hakbit | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

01/03/2025, 18:55

250301-xkqrcaypx7 10

Analysis

max time kernel
150s
max time network
212s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17/01/2025, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access discovery evasion execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: ItEqJIJLCcOOloI9ko3ajk5TwMUtzOvDdcxDXWbo2PDb5wTboO2YTr1KlB44D/kFnTsn9rdqO3FL4p0iN/ZNJpk3eTVOgBblE1cO4UFvEsLKYhdmlYQWtUtOFqp9w2gHtooC8RvbKwOGt827W8zF0DwgwThTbbiz8d2iA2nYEl9jXvzZYgSZkFI3TpBnxzNHOFl5YbD1G6+AQl9BNDKIxpxOVxNIxEgDpp9424OkLamzC+2xIdhAzg372z0qJvJ3LYJUbVNiNgQl8JTT3Ani1vQKUsYyhSQRvcaYUUiYNvfIUf86AcZLvQPD3IHYWqVXeOtAx3YeRjBvnHPPVpdnTwoHt8e8dyZ1AXc+2I4O36pd75U8OotFwzZthSuMLQytLWCwv85U3gohMIwW6AQJ9PZifMzo1cKKJqDigZN47xQ5tMTlAAq8Y3W56xU3pEveQIaZsD7AllbCrXOXKuwxCIN4UP08Z9zV6VWm/IJSpEhZFl1NKOANPeAp8TxCtNvfipNa2pd+u+jM0ne/xH6l1jyJ8bSYZhf6fcHODWtXYFBtYixTZfrBAvsgoru9b0HpAxGkPJCGi/AlZjXYupzKgnnBIttJzkoqzy1oky6P2oAy3Yrao9/VbHoupGhXM7NZEIPDDjxq1kMYwCyERxa2IsbycUAAaX5p+HqAVoqzLa4= Number of files that were processed is: 418

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1724	sc.exe
2428	sc.exe
2704	sc.exe
4004	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3240	cmd.exe
4360	PING.EXE

Kills process with taskkill 47 IoCs

evasion

pid	Process
2100	taskkill.exe
4404	taskkill.exe
4260	taskkill.exe
3840	taskkill.exe
4704	taskkill.exe
4596	taskkill.exe
2708	taskkill.exe
5092	taskkill.exe
4160	taskkill.exe
1016	taskkill.exe
4856	taskkill.exe
4636	taskkill.exe
4040	taskkill.exe
4680	taskkill.exe
1652	taskkill.exe
3672	taskkill.exe
4064	taskkill.exe
4756	taskkill.exe
2616	taskkill.exe
2500	taskkill.exe
4716	taskkill.exe
4780	taskkill.exe
2060	taskkill.exe
2848	taskkill.exe
1852	taskkill.exe
692	taskkill.exe
4032	taskkill.exe
2316	taskkill.exe
812	taskkill.exe
2244	taskkill.exe
4116	taskkill.exe
4200	taskkill.exe
4556	taskkill.exe
1888	taskkill.exe
4800	taskkill.exe
4564	taskkill.exe
760	taskkill.exe
3636	taskkill.exe
3136	taskkill.exe
4916	taskkill.exe
3300	taskkill.exe
2400	taskkill.exe
4348	taskkill.exe
3152	taskkill.exe
376	taskkill.exe
3044	taskkill.exe
988	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
6004	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4360	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4556	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	3152	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	4404	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	4040	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	3300	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	3840	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	3672	taskkill.exe
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	3576	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 1724	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 556 wrote to memory of 1724	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 556 wrote to memory of 2428	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 556 wrote to memory of 2428	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 556 wrote to memory of 4004	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 556 wrote to memory of 4004	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 556 wrote to memory of 2704	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 556 wrote to memory of 2704	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 556 wrote to memory of 4800	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 556 wrote to memory of 4800	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 556 wrote to memory of 4260	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 556 wrote to memory of 4260	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 556 wrote to memory of 4404	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 556 wrote to memory of 4404	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 556 wrote to memory of 2100	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 556 wrote to memory of 2100	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 556 wrote to memory of 2500	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 556 wrote to memory of 2500	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 556 wrote to memory of 2616	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 556 wrote to memory of 2616	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 556 wrote to memory of 3044	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 556 wrote to memory of 3044	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 556 wrote to memory of 2244	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 556 wrote to memory of 2244	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 556 wrote to memory of 5092	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 556 wrote to memory of 5092	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 556 wrote to memory of 2400	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 556 wrote to memory of 2400	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 556 wrote to memory of 692	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 556 wrote to memory of 692	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 556 wrote to memory of 4756	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 556 wrote to memory of 4756	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 556 wrote to memory of 1852	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 556 wrote to memory of 1852	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 556 wrote to memory of 3152	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 556 wrote to memory of 3152	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 556 wrote to memory of 3300	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 556 wrote to memory of 3300	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 556 wrote to memory of 4040	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 556 wrote to memory of 4040	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 556 wrote to memory of 2708	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 556 wrote to memory of 2708	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 556 wrote to memory of 4596	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 556 wrote to memory of 4596	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 556 wrote to memory of 4032	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 556 wrote to memory of 4032	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 556 wrote to memory of 3496	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 556 wrote to memory of 3496	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 556 wrote to memory of 1888	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 556 wrote to memory of 1888	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 556 wrote to memory of 4704	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 556 wrote to memory of 4704	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 556 wrote to memory of 2848	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129
PID 556 wrote to memory of 2848	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129
PID 556 wrote to memory of 812	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130
PID 556 wrote to memory of 812	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130
PID 556 wrote to memory of 2060	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	131
PID 556 wrote to memory of 2060	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	131
PID 556 wrote to memory of 3136	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	132
PID 556 wrote to memory of 3136	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	132
PID 556 wrote to memory of 4780	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	133
PID 556 wrote to memory of 4780	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	133
PID 556 wrote to memory of 4556	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	134
PID 556 wrote to memory of 4556	556	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	134

