hakbit | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

12/09/2024, 02:23 UTC

240912-cvfznswere 10

04/09/2024, 00:09 UTC

240904-afvheascla 10

03/09/2024, 18:57 UTC

240903-xl8csavfrb 10

03/09/2024, 18:12 UTC

240903-ws828asgnm 10

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 18:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/Client-2.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access discovery evasion execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below potentialenergy@mail.ru Key Identifier: hA77nLfPPbuMRnnA2MYS9SYAbMXyM6RI42BYiVLXD1gkx7YGX2ZdT18qJSBMJkteSU+aIXn2ho+omZPP9JAY30/QHx7dVSOUPciroLiz+F2xCLJ4lghTVNPw24EmCp+oOWvbpqNYJxGd7yvfQCvp8QUC3X8mjPPp11JOwz1YYli6guniqd1SDDSt3jggS9ipQmP+ggkwsnXRwGRNtOwNTznWDY4QylK9GyfknA51SBxLAj+QBsZJesQ2f+myQf+X2GPjYTby8/IaujyjjSlf5Ht4YqvqIMMY6XIxlxMZuXo/XTc5O/Nn8Et8Z+VfZjC5uomiwmKjbHkXUFYx637dK7QxUMAOqQVmt9Xn9JyZmy0bbE7FnpHdEeZHCvlgB2Irnne3nAMHi1e3T0CIk9v316AY8MIybweqhLgP7dlydbqPnn4odKvWE164PcppWeIcx7cAbvdGr+QvqoDtQA4b3Ne299sW2cWLpEADlMSjxYpz9uLV6KtAmr0QvFXakQZPzPWHK0cIn63K2lrF5c4K6zJhm0oRwk/oinJy5SwVLTIsKSFttqFv7xM6Z/VlK98f19tm0Zcl3GAvghDR4p2ilIguzJn67dKSsW4mPwcATQIr9dTqkQ/O0oct8efOSl/TaskvcoSiFRYI2/hEgc8xgmYUiHnOQjB/VNUXEBupiq4= Number of files that were processed is: 425

Emails

potentialenergy@mail.ru

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Client-2.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	Client-2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2776	sc.exe
2592	sc.exe
4952	sc.exe
3428	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7068	cmd.exe
7148	PING.EXE

Kills process with taskkill 47 IoCs

evasion

pid	Process
3836	taskkill.exe
2792	taskkill.exe
1980	taskkill.exe
1956	taskkill.exe
2684	taskkill.exe
2412	taskkill.exe
5048	taskkill.exe
3144	taskkill.exe
1388	taskkill.exe
4420	taskkill.exe
228	taskkill.exe
4764	taskkill.exe
4664	taskkill.exe
1948	taskkill.exe
2244	taskkill.exe
2840	taskkill.exe
2296	taskkill.exe
1152	taskkill.exe
3556	taskkill.exe
3044	taskkill.exe
3948	taskkill.exe
1464	taskkill.exe
2844	taskkill.exe
4108	taskkill.exe
1896	taskkill.exe
4804	taskkill.exe
4600	taskkill.exe
2628	taskkill.exe
2252	taskkill.exe
1880	taskkill.exe
824	taskkill.exe
220	taskkill.exe
5028	taskkill.exe
4800	taskkill.exe
2584	taskkill.exe
1836	taskkill.exe
3844	taskkill.exe
3592	taskkill.exe
2804	taskkill.exe
920	taskkill.exe
556	taskkill.exe
532	taskkill.exe
3700	taskkill.exe
3212	taskkill.exe
3028	taskkill.exe
1456	taskkill.exe
2512	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
7032	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
7148	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe
3256	Client-2.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	Client-2.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	4108	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	4664	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	5048	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	3212	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	3836	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	2704	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3256	Client-2.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3256	Client-2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 2592	3256	Client-2.exe	83
PID 3256 wrote to memory of 2592	3256	Client-2.exe	83
PID 3256 wrote to memory of 3616	3256	Client-2.exe	84
PID 3256 wrote to memory of 3616	3256	Client-2.exe	84
PID 3256 wrote to memory of 2776	3256	Client-2.exe	86
PID 3256 wrote to memory of 2776	3256	Client-2.exe	86
PID 3256 wrote to memory of 3428	3256	Client-2.exe	87
PID 3256 wrote to memory of 3428	3256	Client-2.exe	87
PID 3256 wrote to memory of 4952	3256	Client-2.exe	88
PID 3256 wrote to memory of 4952	3256	Client-2.exe	88
PID 3256 wrote to memory of 920	3256	Client-2.exe	93
PID 3256 wrote to memory of 920	3256	Client-2.exe	93
PID 3256 wrote to memory of 4420	3256	Client-2.exe	94
PID 3256 wrote to memory of 4420	3256	Client-2.exe	94
PID 3256 wrote to memory of 2512	3256	Client-2.exe	95
PID 3256 wrote to memory of 2512	3256	Client-2.exe	95
PID 3256 wrote to memory of 2684	3256	Client-2.exe	96
PID 3256 wrote to memory of 2684	3256	Client-2.exe	96
PID 3256 wrote to memory of 1896	3256	Client-2.exe	97
PID 3256 wrote to memory of 1896	3256	Client-2.exe	97
PID 3256 wrote to memory of 1956	3256	Client-2.exe	98
PID 3256 wrote to memory of 1956	3256	Client-2.exe	98
PID 3256 wrote to memory of 4108	3256	Client-2.exe	99
PID 3256 wrote to memory of 4108	3256	Client-2.exe	99
PID 3256 wrote to memory of 4764	3256	Client-2.exe	100
PID 3256 wrote to memory of 4764	3256	Client-2.exe	100
PID 3256 wrote to memory of 5028	3256	Client-2.exe	101
PID 3256 wrote to memory of 5028	3256	Client-2.exe	101
PID 3256 wrote to memory of 228	3256	Client-2.exe	102
PID 3256 wrote to memory of 228	3256	Client-2.exe	102
PID 3256 wrote to memory of 3948	3256	Client-2.exe	103
PID 3256 wrote to memory of 3948	3256	Client-2.exe	103
PID 3256 wrote to memory of 220	3256	Client-2.exe	104
PID 3256 wrote to memory of 220	3256	Client-2.exe	104
PID 3256 wrote to memory of 824	3256	Client-2.exe	105
PID 3256 wrote to memory of 824	3256	Client-2.exe	105
PID 3256 wrote to memory of 1880	3256	Client-2.exe	106
PID 3256 wrote to memory of 1880	3256	Client-2.exe	106
PID 3256 wrote to memory of 2628	3256	Client-2.exe	107
PID 3256 wrote to memory of 2628	3256	Client-2.exe	107
PID 3256 wrote to memory of 1464	3256	Client-2.exe	108
PID 3256 wrote to memory of 1464	3256	Client-2.exe	108
PID 3256 wrote to memory of 4804	3256	Client-2.exe	109
PID 3256 wrote to memory of 4804	3256	Client-2.exe	109
PID 3256 wrote to memory of 556	3256	Client-2.exe	110
PID 3256 wrote to memory of 556	3256	Client-2.exe	110
PID 3256 wrote to memory of 2412	3256	Client-2.exe	111
PID 3256 wrote to memory of 2412	3256	Client-2.exe	111
PID 3256 wrote to memory of 4600	3256	Client-2.exe	112
PID 3256 wrote to memory of 4600	3256	Client-2.exe	112
PID 3256 wrote to memory of 4800	3256	Client-2.exe	113
PID 3256 wrote to memory of 4800	3256	Client-2.exe	113
PID 3256 wrote to memory of 2244	3256	Client-2.exe	114
PID 3256 wrote to memory of 2244	3256	Client-2.exe	114
PID 3256 wrote to memory of 3044	3256	Client-2.exe	121
PID 3256 wrote to memory of 3044	3256	Client-2.exe	121
PID 3256 wrote to memory of 2804	3256	Client-2.exe	133
PID 3256 wrote to memory of 2804	3256	Client-2.exe	133
PID 3256 wrote to memory of 1456	3256	Client-2.exe	135
PID 3256 wrote to memory of 1456	3256	Client-2.exe	135
PID 3256 wrote to memory of 1948	3256	Client-2.exe	136
PID 3256 wrote to memory of 1948	3256	Client-2.exe	136
PID 3256 wrote to memory of 2584	3256	Client-2.exe	137
PID 3256 wrote to memory of 2584	3256	Client-2.exe	137

C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:2592
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:3616
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:2776
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:3428
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4952
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:7032
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7068
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:7148
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:4128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
  2⤵
  PID:7092
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6964

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

35.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.56.20.217.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR
DNS

44.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

44.56.20.217.in-addr.arpa

IN PTR

Response
DNS

37.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

37.56.20.217.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

35.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

35.56.20.217.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

216 B
158 B
3
1

DNS Request

171.39.242.20.in-addr.arpa

DNS Request

171.39.242.20.in-addr.arpa

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

44.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

44.56.20.217.in-addr.arpa
8.8.8.8:53

37.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

37.56.20.217.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
dc36170b34e3fdcab6be91acd997c371

SHA1
07737dc3fcd8fde52d06a7ce8004702febed4276

SHA256
2b7cd2d63d69beb3bbc1cf6591f6efe53b20815fb6867699ad78d91ca2642621

SHA512
8446b08a0638c87d428c080e4e4d25a3ddaefbb225b2326dda88472589c98f013d759eb63f8fb427cec38b01e9aac882af41a1161dba1b56165e7d3029d43f72

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
d6eaa359a104cb29a999f07f2a1abc77

SHA1
62b1ba4e3918db688447711ba51bd05d92f5c7c1

SHA256
af6af71f25dba7c0425eed752be54c89d84b30285007e76ea47ec19fef88299a

SHA512
82deeb8df7442e4e2a07085b30efe49cee83901ddfe029e54a496dac74bb4738f07941f0fc7fb54de7e6f83d0da694254683beaa0e84725092e48c96b2244890

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[potentialenergy@mail.ru]

Filesize
728KB

MD5
a2dfce841a5574b2fa8e0b98fb475d85

SHA1
bb5291617e838644881fe88f6484f740b1684034

SHA256
c4bb3c11918012ebbd0cd451dc4694d6b2d255bb382836224a38704579bc955f

SHA512
1fdbe3b8ac0ed005196d2b897061511c5f334451484902b1f5643ca5ba33aab46156c2c1cdba095b4730bdb61606f0f9aca69cfa266f765f0968e9b5840a47ef

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
1d11d3581a29b13ca94f4fe8937d3545

SHA1
dc2311f7a29367c6e1ed00eac7937ad376955f95

SHA256
2314e285c3ee577712f8bb64185b5306b03aac3fc3b42ac66e565686b21e4526

SHA512
9ffa7972c19ace5dc95403ad990974d945ccf9d9eed9cb9c04db990cf602c6a4a37753d81752679966f60e3fc9553f3f0aa30ef53a825c7d819a8c3070e576ee

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[potentialenergy@mail.ru]

Filesize
180KB

MD5
66299142c7849a00a930985b4fb78c65

SHA1
7fe93876fdabdb0fbb2732f14836facaf40733e0

SHA256
e5e9a1ab31a010d99bff445b5e611445da095db41ccdf120dd496c319ce2c2ad

SHA512
5ffce56466aae88a609db012a601a3b45ff4fab1ee314aeaea64ea1fb127cf49c14df8bc26b2c151796a4a7e38f802baf77f755f374561ce76e554c7e96816fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oyitfw1e.ewk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
73c184738889b61663446960844e46ff

SHA1
5525b199fe2b423bcaea60e3cc8c9d51fe4a8946

SHA256
cddd916cb30487a49af2203ce03fa235a0cb26f8cd0d57e4af52b7296c778e31

SHA512
22ea8787b21958aacf8a68f04d289aa1509914c85d5dc415c43adcca34b7b2640be2e188e48ae5ba8f7b2db57e985caef28ebdc866b0e3d3a6e7705d4cb7d69b

Download Submit
memory/2704-25-0x0000023C66EC0000-0x0000023C66EE2000-memory.dmp

Filesize
136KB

Download
memory/3256-0-0x00007FF8ADDF3000-0x00007FF8ADDF5000-memory.dmp

Filesize
8KB

Download
memory/3256-281-0x00007FF8ADDF3000-0x00007FF8ADDF5000-memory.dmp

Filesize
8KB

Download
memory/3256-296-0x00007FF8ADDF0000-0x00007FF8AE8B1000-memory.dmp

Filesize
10.8MB

Download
memory/3256-2-0x00007FF8ADDF0000-0x00007FF8AE8B1000-memory.dmp

Filesize
10.8MB

Download
memory/3256-1-0x0000000000100000-0x000000000011A000-memory.dmp

Filesize
104KB

Download
memory/3256-532-0x00007FF8ADDF0000-0x00007FF8AE8B1000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.