hakbit | 10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5

General

Target

10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
Size

61KB
MD5

2a66b3b2638dfc5dfcf8aaf825993269
SHA1

4e04822d6b8c3087be0550dba96f0c80d84359f8
SHA256

10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5
SHA512

1d63645dc8564057367ed295cb56b0aebdb071b652786d67ae2d9fc0371a034231ace703001bc353b303000fde0c6f9774a120ace83b665964278f8e7127c435

Score

10^/10

hakbit ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 1 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: torsec1@secmail.pro agarrard@protonmail.com Bitcoin wallet to make the transfer to is: 1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ MP20BmgzYCXvImRatoGL+q+WvgnrNvM4H7wmIZQet5imyu8Lk6Ps0IgChbYpAvcV1LlaXRk5l4NIStrUFPszW/5lTfH2CIdAz7VSA/eVWg3qkxG+0hURjLNCnBqJt4WPmQsG4h9VzYPWBCiFOZ7+Gva1ailSHx0Itu2oKOjH4fQbkklXqeVC/FCc3QduTj0MrPgjnK20NYBtqP5DkV5d7jnXNU+eAasZXS0fN3zBariWU8D+BdoQlE/zHz0XseJv3gY47A+4qsGwBp8WxWhr/ICtnISf3luOQ9xjEt1e+TRIAKH7B+OGpbVCexLIy3v/6B59UzAUOJ+zPY/ECxSHQw== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Emails

torsec1@secmail.pro

agarrard@protonmail.com

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\OpenGet.tiff	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
File created	C:\Users\Admin\Pictures\SelectClose.tiff.crypted	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SelectClose.tiff	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
File created	C:\Users\Admin\Pictures\RestartApprove.raw.crypted	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
File created	C:\Users\Admin\Pictures\OpenGet.tiff.crypted	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1892 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1892	cmd.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
604	vssadmin.exe
1740	vssadmin.exe
1800	vssadmin.exe
1860	vssadmin.exe
1380	vssadmin.exe
216	vssadmin.exe
1020	vssadmin.exe
1608	vssadmin.exe
1420	vssadmin.exe
1988	vssadmin.exe
208	vssadmin.exe
1808	vssadmin.exe
1580	vssadmin.exe
936	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1636 taskkill.exe
1876 taskkill.exe
1796 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1500 notepad.exe
Runs net.exe

pid	process
1636	taskkill.exe
1876	taskkill.exe
1796	taskkill.exe

pid	process
1500	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe

pid	process
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeBackupPrivilege	1628	vssvc.exe
Token: SeRestorePrivilege	1628	vssvc.exe
Token: SeAuditPrivilege	1628	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1844 wrote to memory of 1176	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1844 wrote to memory of 1176	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1844 wrote to memory of 1176	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1176 wrote to memory of 1972	1176	net.exe	net1.exe
PID 1176 wrote to memory of 1972	1176	net.exe	net1.exe
PID 1176 wrote to memory of 1972	1176	net.exe	net1.exe
PID 1844 wrote to memory of 1848	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1844 wrote to memory of 1848	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1844 wrote to memory of 1848	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1848 wrote to memory of 1832	1848	net.exe	net1.exe
PID 1848 wrote to memory of 1832	1848	net.exe	net1.exe
PID 1848 wrote to memory of 1832	1848	net.exe	net1.exe
PID 1844 wrote to memory of 1792	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1844 wrote to memory of 1792	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1844 wrote to memory of 1792	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1792 wrote to memory of 1880	1792	net.exe	net1.exe
PID 1792 wrote to memory of 1880	1792	net.exe	net1.exe
PID 1792 wrote to memory of 1880	1792	net.exe	net1.exe
PID 1844 wrote to memory of 1764	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1844 wrote to memory of 1764	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1844 wrote to memory of 1764	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1764 wrote to memory of 604	1764	net.exe	net1.exe
PID 1764 wrote to memory of 604	1764	net.exe	net1.exe
PID 1764 wrote to memory of 604	1764	net.exe	net1.exe
PID 1844 wrote to memory of 1384	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1844 wrote to memory of 1384	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1844 wrote to memory of 1384	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	net.exe
PID 1384 wrote to memory of 1532	1384	net.exe	net1.exe
PID 1384 wrote to memory of 1532	1384	net.exe	net1.exe
PID 1384 wrote to memory of 1532	1384	net.exe	net1.exe
PID 1844 wrote to memory of 1624	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1624	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1624	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1520	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1520	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1520	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1588	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1588	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1588	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1108	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1108	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1108	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	sc.exe
PID 1844 wrote to memory of 1636	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	taskkill.exe
PID 1844 wrote to memory of 1636	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	taskkill.exe
PID 1844 wrote to memory of 1636	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	taskkill.exe
PID 1844 wrote to memory of 1876	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	taskkill.exe
PID 1844 wrote to memory of 1876	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	taskkill.exe
PID 1844 wrote to memory of 1876	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	taskkill.exe
PID 1844 wrote to memory of 1796	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	taskkill.exe
PID 1844 wrote to memory of 1796	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	taskkill.exe
PID 1844 wrote to memory of 1796	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	taskkill.exe
PID 1844 wrote to memory of 1420	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1420	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1420	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1020	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1020	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1020	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1988	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1988	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1988	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1860	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1860	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1860	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe
PID 1844 wrote to memory of 1380	1844	10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
"C:\Users\Admin\AppData\Local\Temp\10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\net.exe
"net.exe" stop avpsus /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:1972

