hakbit | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
31-01-2022 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
Size

256KB
MD5

070940acdcf608923d044edc79ba4121
SHA1

5b1d1de92d8b8163ac70281d6afa3113d0f86362
SHA256

befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415
SHA512

41b35ca8765b7788461d198e63ba975800dbf0bc4bfa747769cc51399c74a969ea981d3d613cfeaf149a4c2c6d195b5c952fe45c5102ebf08387ec72540e6180

Score

10^/10

hakbit persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 1 Bitcoin and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: [email protected]. Bitcoin wallet to make the transfer to is: 1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Dt6vG8qQcMWdgEueBM7AfDdoUEbwefKWi0F6Ot5Atd3g8LxCGEJQPJvb5yIHO9peq1slR/Qhf9CztRDZTbfol4b3uWoM3/XznS+wbEE+50BQDgy9xyMx0IjGFHRg51eFYOM5P8+NcewhVwu3es5A0LLdPjepV1FVfJpUmdeXWWgXo6g6QQtzbaJ39ajk/V0tVH+qZ95QAeKGVk5AgQjLBuv6jssKrqdxMTvpp6NNeNeGgMFqdbCGPiOgHLdY4L3JYu9BEPjX/hL+qtclYIIicZG8efXWOmOgfBsprMfFFT1O/TQ7ocKXCNLoS8psBhFPA+sce+YrFwPbuhHB4AIYkA== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Emails

[email protected]

Wallets

1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ReadOut.tiff.part => C:\Users\Admin\Pictures\ReadOut.tiff	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created	C:\Users\Admin\Pictures\ConnectClear.tiff.part	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File renamed	C:\Users\Admin\Pictures\ConnectClear.tiff.part => C:\Users\Admin\Pictures\ConnectClear.tiff	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File opened for modification	C:\Users\Admin\Pictures\ReadOut.tiff	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectClear.tiff	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created	C:\Users\Admin\Pictures\ReadOut.tiff.part	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created	C:\Users\Admin\Pictures\CompleteRename.png.part	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created	C:\Users\Admin\Pictures\JoinSave.png.part	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created	C:\Users\Admin\Pictures\ProtectExit.png.part	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1316	vssadmin.exe
3616	vssadmin.exe
1952	vssadmin.exe
1532	vssadmin.exe
2992	vssadmin.exe
3876	vssadmin.exe
2600	vssadmin.exe
2944	vssadmin.exe
3360	vssadmin.exe
3432	vssadmin.exe
552	vssadmin.exe
1688	vssadmin.exe
2540	vssadmin.exe
2508	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1544	taskkill.exe
1940	taskkill.exe
1772	taskkill.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3956	notepad.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeBackupPrivilege	3464	vssvc.exe
Token: SeRestorePrivilege	3464	vssvc.exe
Token: SeAuditPrivilege	3464	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 3148	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	52
PID 1356 wrote to memory of 3148	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	52
PID 3148 wrote to memory of 1816	3148	net.exe	54
PID 3148 wrote to memory of 1816	3148	net.exe	54
PID 1356 wrote to memory of 1764	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	55
PID 1356 wrote to memory of 1764	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	55
PID 1764 wrote to memory of 3592	1764	net.exe	57
PID 1764 wrote to memory of 3592	1764	net.exe	57
PID 1356 wrote to memory of 2768	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	58
PID 1356 wrote to memory of 2768	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	58
PID 2768 wrote to memory of 3528	2768	net.exe	60
PID 2768 wrote to memory of 3528	2768	net.exe	60
PID 1356 wrote to memory of 3872	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	61
PID 1356 wrote to memory of 3872	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	61
PID 3872 wrote to memory of 4056	3872	net.exe	63
PID 3872 wrote to memory of 4056	3872	net.exe	63
PID 1356 wrote to memory of 3688	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	64
PID 1356 wrote to memory of 3688	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	64
PID 3688 wrote to memory of 2872	3688	net.exe	68
PID 3688 wrote to memory of 2872	3688	net.exe	68
PID 1356 wrote to memory of 2808	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	67
PID 1356 wrote to memory of 2808	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	67
PID 1356 wrote to memory of 3740	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	69
PID 1356 wrote to memory of 3740	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	69
PID 1356 wrote to memory of 1904	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	71
PID 1356 wrote to memory of 1904	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	71
PID 1356 wrote to memory of 3516	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	73
PID 1356 wrote to memory of 3516	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	73
PID 1356 wrote to memory of 1544	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	75
PID 1356 wrote to memory of 1544	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	75
PID 1356 wrote to memory of 1940	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	78
PID 1356 wrote to memory of 1940	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	78
PID 1356 wrote to memory of 1772	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	80
PID 1356 wrote to memory of 1772	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	80
PID 1356 wrote to memory of 1688	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	82
PID 1356 wrote to memory of 1688	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	82
PID 1356 wrote to memory of 2944	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	86
PID 1356 wrote to memory of 2944	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	86
PID 1356 wrote to memory of 1316	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	88
PID 1356 wrote to memory of 1316	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	88
PID 1356 wrote to memory of 3616	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	90
PID 1356 wrote to memory of 3616	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	90
PID 1356 wrote to memory of 3360	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	92
PID 1356 wrote to memory of 3360	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	92
PID 1356 wrote to memory of 1952	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	94
PID 1356 wrote to memory of 1952	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	94
PID 1356 wrote to memory of 2540	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	96
PID 1356 wrote to memory of 2540	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	96
PID 1356 wrote to memory of 1532	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	98
PID 1356 wrote to memory of 1532	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	98
PID 1356 wrote to memory of 3432	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	100
PID 1356 wrote to memory of 3432	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	100
PID 1356 wrote to memory of 552	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	102
PID 1356 wrote to memory of 552	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	102
PID 1356 wrote to memory of 2992	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	104
PID 1356 wrote to memory of 2992	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	104
PID 1356 wrote to memory of 3876	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	106
PID 1356 wrote to memory of 3876	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	106
PID 1356 wrote to memory of 2508	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	109
PID 1356 wrote to memory of 2508	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	109
PID 1356 wrote to memory of 2600	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	110
PID 1356 wrote to memory of 2600	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	110
PID 1356 wrote to memory of 3956	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	120
PID 1356 wrote to memory of 3956	1356	befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe	120

C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
"C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:1816
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:3592
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:3528
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:4056
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:2872
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:2808
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:3740
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1904
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1688
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2944
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1316
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3616
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3360
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1952
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2540
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1532
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3432
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:552
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2992
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3876
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2508
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2600
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
  2⤵
  PID:1532
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 5b5fec777df30a008dec35087d2b3422 vadgS/xhVESohyLQi8mm+A.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:3596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-130-0x00000000002C0000-0x0000000000306000-memory.dmp

Filesize
280KB

Download
memory/1356-131-0x0000000002570000-0x0000000002572000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads