Overview
overview
10Static
static
10Archive.zip
windows10-1703-x64
1Dropper/Berbew.exe
windows10-1703-x64
10Dropper/Phorphiex.exe
windows10-1703-x64
10out.exe
windows10-1703-x64
3RAT/31.exe
windows10-1703-x64
10RAT/XClient.exe
windows10-1703-x64
10RAT/file.exe
windows10-1703-x64
7Ransomware...-2.exe
windows10-1703-x64
10Ransomware...01.exe
windows10-1703-x64
10Ransomware...lt.exe
windows10-1703-x64
10Stealers/Azorult.exe
windows10-1703-x64
10Stealers/B...on.exe
windows10-1703-x64
10Stealers/Dridex.dll
windows10-1703-x64
10Stealers/M..._2.exe
windows10-1703-x64
10Stealers/lumma.exe
windows10-1703-x64
10Trojan/BetaBot.exe
windows10-1703-x64
10Trojan/Smo...er.exe
windows10-1703-x64
10Resubmissions
12-09-2024 02:23
240912-cvfznswere 1004-09-2024 00:09
240904-afvheascla 1003-09-2024 18:57
240903-xl8csavfrb 1003-09-2024 18:12
240903-ws828asgnm 10Analysis
-
max time kernel
440s -
max time network
1583s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system -
submitted
04-09-2024 00:09
Behavioral task
behavioral1
Sample
Archive.zip
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Dropper/Berbew.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Dropper/Phorphiex.exe
Resource
win10-20240611-en
Behavioral task
behavioral4
Sample
out.exe
Resource
win10-20240404-en
Behavioral task
behavioral5
Sample
RAT/31.exe
Resource
win10-20240404-en
Behavioral task
behavioral6
Sample
RAT/XClient.exe
Resource
win10-20240404-en
Behavioral task
behavioral7
Sample
RAT/file.exe
Resource
win10-20240404-en
Behavioral task
behavioral8
Sample
Ransomware/Client-2.exe
Resource
win10-20240611-en
Behavioral task
behavioral9
Sample
Ransomware/criticalupdate01.exe
Resource
win10-20240404-en
Behavioral task
behavioral10
Sample
Ransomware/default.exe
Resource
win10-20240404-en
Behavioral task
behavioral11
Sample
Stealers/Azorult.exe
Resource
win10-20240404-en
Behavioral task
behavioral12
Sample
Stealers/BlackMoon.exe
Resource
win10-20240611-en
Behavioral task
behavioral13
Sample
Stealers/Dridex.dll
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win10-20240611-en
Behavioral task
behavioral15
Sample
Stealers/lumma.exe
Resource
win10-20240404-en
Behavioral task
behavioral16
Sample
Trojan/BetaBot.exe
Resource
win10-20240404-en
Behavioral task
behavioral17
Sample
Trojan/SmokeLoader.exe
Resource
win10-20240404-en
General
-
Target
Ransomware/Client-2.exe
-
Size
80KB
-
MD5
8152a3d0d76f7e968597f4f834fdfa9d
-
SHA1
c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
-
SHA256
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
-
SHA512
eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
-
SSDEEP
1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0
Malware Config
Extracted
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
hakbit
Signatures
-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk Client-2.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 544 sc.exe 3236 sc.exe 5036 sc.exe 4388 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4248 cmd.exe 5248 PING.EXE -
Kills process with taskkill 47 IoCs
pid Process 1224 taskkill.exe 2916 taskkill.exe 3196 taskkill.exe 32 taskkill.exe 4600 taskkill.exe 2196 taskkill.exe 4440 taskkill.exe 4032 taskkill.exe 1704 taskkill.exe 2152 taskkill.exe 5028 taskkill.exe 4448 taskkill.exe 2956 taskkill.exe 5032 taskkill.exe 5000 taskkill.exe 4080 taskkill.exe 2296 taskkill.exe 340 taskkill.exe 220 taskkill.exe 388 taskkill.exe 3092 taskkill.exe 208 taskkill.exe 1924 taskkill.exe 3724 taskkill.exe 3904 taskkill.exe 4576 taskkill.exe 1836 taskkill.exe 1792 taskkill.exe 1232 taskkill.exe 1980 taskkill.exe 1384 taskkill.exe 4644 taskkill.exe 2444 taskkill.exe 3412 taskkill.exe 164 taskkill.exe 3716 taskkill.exe 4980 taskkill.exe 4768 taskkill.exe 1456 taskkill.exe 4688 taskkill.exe 2456 taskkill.exe 4428 taskkill.exe 5004 taskkill.exe 460 taskkill.exe 5080 taskkill.exe 3328 taskkill.exe 2304 taskkill.