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:1724
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:4004
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3300
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:3496
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3840
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:6004
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3240
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4360
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:2564
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
4ed3c658cc0f879bc4afef979f86b481

SHA1
bcbffcf448316aa060710110214d08d66737ee63

SHA256
9389ff215dfc3f46816dbbf41fbf9f3d939ba8606061630e118a19633a6aee3e

SHA512
593058e7267013452c342be867db5416a4f4106549aad7f3023115cbf39587cb6c55dad30f73ca8d036712df24e3052c148f229e3ff58f79efa7d57e1f034f11

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
6d53758495f19d6bea057c7bdd94833c

SHA1
a3d3a656465e126299631f3e7e2f2c0ff370abc8

SHA256
db0c241ca3f084342a575792fc78f1aab32a53c1dc346fdc28c4f7c788fb79d9

SHA512
a04573ab493154fbde01d47ef6d38a313dbbfe3da7b854cc623a45cd4dbe927a801f2e79e24d699567ca3f8dfd68d529740965ae68da76cefeb9b67554b8a9f6

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
4fe7d9ec77c61648aa3f9d990a3f5b16

SHA1
6f4c5e9101542f5c08f7b450eb646ec90281a5ea

SHA256
0a7cbf4f9c7c80104a62dff7c1ed20ece88bd7808c73204bdf5c09a1236b9f24

SHA512
2d2fd10090b893f7c4b9e8c583d57cf07d83060865b500b9c7be0ce79bfff5c16ffb2e4c793cb2eb35581fcb4084414b85c919210feab783c993afe8a6fc41f9

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
2ad65fee9259e22edd42531288f0e2f4

SHA1
729378b56f9375b195d2b10531aaea4930928c90

SHA256
cdcfe7bf261d4e515806df5869997316fc8c9260877c2bef6712962c35712a9b

SHA512
c68234622e7a2e0d3e3e27e9e88f6ddb4b041a6a20221c6f9e7afd3f0a6d4e6c19dfa77e06fffa6753caf8b15eaceb9262b7ca9097f331117609af0c72469501

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
a4ec787881830ec99d659a3a6d275d51

SHA1
f39aeb3f1774fc665083d40f6b42c00de45bf10c

SHA256
4f9f2750c8fe5dbe4c5f36bf40638cc7d2bce1652b0b285b9666480e8ecbfeb5

SHA512
f9feb6447e24825cb57856d8e16dba4d9fe04e5b5f6df1c4b9f7a74e123b2c111d57be2a6b9d7e7268b570cfb4fd9f4847254ee0841331f5a794e54211e0c9ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e30544e6d048b2c1c6129c89835c16dd

SHA1
21d167ff64825d3f8a5c351c3160b670dc14cb60

SHA256
df0fcfba7ccb03bac0ccf6941f9cc512937fdc63035a2fedc78aa9a82c1d8af1

SHA512
fcfc1e2b4110286dc8ede8caab34ea309e24fa6deb225213ab0e5b2d6499cc195e65dde2e125bca3ef5d5b5f4fdda66a1e4429cf2ea1c3df0ba92142342dfd9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
732302aa425042c6ef1207597c2b38a2

SHA1
03cba957317675135575f83a18069f9548050907

SHA256
7637b3892ff330b12e7e5eeac7e625b77ce60c013ff45799e4617c1817e26785

SHA512
5cd905b3a8e553dbcb6ef662097215f5275a7f2fb7e1486eeeed8b7b0bf894a88607e5768169eece65f04e89a6e85deea8706a46b00a1be78f8e221878788b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fqnpbfr5.weg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
2c9e83e38e1d14e6983dbace72082856

SHA1
e4b70aafd442ad99e841a64306c22b1875422ff5

SHA256
56cbe293ec0d9b21a14fb3fa07ecdcb9dd6618758fe510dac5ba59f595488a68

SHA512
1c11f431018921764a230b73abdc68c84ee2f5986c67e7b42446115b4fb74f6512c92adde393a46210381b6b093fd33e2f1ef3cac535faea0a5da0c9d9e6dbac

Download Submit
memory/556-0-0x00007FF992613000-0x00007FF992615000-memory.dmp

Filesize
8KB

Download
memory/556-3-0x00007FF992610000-0x00007FF9930D2000-memory.dmp

Filesize
10.8MB

Download
memory/556-329-0x00007FF992613000-0x00007FF992615000-memory.dmp

Filesize
8KB

Download
memory/556-349-0x00007FF992610000-0x00007FF9930D2000-memory.dmp

Filesize
10.8MB

Download
memory/556-1-0x00000000004E0000-0x00000000004FA000-memory.dmp

Filesize
104KB

Download
memory/556-531-0x00007FF992610000-0x00007FF9930D2000-memory.dmp

Filesize
10.8MB

Download
memory/3576-26-0x00000226B4830000-0x00000226B4852000-memory.dmp

Filesize
136KB

Download