Analysis
max time kernel: 128s
max time network: 50s
platform: windows7_x64
resource: win7-20220414-en
submitted: 07-06-2022 18:28

Static task: static1

Behavioral task: behavioral1
  Sample: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  Resource: win10v2004-20220414-en
General
Target: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
Size: 62KB
MD5: 131a20e9f579bc9f7dd9832b4c5f25bd
SHA1: 83979db718962e3a0b45e5f70320fe5b4f009b7c
SHA256: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154
SHA512: 92e83892f635efb13d6f268ccab884b2079451a82a1e53a8482c632e126b14d3453c5ab17463d55b4cd2341d6b44034eb523867258932a9cd47deba435494f1c
Malware Config
Extracted
Path: C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
Family: hakbit
Emails: torsec1@secmail.pro, agarrard@protonmail.com
Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  description | ioc | process
  File created | C:\Users\Admin\Pictures\InstallRequest.png.crypted | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  File created | C:\Users\Admin\Pictures\UnlockSubmit.png.crypted | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  File created | C:\Users\Admin\Pictures\SubmitLimit.tiff.crypted | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  File opened for modification | C:\Users\Admin\Pictures\SubmitLimit.tiff | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
Deletes itself (1 IoC)
Processes: cmd.exe
  pid | process
  216 | cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 18 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: vssadmin.exe (10 instances)
  description | ioc | process
  File opened (read-only) | \??\e: | vssadmin.exe
  File opened (read-only) | \??\E: | vssadmin.exe
  File opened (read-only) | \??\G: | vssadmin.exe
  File opened (read-only) | \??\G: | vssadmin.exe
  File opened (read-only) | \??\H: | vssadmin.exe
  File opened (read-only) | \??\D: | vssadmin.exe
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\h: | vssadmin.exe
  File opened (read-only) | \??\E: | vssadmin.exe
  File opened (read-only) | \??\f: | vssadmin.exe
  File opened (read-only) | \??\g: | vssadmin.exe
  File opened (read-only) | \??\H: | vssadmin.exe
  File opened (read-only) | \??\D: | vssadmin.exe
  File opened (read-only) | \??\e: | vssadmin.exe
  File opened (read-only) | \??\f: | vssadmin.exe
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\g: | vssadmin.exe
  File opened (read-only) | \??\h: | vssadmin.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Launches sc.exe (4 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (4 instances)
  pid | process
  1064 | sc.exe
  1504 | sc.exe
  1512 | sc.exe
  1352 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 14 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (14 instances)
  pid | process
  1584 | vssadmin.exe
  1072 | vssadmin.exe
  232 | vssadmin.exe
  560 | vssadmin.exe
  1004 | vssadmin.exe
  924 | vssadmin.exe
  1576 | vssadmin.exe
  1388 | vssadmin.exe
  1272 | vssadmin.exe
  1888 | vssadmin.exe
  1180 | vssadmin.exe
  828 | vssadmin.exe
  1988 | vssadmin.exe
  1760 | vssadmin.exe
Kills process with taskkill (3 IoCs)
Processes: taskkill.exe (3 instances)
  pid | process
  1976 | taskkill.exe
  564 | taskkill.exe
  1696 | taskkill.exe

Opens file in notepad (likely ransom note) (1 IoC)
Processes: notepad.exe
  pid | process
  224 | notepad.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  pid | process
  1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe (this same entry is listed 64 times, once per IoC)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe, taskkill.exe (3 instances), vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  Token: SeDebugPrivilege | 1976 | taskkill.exe
  Token: SeDebugPrivilege | 564 | taskkill.exe
  Token: SeDebugPrivilege | 1696 | taskkill.exe
  Token: SeBackupPrivilege | 764 | vssvc.exe
  Token: SeRestorePrivilege | 764 | vssvc.exe
  Token: SeAuditPrivilege | 764 | vssvc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe, net.exe (5 instances)
The report lists most parent/child pairs three times; the "entries" column gives the number of times each row appears (the counts sum to 64).
  description | pid | process | target process | entries
  PID 1320 wrote to memory of 956 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | net.exe | 3
  PID 956 wrote to memory of 1312 | 956 | net.exe | net1.exe | 3
  PID 1320 wrote to memory of 816 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | net.exe | 3
  PID 816 wrote to memory of 1156 | 816 | net.exe | net1.exe | 3
  PID 1320 wrote to memory of 1772 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | net.exe | 3
  PID 1772 wrote to memory of 276 | 1772 | net.exe | net1.exe | 3
  PID 1320 wrote to memory of 1488 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | net.exe | 3
  PID 1488 wrote to memory of 1720 | 1488 | net.exe | net1.exe | 3
  PID 1320 wrote to memory of 584 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | net.exe | 3
  PID 584 wrote to memory of 840 | 584 | net.exe | net1.exe | 3
  PID 1320 wrote to memory of 1064 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | sc.exe | 3
  PID 1320 wrote to memory of 1504 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | sc.exe | 3
  PID 1320 wrote to memory of 1512 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | sc.exe | 3
  PID 1320 wrote to memory of 1352 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | sc.exe | 3
  PID 1320 wrote to memory of 1976 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | taskkill.exe | 3
  PID 1320 wrote to memory of 564 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | taskkill.exe | 3
  PID 1320 wrote to memory of 1696 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | taskkill.exe | 3
  PID 1320 wrote to memory of 560 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe | 3
  PID 1320 wrote to memory of 1388 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe | 3
  PID 1320 wrote to memory of 1272 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe | 3
  PID 1320 wrote to memory of 828 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe | 3
  PID 1320 wrote to memory of 1584 | 1320 | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe | vssadmin.exe | 1
Processes
(each entry gives the image path, then the command line on the next line, then the signatures that matched that process)

