hakbit | a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154

General

Target

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
Size

62KB
MD5

131a20e9f579bc9f7dd9832b4c5f25bd
SHA1

83979db718962e3a0b45e5f70320fe5b4f009b7c
SHA256

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154
SHA512

92e83892f635efb13d6f268ccab884b2079451a82a1e53a8482c632e126b14d3453c5ab17463d55b4cd2341d6b44034eb523867258932a9cd47deba435494f1c

Score

10^/10

hakbit ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 1 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: torsec1@secmail.pro agarrard@protonmail.com Bitcoin wallet to make the transfer to is: 1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ JF2ae85uI+qcJGrh/PT5oWG8IAmo/+JAXYzpaqtvTaj2JEnTJ9yBQOSV6ApaKD/C9UlRWF7uGWeOUzyX5NYqdSLJr2ZKVlRBxZzRSIs1j7wqvHbVB6deFJspSspk6p6KjPkg5TOK9LofUgvPwPk6/PAF5Xvk8OtX1qbeopJLzoJ1v0OViMvPOS9V/TV6tshC1XNIwTYKCo6MmK8j+Gg+5mC4tkrOMXiCr1WT7WXKCzf4Lmi5mA2Tzgp0EpXG1tkFRn0S2Cgs3QBPQ5VlG1jZTccorKLk1xEB1ZjZ9/9jp3xBi4bEtbn3TJj5Ryscc4gPf039Oiuyxlph/LBDw1rmGA== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Emails

torsec1@secmail.pro

agarrard@protonmail.com

Signatures

Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\InstallRequest.png.crypted	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
File created	C:\Users\Admin\Pictures\UnlockSubmit.png.crypted	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
File created	C:\Users\Admin\Pictures\SubmitLimit.tiff.crypted	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitLimit.tiff	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

216 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
216	cmd.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1064 sc.exe
1504 sc.exe
1512 sc.exe
1352 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1064	sc.exe
1504	sc.exe
1512	sc.exe
1352	sc.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1584	vssadmin.exe
1072	vssadmin.exe
232	vssadmin.exe
560	vssadmin.exe
1004	vssadmin.exe
924	vssadmin.exe
1576	vssadmin.exe
1388	vssadmin.exe
1272	vssadmin.exe
1888	vssadmin.exe
1180	vssadmin.exe
828	vssadmin.exe
1988	vssadmin.exe
1760	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1976 taskkill.exe
564 taskkill.exe
1696 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

224 notepad.exe
Runs net.exe

pid	process
1976	taskkill.exe
564	taskkill.exe
1696	taskkill.exe

pid	process
224	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe

pid	process
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeBackupPrivilege	764	vssvc.exe
Token: SeRestorePrivilege	764	vssvc.exe
Token: SeAuditPrivilege	764	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1320 wrote to memory of 956	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1320 wrote to memory of 956	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1320 wrote to memory of 956	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 956 wrote to memory of 1312	956	net.exe	net1.exe
PID 956 wrote to memory of 1312	956	net.exe	net1.exe
PID 956 wrote to memory of 1312	956	net.exe	net1.exe
PID 1320 wrote to memory of 816	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1320 wrote to memory of 816	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1320 wrote to memory of 816	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 816 wrote to memory of 1156	816	net.exe	net1.exe
PID 816 wrote to memory of 1156	816	net.exe	net1.exe
PID 816 wrote to memory of 1156	816	net.exe	net1.exe
PID 1320 wrote to memory of 1772	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1320 wrote to memory of 1772	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1320 wrote to memory of 1772	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1772 wrote to memory of 276	1772	net.exe	net1.exe
PID 1772 wrote to memory of 276	1772	net.exe	net1.exe
PID 1772 wrote to memory of 276	1772	net.exe	net1.exe
PID 1320 wrote to memory of 1488	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1320 wrote to memory of 1488	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1320 wrote to memory of 1488	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1488 wrote to memory of 1720	1488	net.exe	net1.exe
PID 1488 wrote to memory of 1720	1488	net.exe	net1.exe
PID 1488 wrote to memory of 1720	1488	net.exe	net1.exe
PID 1320 wrote to memory of 584	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1320 wrote to memory of 584	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 1320 wrote to memory of 584	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 584 wrote to memory of 840	584	net.exe	net1.exe
PID 584 wrote to memory of 840	584	net.exe	net1.exe
PID 584 wrote to memory of 840	584	net.exe	net1.exe
PID 1320 wrote to memory of 1064	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1064	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1064	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1504	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1504	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1504	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1512	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1512	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1512	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1352	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1352	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1352	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 1320 wrote to memory of 1976	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 1320 wrote to memory of 1976	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 1320 wrote to memory of 1976	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 1320 wrote to memory of 564	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 1320 wrote to memory of 564	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 1320 wrote to memory of 564	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 1320 wrote to memory of 1696	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 1320 wrote to memory of 1696	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 1320 wrote to memory of 1696	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 1320 wrote to memory of 560	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 560	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 560	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 1388	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 1388	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 1388	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 1272	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 1272	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 1272	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 828	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 828	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 828	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 1320 wrote to memory of 1584	1320	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
"C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\system32\net.exe
"net.exe" stop avpsus /y
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:1312

