesize
4KB

Download
memory/5688-56-0x00007FFAEEEE0000-0x00007FFAEF8CC000-memory.dmp

Filesize
9.9MB

Download
memory/5688-55-0x0000000000000000-mapping.dmp

Download
memory/6328-65-0x0000000000000000-mapping.dmp

Download