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2164 notepad.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5248 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe 5020 Client-2.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 5020 Client-2.exe Token: SeDebugPrivilege 4980 taskkill.exe Token: SeDebugPrivilege 5004 taskkill.exe Token: SeDebugPrivilege 1384 taskkill.exe Token: SeDebugPrivilege 4644 taskkill.exe Token: SeDebugPrivilege 1704 taskkill.exe Token: SeDebugPrivilege 2456 taskkill.exe Token: SeDebugPrivilege 5080 taskkill.exe Token: SeDebugPrivilege 3904 taskkill.exe Token: SeDebugPrivilege 164 taskkill.exe Token: SeDebugPrivilege 340 taskkill.exe Token: SeDebugPrivilege 3716 taskkill.exe Token: SeDebugPrivilege 3724 taskkill.exe Token: SeDebugPrivilege 208 taskkill.exe Token: SeDebugPrivilege 4448 taskkill.exe Token: SeDebugPrivilege 1232 taskkill.exe Token: SeDebugPrivilege 3412 taskkill.exe Token: SeDebugPrivilege 1456 taskkill.exe Token: SeDebugPrivilege 3328 taskkill.exe Token: SeDebugPrivilege 2304 taskkill.exe Token: SeDebugPrivilege 4032 taskkill.exe Token: SeDebugPrivilege 220 taskkill.exe Token: SeDebugPrivilege 4440 taskkill.exe Token: SeDebugPrivilege 4576 taskkill.exe Token: SeDebugPrivilege 2916 taskkill.exe Token: SeDebugPrivilege 1224 taskkill.exe Token: SeDebugPrivilege 2196 taskkill.exe Token: SeDebugPrivilege 2444 taskkill.exe Token: SeDebugPrivilege 4428 taskkill.exe Token: SeDebugPrivilege 4628 powershell.exe Token: SeDebugPrivilege 1792 taskkill.exe Token: SeDebugPrivilege 5032 taskkill.exe Token: SeDebugPrivilege 1980 taskkill.exe Token: SeDebugPrivilege 5000 taskkill.exe Token: SeDebugPrivilege 3092 taskkill.exe Token: SeDebugPrivilege 4080 taskkill.exe Token: SeDebugPrivilege 1836 taskkill.exe Token: SeDebugPrivilege 460 taskkill.exe Token: SeDebugPrivilege 1924 taskkill.exe Token: SeDebugPrivilege 4600 taskkill.exe Token: SeDebugPrivilege 4688 taskkill.exe Token: SeDebugPrivilege 388 taskkill.exe Token: SeDebugPrivilege 4768 taskkill.exe Token: SeDebugPrivilege 5028 taskkill.exe Token: SeDebugPrivilege 2296 taskkill.exe Token: SeDebugPrivilege 3196 taskkill.exe Token: SeDebugPrivilege 32 taskkill.exe Token: SeDebugPrivilege 2956 taskkill.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5020 Client-2.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 5020 Client-2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5020 wrote to memory of 4388 5020 Client-2.exe 70 PID 5020 wrote to memory of 4388 5020 Client-2.exe 70 PID 5020 wrote to memory of 5036 5020 Client-2.exe 71 PID 5020 wrote to memory of 5036 5020 Client-2.exe 71 PID 5020 wrote to memory of 3236 5020 Client-2.exe 72 PID 5020 wrote to memory of 3236 5020 Client-2.exe 72 PID 5020 wrote to memory of 544 5020 Client-2.exe 73 PID 5020 wrote to memory of 544 5020 Client-2.exe 73 PID 5020 wrote to memory of 4980 5020 Client-2.exe 74 PID 5020 wrote to memory of 4980 5020 Client-2.exe 74 PID 5020 wrote to memory of 1384 5020 Client-2.exe 75 PID 5020 wrote to memory of 1384 5020 Client-2.exe 75 PID 5020 wrote to memory of 5004 5020 Client-2.exe 76 PID 5020 wrote to memory of 5004 5020 Client-2.exe 76 PID 5020 wrote to memory of 1232 5020 Client-2.exe 77 PID 5020 wrote to memory of 1232 5020 Client-2.exe 77 PID 5020 wrote to memory of 388 5020 Client-2.exe 78 PID 5020 wrote to memory of 388 5020 Client-2.exe 78 PID 5020 wrote to memory of 5000 5020 Client-2.exe 79 PID 5020 wrote to memory of 5000 5020 Client-2.exe 79 PID 5020 wrote to memory of 2916 5020 Client-2.exe 80 PID 5020 wrote to memory of 2916 5020 Client-2.exe 80 PID 5020 wrote to memory of 5032 5020 Client-2.exe 81 PID 5020 wrote to memory of 5032 5020 Client-2.exe 81 PID 5020 wrote to memory of 1980 5020 Client-2.exe 82 PID 5020 wrote to memory of 1980 5020 Client-2.exe 82 PID 5020 wrote to memory of 2956 5020 Client-2.exe 83 PID 5020 wrote to memory of 2956 5020 Client-2.exe 83 PID 5020 wrote to memory of 4428 5020 Client-2.exe 84 PID 5020 wrote to memory of 4428 5020 Client-2.exe 84 PID 5020 wrote to memory of 4440 5020 Client-2.exe 85 PID 5020 wrote to memory of 4440 5020 Client-2.exe 85 PID 5020 wrote to memory of 2304 5020 Client-2.exe 86 PID 5020 wrote to memory of 2304 5020 Client-2.exe 86 PID 5020 wrote to memory of 5028 5020 Client-2.exe 87 PID 5020 wrote to memory of 5028 5020 Client-2.exe 87 PID 5020 wrote to memory of 3328 5020 Client-2.exe 88 PID 5020 wrote to memory of 3328 5020 Client-2.exe 88 PID 5020 wrote to memory of 3724 5020 Client-2.exe 89 PID 5020 wrote to memory of 3724 5020 Client-2.exe 89 PID 5020 wrote to memory of 164 5020 Client-2.exe 90 PID 5020 wrote to memory of 164 5020 Client-2.exe 90 PID 5020 wrote to memory of 3716 5020 Client-2.exe 91 PID 5020 wrote to memory of 3716 5020 Client-2.exe 91 PID 5020 wrote to memory of 1924 5020 Client-2.exe 92 PID 5020 wrote to memory of 1924 5020 Client-2.exe 92 PID 5020 wrote to memory of 4448 5020 Client-2.exe 93 PID 5020 wrote to memory of 4448 5020 Client-2.exe 93 PID 5020 wrote to memory of 2152 5020 Client-2.exe 94 PID 5020 wrote to memory of 2152 5020 Client-2.exe 94 PID 5020 wrote to memory of 2456 5020 Client-2.exe 95 PID 5020 wrote to memory of 2456 5020 Client-2.exe 95 PID 5020 wrote to memory of 4688 5020 Client-2.exe 96 PID 5020 wrote to memory of 4688 5020 Client-2.exe 96 PID 5020 wrote to memory of 5080 5020 Client-2.exe 97 PID 5020 wrote to memory of 5080 5020 Client-2.exe 97 PID 5020 wrote to memory of 208 5020 Client-2.exe 98 PID 5020 wrote to memory of 208 5020 Client-2.exe 98 PID 5020 wrote to memory of 3412 5020 Client-2.exe 99 PID 5020 wrote to memory of 3412 5020 Client-2.exe 99 PID 5020 wrote to memory of 3092 5020 Client-2.exe 100 PID 5020 wrote to memory of 3092 5020 Client-2.exe 100 PID 5020 wrote to memory of 1792 5020 Client-2.exe 101 PID 5020 wrote to memory of 1792 5020 Client-2.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
PID:4388
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
PID:5036
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
PID:3236
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
PID:544
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1232
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:388
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5000
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4428
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4440
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3328
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3724
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:164
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3716
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
PID:2152
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4688
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5080
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3412
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3092
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:340
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4600
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:32
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2296
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4080
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:460
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3904
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4644
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4628
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵PID:560
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2164
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4248 -