C:\Windows\system32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:1156

C:\Windows\system32\net.exe
"net.exe" stop mfewc /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:1720

C:\Windows\system32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:840

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
- Launches sc.exe
PID:1064

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
- Launches sc.exe
PID:1504

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
- Launches sc.exe
PID:1512

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
- Launches sc.exe
PID:1352

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:560

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1388

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1272

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:828

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1584

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1888

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1988

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1004

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1072

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:924

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:232

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1180

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1760

C:\Windows\system32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1576

C:\Windows\system32\arp.exe
"arp" -a
2⤵
PID:1676

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
2⤵
- Deletes itself
PID:216

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
Filesize
1KB

MD5
8eeaf94e5bee22d7d1b45741ca864fea

SHA1
1ed97386d363f123338777928dcfa16f4e234fcc

SHA256
71000bcee4c6a84dfc2bec4d9fc86843e1038cdd10741f44932505883b9706d4

SHA512
fa4870a61fd7264ee8c0f8a3957e62c4601b8ddc86b802b8a6909dffde4beaedf4091cea50485ae91371dd5ca343af85a7d1a71566439194de27eb108ca6e4ee

Download Submit
memory/216-90-0x0000000000000000-mapping.dmp

Download
memory/224-88-0x0000000000000000-mapping.dmp

Download
memory/232-82-0x0000000000000000-mapping.dmp

Download
memory/276-60-0x0000000000000000-mapping.dmp

Download
memory/560-72-0x0000000000000000-mapping.dmp

Download
memory/564-70-0x0000000000000000-mapping.dmp

Download
memory/584-63-0x0000000000000000-mapping.dmp

Download
memory/632-92-0x0000000000000000-mapping.dmp

Download
memory/816-57-0x0000000000000000-mapping.dmp

Download
memory/828-75-0x0000000000000000-mapping.dmp

Download
memory/840-64-0x0000000000000000-mapping.dmp

Download
memory/924-81-0x0000000000000000-mapping.dmp

Download
memory/956-55-0x0000000000000000-mapping.dmp

Download
memory/1004-79-0x0000000000000000-mapping.dmp

Download
memory/1064-65-0x0000000000000000-mapping.dmp

Download
memory/1072-80-0x0000000000000000-mapping.dmp

Download
memory/1156-58-0x0000000000000000-mapping.dmp

Download
memory/1180-83-0x0000000000000000-mapping.dmp

Download
memory/1272-74-0x0000000000000000-mapping.dmp

Download
memory/1312-56-0x0000000000000000-mapping.dmp

Download
memory/1320-86-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1320-54-0x0000000000C70000-0x0000000000C86000-memory.dmp

Filesize
88KB

Download
memory/1352-68-0x0000000000000000-mapping.dmp

Download
memory/1388-73-0x0000000000000000-mapping.dmp

Download
memory/1488-61-0x0000000000000000-mapping.dmp

Download
memory/1504-66-0x0000000000000000-mapping.dmp

Download
memory/1512-67-0x0000000000000000-mapping.dmp

Download
memory/1576-85-0x0000000000000000-mapping.dmp

Download
memory/1584-76-0x0000000000000000-mapping.dmp

Download
memory/1676-87-0x0000000000000000-mapping.dmp

Download
memory/1696-71-0x0000000000000000-mapping.dmp

Download
memory/1720-62-0x0000000000000000-mapping.dmp

Download
memory/1760-84-0x0000000000000000-mapping.dmp

Download
memory/1772-59-0x0000000000000000-mapping.dmp

Download
memory/1888-77-0x0000000000000000-mapping.dmp

Download
memory/1976-69-0x0000000000000000-mapping.dmp

Download
memory/1988-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads