hakbit | 1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit evasion execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: wfdgq07KJVBU0DWb72HnxWfyP/FrOzrqd71m7dNeyO/dqc2S+0zzCcjvNx/DNhZ8FR9krJi1gkrTUdOqQYWi9nauzQumhlF6EnLMyyyPV8MnoFsHj9b1iaoVcdbOenaJBDD/ePC7jm9b+GGKpaFo5z9n0hi8emWBVjWtVR3b9rm204NheqVMdPF0KEa5MiHW1ws71+CaCWrnTcpP1JsvrorKia3Wq34Ru58u0Hy5wOQEJE2UOMH136hkT6H8GIX4kCpovmhlR1xFSstBxALksxcgTizDLEZds9HK+YGWUH4cfbQFxaTP4QsZpsmGVS85mW9XKqjYkD7fUmTQEpI0DMzrm2XSzkk8JfV5/GdMVzd6711IHBEBXgUswr2vCyDD7buVKziQ3XrZA3EiK2RBWvXSjkCFb4138fcTpNdA5aZ78E39ShqD+Wi5UI92msnLsK2Us/hiPQ+sZmJNq3vol0q0hFRVvPEeIfdkfWBzojzmg3zRTBqqhaB1xfGvyjq7t5BLfNHHhwPRe7Io8uGCm8YLTFP2pI8rB2V+Gnd8d6auI8s7gKE6/NMo29OZKSfc0HxKP6Pzte7iMJJlM/LXPOTyiZNnB5VCaViekCjO8i77PZc7CxE981gX0Fahe13h//SsjmZh2KXo+4m6dwgDqCVkjmMPy+YrkGHRnxIcqVA= Number of files that were processed is: 436

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2208	sc.exe
4824	sc.exe
4060	sc.exe
1136	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 47 IoCs

evasion

pid	Process
1640	taskkill.exe
4596	taskkill.exe
4812	taskkill.exe
1160	taskkill.exe
3104	taskkill.exe
2236	taskkill.exe
4540	taskkill.exe
4724	taskkill.exe
724	taskkill.exe
3504	taskkill.exe
2636	taskkill.exe
3440	taskkill.exe
4888	taskkill.exe
5016	taskkill.exe
3644	taskkill.exe
2472	taskkill.exe
2316	taskkill.exe
2428	taskkill.exe
860	taskkill.exe
980	taskkill.exe
4072	taskkill.exe
4920	taskkill.exe
1388	taskkill.exe
544	taskkill.exe
1696	taskkill.exe
4808	taskkill.exe
4036	taskkill.exe
2128	taskkill.exe
1820	taskkill.exe
4632	taskkill.exe
4308	taskkill.exe
4288	taskkill.exe
3792	taskkill.exe
3660	taskkill.exe
1064	taskkill.exe
4628	taskkill.exe
4732	taskkill.exe
1032	taskkill.exe
4240	taskkill.exe
2444	taskkill.exe
744	taskkill.exe
916	taskkill.exe
5064	taskkill.exe
1432	taskkill.exe
4188	taskkill.exe
2372	taskkill.exe
2688	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
6100	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3024	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	2444	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	3104	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	724	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	4036	taskkill.exe
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	744	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	3504	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	4188	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	4888	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1136	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 1992 wrote to memory of 1136	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 1992 wrote to memory of 4060	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 1992 wrote to memory of 4060	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 1992 wrote to memory of 4824	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 1992 wrote to memory of 4824	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 1992 wrote to memory of 2208	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 1992 wrote to memory of 2208	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 1992 wrote to memory of 4288	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 1992 wrote to memory of 4288	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 1992 wrote to memory of 4920	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 1992 wrote to memory of 4920	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 1992 wrote to memory of 1160	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 1992 wrote to memory of 1160	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 1992 wrote to memory of 3104	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 1992 wrote to memory of 3104	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 1992 wrote to memory of 544	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 1992 wrote to memory of 544	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 1992 wrote to memory of 2688	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 1992 wrote to memory of 2688	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 1992 wrote to memory of 4308	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 1992 wrote to memory of 4308	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 1992 wrote to memory of 2444	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 1992 wrote to memory of 2444	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 1992 wrote to memory of 1032	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 1992 wrote to memory of 1032	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 1992 wrote to memory of 2472	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 1992 wrote to memory of 2472	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 1992 wrote to memory of 2636	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 1992 wrote to memory of 2636	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 1992 wrote to memory of 5064	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 1992 wrote to memory of 5064	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 1992 wrote to memory of 3792	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 1992 wrote to memory of 3792	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 1992 wrote to memory of 1696	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 1992 wrote to memory of 1696	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 1992 wrote to memory of 916	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 1992 wrote to memory of 916	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 1992 wrote to memory of 744	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 1992 wrote to memory of 744	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 1992 wrote to memory of 4072	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 1992 wrote to memory of 4072	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 1992 wrote to memory of 4088	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	115
PID 1992 wrote to memory of 4088	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	115
PID 1992 wrote to memory of 1388	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 1992 wrote to memory of 1388	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 1992 wrote to memory of 3644	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 1992 wrote to memory of 3644	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 1992 wrote to memory of 4632	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 1992 wrote to memory of 4632	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 1992 wrote to memory of 980	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	123
PID 1992 wrote to memory of 980	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	123
PID 1992 wrote to memory of 4240	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 1992 wrote to memory of 4240	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 1992 wrote to memory of 5016	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	125
PID 1992 wrote to memory of 5016	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	125
PID 1992 wrote to memory of 3504	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	126
PID 1992 wrote to memory of 3504	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	126
PID 1992 wrote to memory of 4732	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 1992 wrote to memory of 4732	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 1992 wrote to memory of 4812	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 1992 wrote to memory of 4812	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 1992 wrote to memory of 4628	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129
PID 1992 wrote to memory of 4628	1992	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:1136
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:4060
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:4824
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4920
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:4088
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:980
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4188
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:724
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:6100
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2832
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3024
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:4092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:1144
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
5c458842d7a6cdda1c11167dca5ff0b6