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5248
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:5904
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe2⤵PID:5272
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:5396
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5496b2faafaaf3ff1528393f3dc6fa4fd
SHA1cdb2f286077c1550cb41bbb8475abb3e51aed1e3
SHA25666b67dbf3d91f5ab246bb83b4193cf1d2ce9eaab44f4f1050346c2e40023d5b4
SHA512200ceebdc174b11dd45b3dfa470105287aaecb2cff071dbe9f0d66b6eabb3a42bddab0ea76d9a60b9172cff69f2863b8eb50ca61248acfcaa92cfe2da5def297
-
C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\MasterDatastore.xml.energy[[email protected]]
Filesize272B
MD5df75b403e90db8a1210e4e1bcebd4801
SHA1e2528d118d993325cd085e5f3cdd6ef78bee057c
SHA256c8180a52346c277459a31bac9ebebd8c17f8e18dcb7244b1846ff604f78d07b5
SHA512a6cc0f1b58cf995e73aa9c1d1461884f741c7828e870ce9ff0a581b4e1b4c9ac479e878ac0accaa5bf0907ef3af305ad72d51f790ecbed93607f9982b48eaa53
-
C:\ProgramData\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\MasterDatastore.xml.energy[[email protected]]
Filesize4KB
MD55cc9c204d02aaf07332a2dce3d7b5dd3
SHA1cf723480ce602998db06896bfbbdc3775201b871
SHA256f6f4fdc55f5a2dc53351aec4e03e9b641ef825a9eab349f173c59ad444e4b5cc
SHA512b6acd29c0adce86ddfe12c077564b476b7a6a93f1720f6c2034f9f799f979a6fbebd533c4c51c9422ad1bfcca254d8e27d0be7d094f4349c297ced95e011e758
-
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\206__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]
Filesize480B
MD5e1a1d455164d1f59adbaa43110603f56
SHA1e741613fd4c6b9ef662ca926d1d24efd5bbed79f
SHA2569fc122dd31477da0ff31702b72c43d7a7af36901b31467c6e743634b85f22993
SHA512a3f86a9dec966a25ac47e5dc567ea36db97fa5e1192aa4f3c27624f1f5ea7f41c35dd2bfbf1201f6e09f9e586e56a7a9d623c8c59a93a42e8c1250f1a4e3366d
-
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]
Filesize4KB
MD5d1a5ff666db35775cc2a94ebd76b7c43
SHA14a5649d69fcc2d7d8e10c224c4c9ed092d104934
SHA2564517db13cd0912c214c8cf26bb51618ff3d3e4b7f92686b10d54cebd7fe3c19a
SHA5125860e76d377b17ce39b1c5e271a65d4e514ce4d8f5887d677a83f3172ea0b66ea6c5fb085b5b353c9f6c376849d2d0f0766b238b18f814248282fe8fd5036a5e
-
C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\625__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml.energy[[email protected]]
Filesize464B
MD53ac8009a10f10ede3dc55cf3d1cd2164
SHA15e85fe5087a09f37fd3d446965c58925dfe5e640
SHA25610a47346779085e6eddb5fd1e76ec368747d9f9776b49437ae2b14de57f37b39
SHA51238730f5a8efb1c055b8313ffb5a9f99c0c22b4587ec8529381cd936f6bad14ea179a44958977dcc091de9381b4809dc5a11c4c2fd136989eaae525c076b54dda
-
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
Filesize180KB
MD5d5ea6e994a30ddd361a562bde55e268a
SHA164e065dce749ed67d4a38ffbab81e69d52b33162
SHA2566379e5afccf987d645e259083ba55febe7bee32042c300f696ed1cd575ef0075
SHA5123275f70089095b431959159b09039d4bb54232640af03e8b80550d15559bfcef1054a958a1e0a51e5b452c854c6425ff15b5d3edd4f353ba25df25da83a8e9a8
-
Filesize
2KB
MD5b49a31b6e3a6771dbfa29b309842ef4f
SHA16b837a896a3008be212e7a3e297859b06b1d22af
SHA256066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81
SHA512804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029
-
Filesize
1KB
MD57579bd584c022e0b69d7405416bd8f76
SHA12ea8be6e547b76b33533e857fa175f706d44effd
SHA256fe3945acd804253f129cd58e63f8287bbb6426cb3ce4194ebcddbb7e9c786c74
SHA512b8564aa506a099949432c82dcf90456975914aa42e9aa2922c9d3b7432961b7ac18c716f7046207ceea4481ba5d49b131e8769b8f45622030f29ff2be0139129
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
829B
MD549c7488a8a5a2339a7c6425c4cf0f0da
SHA1926ed55656f18b98738c05d73f899b5c8850dbcd
SHA2568c3ed9f6ba52a5008ca89858a53061c58c003131061d86eddd03fe197e3ec26d
SHA512549a0eff7c02c1e29ce256aac3d91d59b31ee7abe289355f6d944aee8407217c483b1c5bf6efcbb83b6a259b077172e2851ff4bf26aeb3956c0c862090eb08c5