Analysis
max time kernel: 147s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 31-01-2022 23:05
Static task: static1
Behavioral task: behavioral1
  Sample: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
  Resource: win10v2004-en-20220112
General
Target: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
Size: 256KB
MD5: 070940acdcf608923d044edc79ba4121
SHA1: 5b1d1de92d8b8163ac70281d6afa3113d0f86362
SHA256: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415
SHA512: 41b35ca8765b7788461d198e63ba975800dbf0bc4bfa747769cc51399c74a969ea981d3d613cfeaf149a4c2c6d195b5c952fe45c5102ebf08387ec72540e6180
Malware Config
Extracted from: C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
Family: hakbit
Email: zoula50@protonmail.com
Wallet: 1HaLXTNdaXTGQtDuDURPA9kLxhyM4DzhsT
Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ReadOut.tiff.part => C:\Users\Admin\Pictures\ReadOut.tiff | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created | C:\Users\Admin\Pictures\ConnectClear.tiff.part | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File renamed | C:\Users\Admin\Pictures\ConnectClear.tiff.part => C:\Users\Admin\Pictures\ConnectClear.tiff | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File opened for modification | C:\Users\Admin\Pictures\ReadOut.tiff | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File opened for modification | C:\Users\Admin\Pictures\ConnectClear.tiff | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created | C:\Users\Admin\Pictures\ReadOut.tiff.part | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created | C:\Users\Admin\Pictures\CompleteRename.png.part | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created | C:\Users\Admin\Pictures\JoinSave.png.part | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
File created | C:\Users\Admin\Pictures\ProtectExit.png.part | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
Sets service image path in registry (2 TTPs)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
Enumerates connected drives (3 TTPs, 18 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: vssadmin.exe (10 instances)
description | ioc | process
File opened (read-only) | \??\D: | vssadmin.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\h: | vssadmin.exe
File opened (read-only) | \??\h: | vssadmin.exe
File opened (read-only) | \??\D: | vssadmin.exe
File opened (read-only) | \??\e: | vssadmin.exe
File opened (read-only) | \??\e: | vssadmin.exe
File opened (read-only) | \??\G: | vssadmin.exe
File opened (read-only) | \??\H: | vssadmin.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\g: | vssadmin.exe
File opened (read-only) | \??\H: | vssadmin.exe
File opened (read-only) | \??\E: | vssadmin.exe
File opened (read-only) | \??\E: | vssadmin.exe
File opened (read-only) | \??\f: | vssadmin.exe
File opened (read-only) | \??\f: | vssadmin.exe
File opened (read-only) | \??\g: | vssadmin.exe
File opened (read-only) | \??\G: | vssadmin.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 14 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (14 instances)
pid | process
1316 | vssadmin.exe
3616 | vssadmin.exe
1952 | vssadmin.exe
1532 | vssadmin.exe
2992 | vssadmin.exe
3876 | vssadmin.exe
2600 | vssadmin.exe
2944 | vssadmin.exe
3360 | vssadmin.exe
3432 | vssadmin.exe
552 | vssadmin.exe
1688 | vssadmin.exe
2540 | vssadmin.exe
2508 | vssadmin.exe
Kills process with taskkill (3 IoCs)
Processes: taskkill.exe (3 instances)
pid | process
1544 | taskkill.exe
1940 | taskkill.exe
1772 | taskkill.exe
Modifies data under HKEY_USERS (41 IoCs)
Processes: WaaSMedicAgent.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
Opens file in notepad (likely ransom note) (1 IoC)
Processes: notepad.exe
pid | process
3956 | notepad.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe, taskkill.exe (3 instances), vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
Token: SeDebugPrivilege | 1544 | taskkill.exe
Token: SeDebugPrivilege | 1940 | taskkill.exe
Token: SeDebugPrivilege | 1772 | taskkill.exe
Token: SeBackupPrivilege | 3464 | vssvc.exe
Token: SeRestorePrivilege | 3464 | vssvc.exe
Token: SeAuditPrivilege | 3464 | vssvc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe, net.exe (5 instances)
description | pid | process | target process
PID 1356 wrote to memory of 3148 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | net.exe
PID 1356 wrote to memory of 3148 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | net.exe
PID 3148 wrote to memory of 1816 | 3148 | net.exe | net1.exe
PID 3148 wrote to memory of 1816 | 3148 | net.exe | net1.exe
PID 1356 wrote to memory of 1764 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | net.exe
PID 1356 wrote to memory of 1764 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | net.exe
PID 1764 wrote to memory of 3592 | 1764 | net.exe | net1.exe
PID 1764 wrote to memory of 3592 | 1764 | net.exe | net1.exe
PID 1356 wrote to memory of 2768 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | net.exe
PID 1356 wrote to memory of 2768 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | net.exe
PID 2768 wrote to memory of 3528 | 2768 | net.exe | net1.exe
PID 2768 wrote to memory of 3528 | 2768 | net.exe | net1.exe
PID 1356 wrote to memory of 3872 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | net.exe
PID 1356 wrote to memory of 3872 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | net.exe
PID 3872 wrote to memory of 4056 | 3872 | net.exe | net1.exe
PID 3872 wrote to memory of 4056 | 3872 | net.exe | net1.exe
PID 1356 wrote to memory of 3688 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | net.exe
PID 1356 wrote to memory of 3688 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | net.exe
PID 3688 wrote to memory of 2872 | 3688 | net.exe | net1.exe
PID 3688 wrote to memory of 2872 | 3688 | net.exe | net1.exe
PID 1356 wrote to memory of 2808 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | sc.exe
PID 1356 wrote to memory of 2808 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | sc.exe
PID 1356 wrote to memory of 3740 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | sc.exe
PID 1356 wrote to memory of 3740 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | sc.exe
PID 1356 wrote to memory of 1904 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | sc.exe
PID 1356 wrote to memory of 1904 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | sc.exe
PID 1356 wrote to memory of 3516 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | sc.exe
PID 1356 wrote to memory of 3516 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | sc.exe
PID 1356 wrote to memory of 1544 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | taskkill.exe
PID 1356 wrote to memory of 1544 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | taskkill.exe
PID 1356 wrote to memory of 1940 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | taskkill.exe
PID 1356 wrote to memory of 1940 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | taskkill.exe
PID 1356 wrote to memory of 1772 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | taskkill.exe
PID 1356 wrote to memory of 1772 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | taskkill.exe
PID 1356 wrote to memory of 1688 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 1688 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 2944 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 2944 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 1316 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 1316 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 3616 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 3616 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 3360 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 3360 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 1952 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 1952 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 2540 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 2540 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 1532 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 1532 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 3432 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 3432 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 552 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 552 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 2992 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 2992 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 3876 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 3876 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 2508 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 2508 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 2600 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 2600 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | vssadmin.exe
PID 1356 wrote to memory of 3956 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | notepad.exe
PID 1356 wrote to memory of 3956 | 1356 | befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe | notepad.exe
Processes
Process tree: the bracketed number is the depth of the process in the tree; each entry lists the image path, its command line, and the signatures it triggered.