C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  "C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe"
  - Modifies extensions of user files
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\net.exe
  "net.exe" stop avpsus /y
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\net.exe
  "net.exe" stop mfewc /y
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\net.exe
  "net.exe" stop BMR Boot Service /y
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\system32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  - Launches sc.exe

C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  - Launches sc.exe

C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  - Launches sc.exe

C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  - Launches sc.exe

C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  - Interacts with shadow copies

C:\Windows\system32\arp.exe
  "arp" -a

C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
  - Opens file in notepad (likely ransom note)

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
  - Deletes itself

C:\Windows\system32\choice.exe
  choice /C Y /N /D Y /T 3

C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop mfewc /y

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Downloads
C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
  Filesize: 1KB
  MD5: 8eeaf94e5bee22d7d1b45741ca864fea
  SHA1: 1ed97386d363f123338777928dcfa16f4e234fcc
  SHA256: 71000bcee4c6a84dfc2bec4d9fc86843e1038cdd10741f44932505883b9706d4
  SHA512: fa4870a61fd7264ee8c0f8a3957e62c4601b8ddc86b802b8a6909dffde4beaedf4091cea50485ae91371dd5ca343af85a7d1a71566439194de27eb108ca6e4ee

memory/216-90-0x0000000000000000-mapping.dmp
memory/224-88-0x0000000000000000-mapping.dmp
memory/232-82-0x0000000000000000-mapping.dmp
memory/276-60-0x0000000000000000-mapping.dmp
memory/560-72-0x0000000000000000-mapping.dmp
memory/564-70-0x0000000000000000-mapping.dmp
memory/584-63-0x0000000000000000-mapping.dmp
memory/632-92-0x0000000000000000-mapping.dmp
memory/816-57-0x0000000000000000-mapping.dmp
memory/828-75-0x0000000000000000-mapping.dmp
memory/840-64-0x0000000000000000-mapping.dmp
memory/924-81-0x0000000000000000-mapping.dmp
memory/956-55-0x0000000000000000-mapping.dmp
memory/1004-79-0x0000000000000000-mapping.dmp
memory/1064-65-0x0000000000000000-mapping.dmp
memory/1072-80-0x0000000000000000-mapping.dmp
memory/1156-58-0x0000000000000000-mapping.dmp
memory/1180-83-0x0000000000000000-mapping.dmp
memory/1272-74-0x0000000000000000-mapping.dmp
memory/1312-56-0x0000000000000000-mapping.dmp
memory/1320-86-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp (Filesize: 8KB)
memory/1320-54-0x0000000000C70000-0x0000000000C86000-memory.dmp (Filesize: 88KB)
memory/1352-68-0x0000000000000000-mapping.dmp
memory/1388-73-0x0000000000000000-mapping.dmp
memory/1488-61-0x0000000000000000-mapping.dmp
memory/1504-66-0x0000000000000000-mapping.dmp
memory/1512-67-0x0000000000000000-mapping.dmp
memory/1576-85-0x0000000000000000-mapping.dmp
memory/1584-76-0x0000000000000000-mapping.dmp
memory/1676-87-0x0000000000000000-mapping.dmp
memory/1696-71-0x0000000000000000-mapping.dmp
memory/1720-62-0x0000000000000000-mapping.dmp
memory/1760-84-0x0000000000000000-mapping.dmp
memory/1772-59-0x0000000000000000-mapping.dmp
memory/1888-77-0x0000000000000000-mapping.dmp
memory/1976-69-0x0000000000000000-mapping.dmp
memory/1988-78-0x0000000000000000-mapping.dmp