SHA1
9488e3566690bb859863cc2bb840dd7e0519bb7a

SHA256
3251398673be2b4e28082e1f0e89f4459d9bc3d59a19d6b2afff7c496c98f37b

SHA512
28da86dfc3af67925f2d54acea71234f20d2d401c982498d7e7d5d515784e278e030b5108d48d99ab3dbcf6e41398a88063e2f607c1e7646eee7643f02338d62

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
7b29e595473958e5eb7f7ee8e934f87d

SHA1
c928bba36fb93fb0410b229e4ea3fbea9fa81696

SHA256
c8a0328f7b60951d86a4d61060cd72ba342337de621032e61a60e2d5416add14

SHA512
9e094c4314498b128f5abc7684923a5a21bb28602204302f3a6bb8c341071e7400a9274d1d958e6f0477c7af04e3ef486d8f9601e9d8ebfa9fcf8fdf6cdcbeeb

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
bb8572e8bc2360070e3f803fb1bef59c

SHA1
36a40108586f157dc9e8ada426c8fd9c485c5855

SHA256
206df6c8370602b344b3c3bd054c9b4b8df21eb5399b8a8c40ecb8ea6476db8c

SHA512
34551b4ddbaa909f56e2646e9816b612091d5d1af9a5973b5f09aa0adf868d6fed056c9f4eedd26fc271de40fbb7b3f1c6f799da6584e0eac8a48211742728ce

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
c8773c8b1f1f0731819173baa02771da

SHA1
d10f778e757d708e532e6b9a0c8d123198a6e0fc

SHA256
a80a2bd569e49c9d2af8b9f2ac95255237751a60670f538ce89b0f2674cb4714

SHA512
69cf0b9e9ac153d082001558334ba9ddc12c996f0f0960f7b960c649fce448d806fa456846b59acb5745e14086a70aca5b44e571f6c784164493c5d5703b9fa1

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
742e49a408808af7a55b53938b3bb5f5

SHA1
e446f9394d74205b3c19d92b601cdde611f8ad09

SHA256
bc6ae97194a6db53c7a4ef23a2d92cb342c1ca6909b5bd020d6000224cac96fe

SHA512
209449f37c188501e0b9e12127547ebab27d5a4d1b4875840d9024160f64e6d0880209e32c90ac66304893cff95b6035a589b9765da4cdeb0d8ba984e3905072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4i3vbhzg.sfk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
5d0c83f5a1d6948c69249172deb73193

SHA1
7c7b0f7c777367b5c7ac0265cd31028d962be88e

SHA256
0ef6bab030ce14d9f97931a1c1dad44932414a2fa51974e5ad67e4dc711f90b5

SHA512
4b69ebc36857478189e5c9f376d94bfdc00fc402d2fc2b77031dd0ec7b6ee1059344f404efa388b771fc6a21b51959edc2570a2cc00b0e39e3e54933e7ba4d15

Download Submit
memory/1384-14-0x0000020CC1430000-0x0000020CC1452000-memory.dmp

Filesize
136KB

Download
memory/1992-0-0x0000000000F60000-0x0000000000F7A000-memory.dmp

Filesize
104KB

Download
memory/1992-2-0x00007FFBFD2C0000-0x00007FFBFDD81000-memory.dmp

Filesize
10.8MB

Download
memory/1992-1-0x00007FFBFD2C3000-0x00007FFBFD2C5000-memory.dmp

Filesize
8KB

Download
memory/1992-548-0x00007FFBFD2C0000-0x00007FFBFDD81000-memory.dmp

Filesize
10.8MB

Download