[1] C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe"
    - Modifies extensions of user files
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SYSTEM32\net.exe
      cmdline: "net.exe" stop avpsus /y
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop avpsus /y

  [2] C:\Windows\SYSTEM32\net.exe
      cmdline: "net.exe" stop McAfeeDLPAgentService /y
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

  [2] C:\Windows\SYSTEM32\net.exe
      cmdline: "net.exe" stop mfewc /y
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop mfewc /y

  [2] C:\Windows\SYSTEM32\net.exe
      cmdline: "net.exe" stop BMR Boot Service /y
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop BMR Boot Service /y

  [2] C:\Windows\SYSTEM32\net.exe
      cmdline: "net.exe" stop NetBackup BMR MTFTP Service /y
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

  [2] C:\Windows\SYSTEM32\sc.exe
      cmdline: "sc.exe" config SQLTELEMETRY start= disabled

  [2] C:\Windows\SYSTEM32\sc.exe
      cmdline: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

  [2] C:\Windows\SYSTEM32\sc.exe
      cmdline: "sc.exe" config SQLWriter start= disabled

  [2] C:\Windows\SYSTEM32\sc.exe
      cmdline: "sc.exe" config SstpSvc start= disabled

  [2] C:\Windows\SYSTEM32\taskkill.exe
      cmdline: "taskkill.exe" /IM mspub.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SYSTEM32\taskkill.exe
      cmdline: "taskkill.exe" /IM mydesktopqos.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SYSTEM32\taskkill.exe
      cmdline: "taskkill.exe" /IM mydesktopservice.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" Delete Shadows /all /quiet
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies

  [2] C:\Windows\SYSTEM32\vssadmin.exe
      cmdline: "vssadmin.exe" Delete Shadows /all /quiet
      - Interacts with shadow copies

  [2] C:\Windows\System32\notepad.exe
      cmdline: "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
      - Opens file in notepad (likely ransom note)

  [2] C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\befc6ff8c63889b72d1f5aec5e5accc1b4098a83cd482a6bb85182ecd640b415.exe

    [3] C:\Windows\system32\choice.exe
        cmdline: choice /C Y /N /D Y /T 3

[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\WaaSMedicAgent.exe
    cmdline: C:\Windows\System32\WaaSMedicAgent.exe 5b5fec777df30a008dec35087d2b3422 vadgS/xhVESohyLQi8mm+A.0.1.0.0.0
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
MD5: 3a59afa0aa37538a33311926830fe0cb
SHA1: 359cc8ee4bcbf8499a5227b081206acc3d87b453
SHA256: 7416f2e932e0b94d506f15d304739b2c264d08f1f34ce5bce52408493d51fca1
SHA512: 46af7fc17469e66eef65ec02a8afeb772c301e52b061d9773b333b35dba7f2baf695d767668a3875223c1f02c8d9ac403fbb443a5db9b1ed5a8d583f0b023c15

memory/1356-130-0x00000000002C0000-0x0000000000306000-memory.dmp
Filesize: 280KB

memory/1356-131-0x0000000002570000-0x0000000002572000-memory.dmp
Filesize: 8KB