hakbit | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
1794s
max time network
1805s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/Client-2.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit evasion execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: J8d32huzKVg+Ig4aiITkrInBgEr7jdZGRzgdGuqiHY9kDsx3OE+MxXh9wITplZAL4NDc4OGTgSib+R8bu18LNI0SpNchdulndVEs7Es0wvKixS7q6+IN3IFG44VzrBVZ3zVO+tkpTv7AHoXDAPShjQGIgQP2SmbzD6tymx/3gUm+QG25EyS3HU595S/jYyDf0AQ3Nrfz0WhE/aiTBc6LhfKn4rNMp7B7KE4t4fodZ8tdzH29buuSwvpRfYOXFeiCIDGMBjD283uEVAT61CJvQon6jVQPrQhhbfNqVepNHXIEmseCyHm6t5pc2H52I2KaFUsrNwjb7dVedXestp4SQaADz5YeNYYV8as1bAEzeKhYcTsQUZYQ8Z33aKbt55ohICD4S7qt5pHsUAlbvUdFNMikchDCmRDetZdX2FAD/kRfvMtF03MvLqB6cq8CX52Rd+UPLT4zuKBiAQGFDSyzRPDoC1a2P20g90MSUVnhpefB8U75VacnfsLdnnwMwvNOiP32xz3E7REAXnca3cm/xWBir61NncRRY/EFb2JY0w3zZOiSoCxpd5Voxw9EB+Jd99+0ksyIxc5bDyR//mzrRGa90+4ItH0jFYW63uT4eWzt032dZub2S8i0xadnUAecLGU//1hV3gR2gWpe0kLrD2a/Dne8CzQHO7obb79f1IY= Number of files that were processed is: 441

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client-2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client-2.exe

Drops startup file 1 IoCs

Processes:

Client-2.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk Client-2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4872 sc.exe
1092 sc.exe
3852 sc.exe
4544 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	Client-2.exe

pid	process
4872	sc.exe
1092	sc.exe
3852	sc.exe
4544	sc.exe

Kills process with taskkill 47 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2580	taskkill.exe
4672	taskkill.exe
4636	taskkill.exe
2172	taskkill.exe
1120	taskkill.exe
1444	taskkill.exe
828	taskkill.exe
752	taskkill.exe
3164	taskkill.exe
1492	taskkill.exe
1336	taskkill.exe
872	taskkill.exe
2636	taskkill.exe
3704	taskkill.exe
4980	taskkill.exe
3256	taskkill.exe
1852	taskkill.exe
1624	taskkill.exe
2992	taskkill.exe
3772	taskkill.exe
4192	taskkill.exe
3372	taskkill.exe
3224	taskkill.exe
4076	taskkill.exe
3696	taskkill.exe
3248	taskkill.exe
1964	taskkill.exe
4240	taskkill.exe
4984	taskkill.exe
368	taskkill.exe
1520	taskkill.exe
4548	taskkill.exe
5052	taskkill.exe
2272	taskkill.exe
2308	taskkill.exe
2708	taskkill.exe
3220	taskkill.exe
1164	taskkill.exe
4588	taskkill.exe
4572	taskkill.exe
4284	taskkill.exe
556	taskkill.exe
2324	taskkill.exe
1428	taskkill.exe
4028	taskkill.exe
5100	taskkill.exe
3560	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1632 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5776 PING.EXE

pid	process
1632	notepad.exe

pid	process
5776	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client-2.exe

pid	process
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe
2568	Client-2.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

Client-2.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2568	Client-2.exe
Token: SeDebugPrivilege	4984	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	4192	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	3248	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	3704	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	3372	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	3224	taskkill.exe
Token: SeDebugPrivilege	3256	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	4840	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Client-2.exe

pid process

2568 Client-2.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Client-2.exe

pid process

2568 Client-2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-2.exe

description	pid	process	target process
PID 2568 wrote to memory of 1092	2568	Client-2.exe	sc.exe
PID 2568 wrote to memory of 1092	2568	Client-2.exe	sc.exe
PID 2568 wrote to memory of 4872	2568	Client-2.exe	sc.exe
PID 2568 wrote to memory of 4872	2568	Client-2.exe	sc.exe
PID 2568 wrote to memory of 4544	2568	Client-2.exe	sc.exe
PID 2568 wrote to memory of 4544	2568	Client-2.exe	sc.exe
PID 2568 wrote to memory of 3852	2568	Client-2.exe	sc.exe
PID 2568 wrote to memory of 3852	2568	Client-2.exe	sc.exe
PID 2568 wrote to memory of 4984	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4984	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 2272	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 2272	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 3780	2568	Client-2.exe	cmd.exe
PID 2568 wrote to memory of 3780	2568	Client-2.exe	cmd.exe
PID 2568 wrote to memory of 828	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 828	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 2580	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 2580	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 2308	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 2308	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4284	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4284	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 3560	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 3560	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 1444	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 1444	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 3772	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 3772	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4192	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4192	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 5052	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 5052	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 3164	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 3164	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4572	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4572	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 3256	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 3256	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 1120	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 1120	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4240	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4240	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 2172	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 2172	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4588	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4588	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 1964	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 1964	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4636	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4636	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4548	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4548	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4980	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 4980	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 3704	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 3704	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 1520	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 1520	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 5100	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 5100	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 2636	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 2636	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 368	2568	Client-2.exe	taskkill.exe
PID 2568 wrote to memory of 368	2568	Client-2.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:1092
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:4872
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:4544
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3852
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:3780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3256
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4548
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3248
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3696
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3224
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1632
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5888
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:5776
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
  2⤵
  PID:2080
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4084,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=1680 /prefetch:8
1⤵
PID:6700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1404,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=2468 /prefetch:8
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
1964c7fb9ebc3dfe7d83955d125c71ff

SHA1
32eb06f534e5c6dc718c9deeb93bbb768e3eefe9

SHA256
2912dad15db3290cf595606761bbf70594b23a45b0869cbf2769dc96e76c5357

SHA512
0038603b0c2251eccdc70adfe02ddebf01eb91319d1ac4cdd94b87cf5577a3ddbee405995efca2062c13a4d006032548e7da0b1edfa5b3a3dd1201330bbf65be

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
729780f3e432cbafaaea8de045960377

SHA1
9f82179cf3d2aaa623d9f68eafc4059e21c3e836

SHA256
05498bfac74c818c5cf43af25c73ea92f23546f6087712d99ddefd5ed042bf95

SHA512
0ca497f39d7c02913b285ec06cc9400b4eaf2ea2097430778b09c85f2cd94d4fe1e39383e7a9b6535727b266f10d2ee4db264edbe49d8a622935f44250f58ae4

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
eb28637f05b203758cbf9b614fa331b9

SHA1
f60aa4f5adf5ba7725fb0df7cb75ee5c096641f3

SHA256
ddc91e9c08a7f56f24055f4c892f59e3b292e4232fb2888f57a6a507201c761d

SHA512
837ddf90d26e374692d80785e2da0b7645dfa88f1dfebccd917010845316da54b401106910f153657b274795bd8408e79b84eb357e7c44b2ab39118784f82434

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
bdfd54639c22d4fde441fd455a5e72a2

SHA1
3a86fbf43ae0b402e9ddf8aba9e2cdbbc073fdae

SHA256
64bbb364b4faf1afcc69e41c3da1a56777c7064beeb2dd33d67901a39f267433

SHA512
19f8cc989f92538e8b224af8c51604d9ef9cbc1d3438f78914963ce76f010fe2d26f2bf6d9293caea662eb7cb4960166a252e1246592329c56c79cc668d4ce82

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
3aa8c48069dee49121d8669b53e4660a

SHA1
a628e726e36ad8e6d1e8958c66dcc6bfef77a0e6

SHA256
a9f3748c041b7bfd83b829f0dc19597391928264ebed09e4937deedd2232e834

SHA512
7ae87923606142d7327010b5c9d8235c39e95724a4f97d39832f7e5e7ee0bbbe26f730e2453e491ead13b085e3c6dc6eb34270ab78c7079887372c02ca792bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qku0prtn.qdy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
19a3c2f197b43912369b3041d86c3e37

SHA1
5d5094f4c01c027be108770ee8e8043279532a25

SHA256
6088c6d2e7f2c02ee2ccda670fa67d1464b0dd615764fb3c7bef71f9c3bcfb6d

SHA512
010250b80239afcac8e5a94a21d8058a4a4f9875b82870af35632f59decd9403faf42d14cbb01cd489ef91be436e88d350196c541198c3d4bfbee859b18e78fb

Download Submit
memory/2568-2-0x00007FFE9F780000-0x00007FFEA0241000-memory.dmp

Filesize
10.8MB

Download
memory/2568-1-0x00007FFE9F783000-0x00007FFE9F785000-memory.dmp

Filesize
8KB

Download
memory/2568-0-0x0000000000EE0000-0x0000000000EFA000-memory.dmp

Filesize
104KB

Download
memory/2568-550-0x00007FFE9F780000-0x00007FFEA0241000-memory.dmp

Filesize
10.8MB

Download
memory/4840-20-0x000001F620740000-0x000001F620762000-memory.dmp

Filesize
136KB

Download