hakbit | 64c665b2dbdaca4a20aaef96d625091757008c88b49d71070e4eefcd45d986d8

Resubmissions

10-05-2024 17:13

240510-vrrk4sgd7t 10

10-05-2024 17:09

240510-vphv7abd29 10

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

High Priority/Client-2.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit evasion execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: pY/d2jeqp5D5RBm4CYl0dBR7llMWl4JTXZ9SCKxOIRcgmMljtdKKQrnIyRYZSdl39amF7KyrErkUHAPEpna/XNNnG/WFL0sjnO4RU2FLxKVZLFbMBdDouj5byNLJgG7b/T9TwWcEUDcxZEoNlrkBVb0PUqlNFHE8MohgCqdfv8kZWZ9lzG+6SRegZ4+617L+3aaT6q0+8QzcsRBaGHC9r1OdeTZXBzf6Ky29zDHH56/gG2tmJVD7DbsVpugBDza9kSE4nH1atfRqIEFU8YOcsOlErnlNTHFJ5YE5nE5LOpM4o2dFB/yk0wnz8641/GcBX7Y0yWXoeQowN5h+CFZU+mKY+aE14zyc7N2aWdrOa9qyQzAGUtITyTiH0YPkYsDzjJLxu+sw/pRi74VxJjXxw4iR1W/UihWWHfWT1XsAaxcfydjfRalFwd9fyAV1g6/FrUM/4NOZzydODqdkKakle08KgDiMuP+Qi2mt/aR+nrujWLjWDPs7qAkZWTq8hYaPDJasAExnxy2wBEPx6chp02VHhd3acqIBuwvE02t7WH8zueW9dYWTGQ5V0UGK7hrx3MyHT0DxGXjkKYuW0aLdCDDTDxWHjzhWehzAmz/A3daVXVlvKTw3RIITurKStliQM7SAyMjpVQOOS4aukRSrShRf34UQislnsUu0sFNpyas= Number of files that were processed is: 462

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client-2.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	Client-2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1196	sc.exe
4356	sc.exe
2116	sc.exe
1208	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 47 IoCs

evasion

pid	Process
3128	taskkill.exe
4776	taskkill.exe
1112	taskkill.exe
3116	taskkill.exe
2740	taskkill.exe
4952	taskkill.exe
1900	taskkill.exe
4824	taskkill.exe
1152	taskkill.exe
3992	taskkill.exe
3604	taskkill.exe
1988	taskkill.exe
2524	taskkill.exe
4972	taskkill.exe
2372	taskkill.exe
4156	taskkill.exe
4932	taskkill.exe
3472	taskkill.exe
2460	taskkill.exe
3200	taskkill.exe
4716	taskkill.exe
3764	taskkill.exe
2956	taskkill.exe
3732	taskkill.exe
3740	taskkill.exe
2920	taskkill.exe
1740	taskkill.exe
3868	taskkill.exe
2224	taskkill.exe
4864	taskkill.exe
4908	taskkill.exe
712	taskkill.exe
3088	taskkill.exe
4380	taskkill.exe
4512	taskkill.exe
4088	taskkill.exe
1880	taskkill.exe
4688	taskkill.exe
544	taskkill.exe
2160	taskkill.exe
4136	taskkill.exe
2728	taskkill.exe
2272	taskkill.exe
3528	taskkill.exe
4820	taskkill.exe
3152	taskkill.exe
3184	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1928	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6044	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe
1788	Client-2.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	Client-2.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	712	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	3088	taskkill.exe
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	3472	taskkill.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	3184	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	3116	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	3152	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1788	Client-2.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1788	Client-2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2116	1788	Client-2.exe	82
PID 1788 wrote to memory of 2116	1788	Client-2.exe	82
PID 1788 wrote to memory of 4356	1788	Client-2.exe	83
PID 1788 wrote to memory of 4356	1788	Client-2.exe	83
PID 1788 wrote to memory of 1196	1788	Client-2.exe	84
PID 1788 wrote to memory of 1196	1788	Client-2.exe	84
PID 1788 wrote to memory of 1208	1788	Client-2.exe	85
PID 1788 wrote to memory of 1208	1788	Client-2.exe	85
PID 1788 wrote to memory of 3604	1788	Client-2.exe	86
PID 1788 wrote to memory of 3604	1788	Client-2.exe	86
PID 1788 wrote to memory of 4776	1788	Client-2.exe	87
PID 1788 wrote to memory of 4776	1788	Client-2.exe	87
PID 1788 wrote to memory of 2460	1788	Client-2.exe	88
PID 1788 wrote to memory of 2460	1788	Client-2.exe	88
PID 1788 wrote to memory of 3472	1788	Client-2.exe	89
PID 1788 wrote to memory of 3472	1788	Client-2.exe	89
PID 1788 wrote to memory of 4932	1788	Client-2.exe	90
PID 1788 wrote to memory of 4932	1788	Client-2.exe	90
PID 1788 wrote to memory of 4380	1788	Client-2.exe	91
PID 1788 wrote to memory of 4380	1788	Client-2.exe	91
PID 1788 wrote to memory of 4156	1788	Client-2.exe	92
PID 1788 wrote to memory of 4156	1788	Client-2.exe	92
PID 1788 wrote to memory of 3764	1788	Client-2.exe	93
PID 1788 wrote to memory of 3764	1788	Client-2.exe	93
PID 1788 wrote to memory of 3992	1788	Client-2.exe	94
PID 1788 wrote to memory of 3992	1788	Client-2.exe	94
PID 1788 wrote to memory of 2160	1788	Client-2.exe	95
PID 1788 wrote to memory of 2160	1788	Client-2.exe	95
PID 1788 wrote to memory of 1900	1788	Client-2.exe	96
PID 1788 wrote to memory of 1900	1788	Client-2.exe	96
PID 1788 wrote to memory of 3088	1788	Client-2.exe	97
PID 1788 wrote to memory of 3088	1788	Client-2.exe	97
PID 1788 wrote to memory of 3128	1788	Client-2.exe	98
PID 1788 wrote to memory of 3128	1788	Client-2.exe	98
PID 1788 wrote to memory of 712	1788	Client-2.exe	99
PID 1788 wrote to memory of 712	1788	Client-2.exe	99
PID 1788 wrote to memory of 2072	1788	Client-2.exe	112
PID 1788 wrote to memory of 2072	1788	Client-2.exe	112
PID 1788 wrote to memory of 2224	1788	Client-2.exe	120
PID 1788 wrote to memory of 2224	1788	Client-2.exe	120
PID 1788 wrote to memory of 2372	1788	Client-2.exe	121
PID 1788 wrote to memory of 2372	1788	Client-2.exe	121
PID 1788 wrote to memory of 3184	1788	Client-2.exe	122
PID 1788 wrote to memory of 3184	1788	Client-2.exe	122
PID 1788 wrote to memory of 4952	1788	Client-2.exe	123
PID 1788 wrote to memory of 4952	1788	Client-2.exe	123
PID 1788 wrote to memory of 3732	1788	Client-2.exe	124
PID 1788 wrote to memory of 3732	1788	Client-2.exe	124
PID 1788 wrote to memory of 4716	1788	Client-2.exe	125
PID 1788 wrote to memory of 4716	1788	Client-2.exe	125
PID 1788 wrote to memory of 2956	1788	Client-2.exe	126
PID 1788 wrote to memory of 2956	1788	Client-2.exe	126
PID 1788 wrote to memory of 4908	1788	Client-2.exe	127
PID 1788 wrote to memory of 4908	1788	Client-2.exe	127
PID 1788 wrote to memory of 3152	1788	Client-2.exe	128
PID 1788 wrote to memory of 3152	1788	Client-2.exe	128
PID 1788 wrote to memory of 4972	1788	Client-2.exe	129
PID 1788 wrote to memory of 4972	1788	Client-2.exe	129
PID 1788 wrote to memory of 2524	1788	Client-2.exe	130
PID 1788 wrote to memory of 2524	1788	Client-2.exe	130
PID 1788 wrote to memory of 544	1788	Client-2.exe	131
PID 1788 wrote to memory of 544	1788	Client-2.exe	131
PID 1788 wrote to memory of 4864	1788	Client-2.exe	132
PID 1788 wrote to memory of 4864	1788	Client-2.exe	132

C:\Users\Admin\AppData\Local\Temp\High Priority\Client-2.exe
"C:\Users\Admin\AppData\Local\Temp\High Priority\Client-2.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:2116
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:4356
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:1196
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3604
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3088
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:712
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:2072
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:2956
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1928
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5004
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:6044
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\High Priority\Client-2.exe
  2⤵
  PID:2224
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
a74f88f7f7fee0551528188d5358df6f

SHA1
ff4965eb456697e673cb27b11d4dc14fa1bae1b2

SHA256
7078f9bc8cfaab783ae0b578e906f84943b036ef47006644f393d9a4c79c12b3

SHA512
af798a616d79af4f5e833d953f6f40c2f4a453de7f96427d75a33d6e8b11a87a87519a250358292bcec6de2400969c81f3e3737d784cddf7d5b542c9591c2794

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
ac66fa583bd393d98393d359210a8210

SHA1
f735fe4effbf3cea7ac2999510af523614a6fafd

SHA256
b00cb574d57f686bacf0d654f312cb3cbb932763679d83368adcdc6f114a6344

SHA512
8be74545ba8c3fc6f7420ab0325d9a1ccbbc3056be163afb8837cf130bea0db54e398467db2f26bbaf05bb61d5cfa5d10cf93b8cb5c5a4581e6137b62a64863c

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
248fca4139f69dc9220e1fe44d72db72

SHA1
06a7cba1ea5c4537afaadce31011d441103a8d78

SHA256
08a9e7386af347fb56d1e0434ee0bd4f318d56ec64c8432d60fd651393a0c5ca

SHA512
6961f401fb74d3a4b5dacacc86363054d62e56e70de38483848b56d0aeef645c7443c1917960fb326a963c42e78973ab743bd1e5bbaaf89b493f1655898af036

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
bd25ba128f50101b244883eb762798ed

SHA1
fb36e86cd64171437ac85438f807c7514868de71

SHA256
a11be07372ba30e9c36694f6c3217eb75142a6dd6e158f168e1b615d851d8869

SHA512
28360bec28e386535e0b8751514fa5ae883167e5b4505201ba053d8b1500a3314f440059bdbb5b1b5e33873296032f873623eb49885c371537961f62e9d026c4

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
7511d1f7a703843db8e6bf4735693e7d

SHA1
79ada85b0519b8887b209171d30473399018a1ab

SHA256
b18e79296d0b142acf9ec30269970f285ce6adffe209c11cd0aaeb596447a752

SHA512
6662170bdaf78ee276ff0296bd3729c3231377d14094818a97f68989a7fadcff38514d252330fb6a2678c879bcaa80dee55086a960c28563b606cfc4c978616d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3qanh23.iyk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
08c270bd08818cddeab5219de0129610

SHA1
8d9fc74187c9ed342c24a7f5a74c3dd297ba39ba

SHA256
36923dbedc306f831520443ce6bda394c3143d6148c28accfd807a300090fa77

SHA512
7df60f298a4f397931ee955d535822c9700bf95b45a598975a9a6ff2ce6939b2e0d363ed4958644dd04818cf762886316ee87a43dd0b16b73aacc27ad6726599

Download Submit
memory/1788-3-0x00007FFF8D2A0000-0x00007FFF8DD61000-memory.dmp

Filesize
10.8MB

Download
memory/1788-0-0x00007FFF8D2A3000-0x00007FFF8D2A5000-memory.dmp

Filesize
8KB

Download
memory/1788-1-0x0000000000660000-0x000000000067A000-memory.dmp

Filesize
104KB

Download
memory/1788-581-0x00007FFF8D2A0000-0x00007FFF8DD61000-memory.dmp

Filesize
10.8MB

Download
memory/5092-13-0x000001F3F28D0000-0x000001F3F28F2000-memory.dmp

Filesize
136KB

Download