C:\Windows\system32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:1832

C:\Windows\system32\net.exe
"net.exe" stop mfewc /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:1880

C:\Windows\system32\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:604

C:\Windows\system32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:1532

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:1624

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1520

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1588

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:1108

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1420

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1020

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1988

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1860

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1380

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1608

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:216

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:604

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1740

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1808

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1580

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:208

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:936

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1800

C:\Windows\system32\arp.exe
"arp" -a
2⤵
PID:1492

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample.exe
2⤵
- Deletes itself
PID:1892

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
MD5
c407b7a7fc978016e6cdf1780c7eda34

SHA1
02f324fe9bc35e7ce9e0c1c7f7207be9719327e1

SHA256
7bdca4dd4af4b4771893b4ecf987d78f4819bf623816dfd527f65cbb92258bba

SHA512
89e68203ff099aa1af4ab88ebef6d1b0f3c7f2194f649e77b8633a194865ebe0760ad38ad0d2f108f38f8c1ffe6694dbcf9f12d772fec30fc02893a619f21f6e

Download Submit
memory/208-91-0x0000000000000000-mapping.dmp

Download
memory/216-86-0x0000000000000000-mapping.dmp

Download
memory/604-87-0x0000000000000000-mapping.dmp

Download
memory/604-70-0x0000000000000000-mapping.dmp

Download
memory/936-92-0x0000000000000000-mapping.dmp

Download
memory/1020-81-0x0000000000000000-mapping.dmp

Download
memory/1108-76-0x0000000000000000-mapping.dmp

Download
memory/1176-63-0x0000000000000000-mapping.dmp

Download
memory/1380-84-0x0000000000000000-mapping.dmp

Download
memory/1384-71-0x0000000000000000-mapping.dmp

Download
memory/1420-80-0x0000000000000000-mapping.dmp

Download
memory/1492-94-0x0000000000000000-mapping.dmp

Download
memory/1500-95-0x0000000000000000-mapping.dmp

Download
memory/1500-96-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/1520-74-0x0000000000000000-mapping.dmp

Download
memory/1532-72-0x0000000000000000-mapping.dmp

Download
memory/1580-90-0x0000000000000000-mapping.dmp

Download
memory/1588-75-0x0000000000000000-mapping.dmp

Download
memory/1608-85-0x0000000000000000-mapping.dmp

Download
memory/1624-73-0x0000000000000000-mapping.dmp

Download
memory/1636-77-0x0000000000000000-mapping.dmp

Download
memory/1740-88-0x0000000000000000-mapping.dmp

Download
memory/1764-69-0x0000000000000000-mapping.dmp

Download
memory/1780-99-0x0000000000000000-mapping.dmp

Download
memory/1792-67-0x0000000000000000-mapping.dmp

Download
memory/1796-79-0x0000000000000000-mapping.dmp

Download
memory/1800-93-0x0000000000000000-mapping.dmp

Download
memory/1808-89-0x0000000000000000-mapping.dmp

Download
memory/1832-66-0x0000000000000000-mapping.dmp

Download
memory/1844-60-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1844-62-0x000000001AEE0000-0x000000001AEE2000-memory.dmp

Filesize
8KB

Download
memory/1848-65-0x0000000000000000-mapping.dmp

Download
memory/1860-83-0x0000000000000000-mapping.dmp

Download
memory/1876-78-0x0000000000000000-mapping.dmp

Download
memory/1880-68-0x0000000000000000-mapping.dmp

Download
memory/1892-97-0x0000000000000000-mapping.dmp

Download
memory/1972-64-0x0000000000000000-mapping.dmp

Download
memory/1988-82-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads