hakbit | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/Client-2.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access discovery evasion execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: AY6RYGOaMti1FgsHx63BzAJ/3J5kUXjoPuoNNZKz7B7FVXiY6uKLNgvNsBlbEQQvWOmO/6ZZONYw5KgVtjztdgPE26ddA9n+8v2KTjrZDC5vQOmT1ahcT9T5DOZ0BO66e63Hdjrz4WIaI0sQWq5Kcp6KLw0GWXoqB1Flkb82N47pIwA4+k07jGzwyXsE3yuwS1D5kNwTtzJi0ZAN8u/kKhnBu2jlWsV0/6Dam+v7BUEBlOxgIlDWQXEi3/ryepNAvz/NlZraavloXK74AtsU+BV6Za3RdF9aVpU3jvF88ofoLIlYQS9Y0FTBf1ewq32jxmzdGkuoBIIXbsrx7kcYB5zxmhi66t80Z/kRFGtlwUVoHPX5Pxu9nX9TD59sDYsJrEEL6wCH3zTmJt7cgAtiOVPg3ND1Na25NCE6ECz8xSJ7c1s8cGwezcvFvhzXPZ8+lAMc5E4lBq7CFO7YgYwbtm052u/tmFnoQsCFqQEsWRdn0os3Cl95KrWF4YPFRvxpXczIRS2kIYB0oKSpAKsekOTGvPoKrs3f+Xvn5hiFUO2wh9lBUg9EdshzPhLHbW+RgrNV19GkOFR+IVdeQszRxewpNbHxxwCYI1cVSCYARijJJ3OTYeFD3fZVtTD1owGx9itOD+MNlOQmLpTsVfhmuQmrSy+vXe6BmMz2A2vK7/A= Number of files that were processed is: 446

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client-2.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Client-2.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

Processes:

Client-2.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	Client-2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
472	sc.exe
2292	sc.exe
2852	sc.exe
3644	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEcmd.exe

pid	Process
2256	PING.EXE
5928	cmd.exe

Kills process with taskkill 47 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
1836	taskkill.exe
220	taskkill.exe
4344	taskkill.exe
1268	taskkill.exe
2720	taskkill.exe
720	taskkill.exe
1928	taskkill.exe
3048	taskkill.exe
5108	taskkill.exe
3020	taskkill.exe
4568	taskkill.exe
656	taskkill.exe
4512	taskkill.exe
1560	taskkill.exe
3004	taskkill.exe
4144	taskkill.exe
3184	taskkill.exe
1872	taskkill.exe
1452	taskkill.exe
212	taskkill.exe
2164	taskkill.exe
452	taskkill.exe
2264	taskkill.exe
3140	taskkill.exe
4516	taskkill.exe
3288	taskkill.exe
1164	taskkill.exe
5024	taskkill.exe
5112	taskkill.exe
1988	taskkill.exe
4804	taskkill.exe
4136	taskkill.exe
2256	taskkill.exe
4820	taskkill.exe
3028	taskkill.exe
2040	taskkill.exe
2688	taskkill.exe
3596	taskkill.exe
3344	taskkill.exe
1180	taskkill.exe
228	taskkill.exe
1132	taskkill.exe
1400	taskkill.exe
1676	taskkill.exe
4356	taskkill.exe
4808	taskkill.exe
1812	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
4868	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2256	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client-2.exe

pid	Process
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe
4652	Client-2.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

Client-2.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4652	Client-2.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	452	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	212	taskkill.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe
Token: SeDebugPrivilege	3288	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	3596	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	720	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	2236	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Client-2.exe

pid	Process
4652	Client-2.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Client-2.exe

pid	Process
4652	Client-2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-2.exe

description	pid	Process	procid_target
PID 4652 wrote to memory of 3644	4652	Client-2.exe	83
PID 4652 wrote to memory of 3644	4652	Client-2.exe	83
PID 4652 wrote to memory of 2852	4652	Client-2.exe	84
PID 4652 wrote to memory of 2852	4652	Client-2.exe	84
PID 4652 wrote to memory of 2292	4652	Client-2.exe	87
PID 4652 wrote to memory of 2292	4652	Client-2.exe	87
PID 4652 wrote to memory of 472	4652	Client-2.exe	88
PID 4652 wrote to memory of 472	4652	Client-2.exe	88
PID 4652 wrote to memory of 4344	4652	Client-2.exe	89
PID 4652 wrote to memory of 4344	4652	Client-2.exe	89
PID 4652 wrote to memory of 1812	4652	Client-2.exe	90
PID 4652 wrote to memory of 1812	4652	Client-2.exe	90
PID 4652 wrote to memory of 1928	4652	Client-2.exe	91
PID 4652 wrote to memory of 1928	4652	Client-2.exe	91
PID 4652 wrote to memory of 4804	4652	Client-2.exe	92
PID 4652 wrote to memory of 4804	4652	Client-2.exe	92
PID 4652 wrote to memory of 4512	4652	Client-2.exe	93
PID 4652 wrote to memory of 4512	4652	Client-2.exe	93
PID 4652 wrote to memory of 4808	4652	Client-2.exe	96
PID 4652 wrote to memory of 4808	4652	Client-2.exe	96
PID 4652 wrote to memory of 4352	4652	Client-2.exe	102
PID 4652 wrote to memory of 4352	4652	Client-2.exe	102
PID 4652 wrote to memory of 1872	4652	Client-2.exe	103
PID 4652 wrote to memory of 1872	4652	Client-2.exe	103
PID 4652 wrote to memory of 3344	4652	Client-2.exe	104
PID 4652 wrote to memory of 3344	4652	Client-2.exe	104
PID 4652 wrote to memory of 452	4652	Client-2.exe	105
PID 4652 wrote to memory of 452	4652	Client-2.exe	105
PID 4652 wrote to memory of 656	4652	Client-2.exe	106
PID 4652 wrote to memory of 656	4652	Client-2.exe	106
PID 4652 wrote to memory of 3596	4652	Client-2.exe	107
PID 4652 wrote to memory of 3596	4652	Client-2.exe	107
PID 4652 wrote to memory of 2688	4652	Client-2.exe	108
PID 4652 wrote to memory of 2688	4652	Client-2.exe	108
PID 4652 wrote to memory of 4568	4652	Client-2.exe	110
PID 4652 wrote to memory of 4568	4652	Client-2.exe	110
PID 4652 wrote to memory of 3020	4652	Client-2.exe	111
PID 4652 wrote to memory of 3020	4652	Client-2.exe	111
PID 4652 wrote to memory of 4356	4652	Client-2.exe	112
PID 4652 wrote to memory of 4356	4652	Client-2.exe	112
PID 4652 wrote to memory of 3140	4652	Client-2.exe	113
PID 4652 wrote to memory of 3140	4652	Client-2.exe	113
PID 4652 wrote to memory of 2164	4652	Client-2.exe	114
PID 4652 wrote to memory of 2164	4652	Client-2.exe	114
PID 4652 wrote to memory of 1676	4652	Client-2.exe	115
PID 4652 wrote to memory of 1676	4652	Client-2.exe	115
PID 4652 wrote to memory of 220	4652	Client-2.exe	116
PID 4652 wrote to memory of 220	4652	Client-2.exe	116
PID 4652 wrote to memory of 2264	4652	Client-2.exe	117
PID 4652 wrote to memory of 2264	4652	Client-2.exe	117
PID 4652 wrote to memory of 3184	4652	Client-2.exe	118
PID 4652 wrote to memory of 3184	4652	Client-2.exe	118
PID 4652 wrote to memory of 4144	4652	Client-2.exe	119
PID 4652 wrote to memory of 4144	4652	Client-2.exe	119
PID 4652 wrote to memory of 1988	4652	Client-2.exe	120
PID 4652 wrote to memory of 1988	4652	Client-2.exe	120
PID 4652 wrote to memory of 720	4652	Client-2.exe	121
PID 4652 wrote to memory of 720	4652	Client-2.exe	121
PID 4652 wrote to memory of 5112	4652	Client-2.exe	122
PID 4652 wrote to memory of 5112	4652	Client-2.exe	122
PID 4652 wrote to memory of 5024	4652	Client-2.exe	123
PID 4652 wrote to memory of 5024	4652	Client-2.exe	123
PID 4652 wrote to memory of 1400	4652	Client-2.exe	124
PID 4652 wrote to memory of 1400	4652	Client-2.exe	124

C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:3644
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:2852
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:2292
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:472
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:4352
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3184
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4868
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5928
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2256
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
  2⤵
  PID:2496
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
111045d271c9f7786619a724b0ef4c72

SHA1
4516ce11e0d33e56992bc9308692edce18413b96

SHA256
a7f6fd68b350f107f99708e09260150d2fd49cef58b4d5a52fbc1895035e37b5

SHA512
8ab0d5c1721b0b37b2d3eab3e2ead013a9e8c47bebed746555f4f9c97412971f9cfaef647b4d94f320467c216cb5ccc5255bc1de728441b4795cba698ca9431c

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
459222029c6cb46d8a267bb0399fba0b

SHA1
ca2e51c612c18d90f48596973a0eade3d2a7945a

SHA256
4033985d3f3af12444e7197dc909c3dff7805e7cfc9fc541197aefbf3235df36

SHA512
9fc56eaa058f68a2a8e5b5f6799fb16ab1d98ab941cbe9bdb4d1fb67a851db67b56037908fa5dff826d208c56d19fc2290141197548b37e9ba70c792c22246ca

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
ffb50f5b4034faa9382e25336efee21b

SHA1
8dbbf7a9a81314ec12273b365fe2cc33bcfd0808

SHA256
9938b40723a0c7068fd156dec754de1d42c4050cafd3fd96ac200c61043f1d84

SHA512
4b0d86821706ee3a8533c147322ddd90e7a65dadba3fa81f10f9df7ec97cd79899775929eb899507ed388d8bf8e36f9ae4760c4b8c5999b27e5d000477f1aed4

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
afaa15f8049bba7000ca6cef2ac89347

SHA1
a464d931327d1320a08ac7e39b83057a15cac807

SHA256
c807899b3686055a3d36d51dd3044548c56a40a5f3ce809c5c26fc3692c582ad

SHA512
42cea358c55228fde60dc7df8fd21ecb61d3cfde8232e7671334cfc8d1ae17f62ebf0d57c60732993eefd9b6e1c04dc63985761274c07ac260110eb172094927

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
ebcf40beb3fcc4dd2da39b5b4829eba9

SHA1
7ca2e1ac33e73a4981dbf3d196693eb472b4c2fa

SHA256
479789c4085db3b3fce771ef46bee0380668a5eaa5851c9d406987ccd1224414

SHA512
707396b23117d1c9c90f0a32d51894253d8fef0850d690a80f7e64eea1771b406bca5879711c9ce827c79d6597893352068e24b829dc92aebf0ca44f6e496af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uosyuhuw.kv0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
cce9bf69a4a5d2f46f9d0c6f1502c91a

SHA1
032958ff48703a4c5e6d9005ced3429306b84c82

SHA256
40487a500f6aefca8d35385649c677bb1df2f48e72f26c177745ad5e9636f034

SHA512
148a89d72bb090b28856d150c98407af45ffa8f505d0c1c0b3edf79c1ce9dc358eefc1b1c17f66a9597cc2d06e204d5e60a80d001e875167c890f9246dc1e250

Download Submit
memory/2236-12-0x0000023421B20000-0x0000023421B42000-memory.dmp

Filesize
136KB

Download
memory/4652-0-0x00007FF8A7753000-0x00007FF8A7755000-memory.dmp

Filesize
8KB

Download
memory/4652-215-0x00007FF8A7753000-0x00007FF8A7755000-memory.dmp

Filesize
8KB

Download
memory/4652-3-0x00007FF8A7750000-0x00007FF8A8211000-memory.dmp

Filesize
10.8MB

Download
memory/4652-337-0x00007FF8A7750000-0x00007FF8A8211000-memory.dmp

Filesize
10.8MB

Download
memory/4652-1-0x0000000000FF0000-0x000000000100A000-memory.dmp

Filesize
104KB

Download
memory/4652-563-0x00007FF8A7750000-0x00007FF8A8211000-memory.dmp

Filesize
10.8MB

Download