hakbit | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

17-01-2025 20:27

250117-y8gzsasjhw 10

17-01-2025 10:48

250117-mv59nsvlbr 10

14-12-2024 07:51

241214-jqcj1sxnhr 10

11-12-2024 15:39

241211-s3498stkar 10

Analysis

max time kernel
139s
max time network
128s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-01-2025 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access discovery evasion execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: JIHn5tRp0vKjIk/wYALSttdnuaNGE/8mBHuhPyZ/ie1E/4aGCxfibLuMepJkMu630yO8PkWsPwZPL05uQQ+VjaOi2ALsjTgqWXwvkXkkF9LwAJnH2d/YP6Oc5nGAdxLWfcqXtLDmkYU3fAb2GxJRkgkoVP4ccw25Axz4svfPr86CGoVwjbGMCYKY8f2iyUs1GlGzjy0jR3gn41i6YvpfV4v33wnXg8Ym3uoELvYmTctvwmr/6ehKHWYqSN4fhjvJMSBcVYQ61kuHekEpPj8DIw4U7L2hG+eq5YlIxIilFLswBJ/YYp78rSdUJ2BCHbOl7YJ8r/yh+Hl39043fyVwgnbsyVeNCC+inJ5CD8G/qCQlexDFQqD83dlzQzyCgaoAFYgwkFLqdJt4VxSq6cZ9Ke3BCMaXtk6ydoXIcxRF+zsTkbOzFjLM2S6xcwyJlESAZG9nMvyGUM3NSjL1MEectTBWVbS/dqO8TuJuQIpAMklk5gq6PoM2MJ6zXwcPxln5bhwqaQMYRtFHOC1mi/iWeTGkJGafdi3zqzGA8cCK16umE+EQFPKhtDWIRiwumqaRzp8PFCEYnbF2HGveZPejsgcZevhw6mVxxXYZCBoXAmNvTUKZYt1JqSAl9+jFleTvuGFNRRQ735rwY+46zGaJ9l+HJbDL8l/crTzpUHmYCcc= Number of files that were processed is: 444

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1944	sc.exe
4296	sc.exe
4760	sc.exe
2816	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1204	cmd.exe
6592	PING.EXE

Kills process with taskkill 47 IoCs

evasion

pid	Process
4504	taskkill.exe
2704	taskkill.exe
1760	taskkill.exe
3320	taskkill.exe
2564	taskkill.exe
4288	taskkill.exe
4736	taskkill.exe
2844	taskkill.exe
1636	taskkill.exe
4856	taskkill.exe
2892	taskkill.exe
1784	taskkill.exe
792	taskkill.exe
4864	taskkill.exe
4036	taskkill.exe
3832	taskkill.exe
4172	taskkill.exe
4392	taskkill.exe
4708	taskkill.exe
700	taskkill.exe
2800	taskkill.exe
2680	taskkill.exe
1396	taskkill.exe
2772	taskkill.exe
2828	taskkill.exe
3752	taskkill.exe
3400	taskkill.exe
5104	taskkill.exe
4624	taskkill.exe
4716	taskkill.exe
3460	taskkill.exe
2180	taskkill.exe
4748	taskkill.exe
1680	taskkill.exe
4244	taskkill.exe
1972	taskkill.exe
4732	taskkill.exe
1748	taskkill.exe
2016	taskkill.exe
2344	taskkill.exe
3276	taskkill.exe
1592	taskkill.exe
3312	taskkill.exe
760	taskkill.exe
4416	taskkill.exe
3056	taskkill.exe
3664	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4428	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6592	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	4036	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	3460	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	4504	taskkill.exe
Token: SeDebugPrivilege	3664	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	4172	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	3312	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeDebugPrivilege	4392	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	3752	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	5104	taskkill.exe
Token: SeDebugPrivilege	4416	taskkill.exe
Token: SeDebugPrivilege	3084	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2816	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 228 wrote to memory of 2816	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 228 wrote to memory of 4760	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 228 wrote to memory of 4760	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 228 wrote to memory of 4296	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 228 wrote to memory of 4296	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 228 wrote to memory of 1944	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 228 wrote to memory of 1944	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 228 wrote to memory of 2180	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 228 wrote to memory of 2180	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 228 wrote to memory of 1972	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 228 wrote to memory of 1972	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 228 wrote to memory of 3664	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 228 wrote to memory of 3664	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 228 wrote to memory of 4244	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 228 wrote to memory of 4244	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 228 wrote to memory of 4504	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 228 wrote to memory of 4504	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 228 wrote to memory of 4288	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 228 wrote to memory of 4288	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 228 wrote to memory of 3168	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	188
PID 228 wrote to memory of 3168	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	188
PID 228 wrote to memory of 1636	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 228 wrote to memory of 1636	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 228 wrote to memory of 2564	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 228 wrote to memory of 2564	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 228 wrote to memory of 3056	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 228 wrote to memory of 3056	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 228 wrote to memory of 4036	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 228 wrote to memory of 4036	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 228 wrote to memory of 4416	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 228 wrote to memory of 4416	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 228 wrote to memory of 2772	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 228 wrote to memory of 2772	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 228 wrote to memory of 3460	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 228 wrote to memory of 3460	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 228 wrote to memory of 3320	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 228 wrote to memory of 3320	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 228 wrote to memory of 1396	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 228 wrote to memory of 1396	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 228 wrote to memory of 2680	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 228 wrote to memory of 2680	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 228 wrote to memory of 4864	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	113
PID 228 wrote to memory of 4864	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	113
PID 228 wrote to memory of 792	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 228 wrote to memory of 792	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 228 wrote to memory of 2800	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	115
PID 228 wrote to memory of 2800	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	115
PID 228 wrote to memory of 700	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	116
PID 228 wrote to memory of 700	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	116
PID 228 wrote to memory of 1784	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	117
PID 228 wrote to memory of 1784	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	117
PID 228 wrote to memory of 4716	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	118
PID 228 wrote to memory of 4716	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	118
PID 228 wrote to memory of 4708	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 228 wrote to memory of 4708	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 228 wrote to memory of 4392	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 228 wrote to memory of 4392	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 228 wrote to memory of 2892	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 228 wrote to memory of 2892	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 228 wrote to memory of 1760	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 228 wrote to memory of 1760	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 228 wrote to memory of 760	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	123
PID 228 wrote to memory of 760	228	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	123

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:2816
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:4760
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:4296
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1944
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3664
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:3168
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3752
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4172
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3276
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4428
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1204
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6592
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:2612
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
2125238333fc62c93afbab199eaaa154

SHA1
fd8fc23c71622ca8c812898d2df8b2c13e0f8b38

SHA256
2c0bcdcc25ecf257dd50a7162343f0a53434f49272db72ef20115800f8a1f12b

SHA512
31b4ce66da281f18be6e1fa88f8782fa724bfcf6c452a01902f0a467f460f6882ad81cefa8519ff3fb48a8f3b6d5badc3e16aa18e7d5c22a4442aa70c3238f4d

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
65a403cff5045e171e6bb4c756c254db

SHA1
c64396d08a6a0d96fbf64950dfaa834bd74eaad8

SHA256
53f0e6f21b6426eace6e4ca66db8e1b12b34a25700274a46d3ddc5d1b955378a

SHA512
303afe9c4ad627de27799f3c7443425b9aa9ec8f9d7f0c0fd2ce699e3b2a81cca14df136ea076c1a6e665f66cb117663e0cd80662ac5f0bf6e1ca331c4313087

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
63e859e9216e332d04131751d74983de

SHA1
b209ea0cd2784bd8ae1e0278bc1d3fc090116d82

SHA256
aba0934f323269201f2b6fff4b403afe0299b7841e9377077c51e63c01bff399

SHA512
0fbfb3096b949c2cb08a07bfc74362f3e26c89c4ebd0469810cb264d54f36e0837dcf28b2baacfa399666565330ae77e54eafee7b31f9521bc27266bf3f878fb

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
3364400ac0f22120b6fae847f80635e8

SHA1
5156e4fa25c4437706d4689538609e4e4577cee6

SHA256
5b74e2a7f42aef792e759174363410ebb59743b331a26b0f75d44bb914d5ba00

SHA512
4eff9397cc05ab53e2b5acf13143c3133d1562db2ee755d1039d646d674b52043e356215c6a38aaeb49f46ac442d0d4cc66d6bc50f198f7b700a737ca2983702

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
3cb8b189d947153e3bf4457f2770ec78

SHA1
f4205906d64791055d7e66a7b3a98991a96111ab

SHA256
f05d1f4a92177c9eb395f678b48e44b3a0a1de071fdf78a2423cf75e5f942a24

SHA512
77dffd1baefa4286a23a2484c750eb41183d2bc7a51d3059c9474fa48b9671654629d97621dbf0c418bd26ff123e5f75f1b43114ef7af9a6f9ea4c5ea687017b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e30544e6d048b2c1c6129c89835c16dd

SHA1
21d167ff64825d3f8a5c351c3160b670dc14cb60

SHA256
df0fcfba7ccb03bac0ccf6941f9cc512937fdc63035a2fedc78aa9a82c1d8af1

SHA512
fcfc1e2b4110286dc8ede8caab34ea309e24fa6deb225213ab0e5b2d6499cc195e65dde2e125bca3ef5d5b5f4fdda66a1e4429cf2ea1c3df0ba92142342dfd9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28bd37b1c2c4aa1279b13dfde5afc05a

SHA1
45514aa393e68144c0483e977e21dbafe318a560

SHA256
a5793c71134a44cd641b16ad71ba1d3e2bf6d2e2abc38a1b0304d7a55b1f1b42

SHA512
4bc58ce55e5450bda26094f151f9f13f45fffd6f1bfdc131344b9bfb6fa70ede399230f2bebd408f40da68affd8ed083aa4b4ced242ea522aace4b822ec45615

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0nautdyv.jtb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
67345b85017b91d07654ec23511b49fc

SHA1
c08dce10fa783d575b75620054667ee913970942

SHA256
bf1848ea61b8cb7a426742da62ccf7c77d534910ccf65e6f2131703ffc6b9e6a

SHA512
48f9f6f47823a16b297807594cf85aae264895c8ac9d5508d022fcf2d17e3f69e759c8ea7debf98f177dc2bb84233a54b427f4838e290f2ab8fb98503aa7cf5c

Download Submit
memory/228-345-0x00007FFF05110000-0x00007FFF05BD2000-memory.dmp

Filesize
10.8MB

Download
memory/228-228-0x00007FFF05113000-0x00007FFF05115000-memory.dmp

Filesize
8KB

Download
memory/228-0-0x00007FFF05113000-0x00007FFF05115000-memory.dmp

Filesize
8KB

Download
memory/228-2-0x00007FFF05110000-0x00007FFF05BD2000-memory.dmp

Filesize
10.8MB

Download
memory/228-1-0x0000000000EA0000-0x0000000000EBA000-memory.dmp

Filesize
104KB

Download
memory/228-562-0x00007FFF05110000-0x00007FFF05BD2000-memory.dmp

Filesize
10.8MB

Download
memory/3084-36-0x0000024CFC470000-0x0000024CFC492000-memory.dmp

Filesize
136KB

Download