hakbit | 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2025, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: te5s2xJmRir0vkfsc//vWJWBUjlxkIP35D8I+f31kkMhqQJOJvOXYcCFu3MgAh16rXBgihZg85KMSze1Bukr7CC7l/brHFguVyR84IGbk3571Bvc7sj7MDpGBu8nSQ42Q7ujEGfrUxowmLK8HlgNa6d7I0sSOzBANTsI0UYFuECa0PEmM9dNTshEKulk2QU282Y7hLEW30t7RchxVo/piM8iVWFBB1vaeRmEkYo26hDsmLK+8G44LMplLDKsMtqXG4rH3tMnRiP17sa12QyFtetK6l7NOZ3RfpJp/9DmUfKmj4KHIc/Rxuln2EW86rXRpUn2IpBad3eUrr5xbzI9cmR8gUFuiOivditrBqWKtimk+f0GHA4cIlLtbAgu9PKldYHo0nkw7tjAu9B4YJPZ2+pE8LTUmjlN1R2fplZqb+xL00hfFylULpHvP0Jk0sS0T06WE/GMJqgsMdZBIomeMRSGhyU3RpFOmKM/5H7dkTaSYGBNmAEN7fTaLXiQ3PwG27BLdLTF9Jy0TzqSg/zYfiYhTjyCM9rqE09w7S8VsGo3L9p41wXJePHHlGAXrzMCuhWymgV4qEGYTuIt9ZpVaH0CyspEMtWVBBy397Vl5BaZN8SbTeUbFnnbbtrY5TQJ2JO+m4eReGz+uy8msSc8dk4ABIT+c2Uy7/LWgr4Noh8= Number of files that were processed is: 448

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4664	sc.exe
1428	sc.exe
1764	sc.exe
1140	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6300	cmd.exe
6368	PING.EXE

Kills process with taskkill 47 IoCs

defense_evasion

pid	Process
3876	taskkill.exe
4084	taskkill.exe
3700	taskkill.exe
5044	taskkill.exe
4304	taskkill.exe
1112	taskkill.exe
2804	taskkill.exe
1616	taskkill.exe
4780	taskkill.exe
4592	taskkill.exe
2636	taskkill.exe
2192	taskkill.exe
5064	taskkill.exe
4000	taskkill.exe
4720	taskkill.exe
3128	taskkill.exe
1184	taskkill.exe
4612	taskkill.exe
4988	taskkill.exe
3200	taskkill.exe
1972	taskkill.exe
2800	taskkill.exe
1648	taskkill.exe
1932	taskkill.exe
2444	taskkill.exe
2248	taskkill.exe
1608	taskkill.exe
4820	taskkill.exe
3392	taskkill.exe
916	taskkill.exe
4448	taskkill.exe
3516	taskkill.exe
2132	taskkill.exe
3596	taskkill.exe
4320	taskkill.exe
3572	taskkill.exe
320	taskkill.exe
4228	taskkill.exe
3692	taskkill.exe
3960	taskkill.exe
3308	taskkill.exe
3028	taskkill.exe
4512	taskkill.exe
2748	taskkill.exe
4600	taskkill.exe
2760	taskkill.exe
2864	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2236	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6368	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	3596	taskkill.exe
Token: SeDebugPrivilege	4720	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	4320	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	3392	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	4512	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	2444	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	4448	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	4556	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 1764	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 4596 wrote to memory of 1764	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 4596 wrote to memory of 1428	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 4596 wrote to memory of 1428	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 4596 wrote to memory of 4664	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 4596 wrote to memory of 4664	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 4596 wrote to memory of 1140	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 4596 wrote to memory of 1140	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 4596 wrote to memory of 3596	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 4596 wrote to memory of 3596	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 4596 wrote to memory of 4592	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 4596 wrote to memory of 4592	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 4596 wrote to memory of 3392	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 4596 wrote to memory of 3392	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 4596 wrote to memory of 5044	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 4596 wrote to memory of 5044	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 4596 wrote to memory of 3200	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 4596 wrote to memory of 3200	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 4596 wrote to memory of 4820	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 4596 wrote to memory of 4820	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 4596 wrote to memory of 2800	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 4596 wrote to memory of 2800	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 4596 wrote to memory of 3700	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 4596 wrote to memory of 3700	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 4596 wrote to memory of 4084	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 4596 wrote to memory of 4084	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 4596 wrote to memory of 3876	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 4596 wrote to memory of 3876	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 4596 wrote to memory of 1608	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 4596 wrote to memory of 1608	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 4596 wrote to memory of 4780	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 4596 wrote to memory of 4780	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 4596 wrote to memory of 4720	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 4596 wrote to memory of 4720	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 4596 wrote to memory of 1616	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 4596 wrote to memory of 1616	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 4596 wrote to memory of 1972	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 4596 wrote to memory of 1972	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 4596 wrote to memory of 2132	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 4596 wrote to memory of 2132	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 4596 wrote to memory of 2248	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 4596 wrote to memory of 2248	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 4596 wrote to memory of 1320	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 4596 wrote to memory of 1320	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 4596 wrote to memory of 4304	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	126
PID 4596 wrote to memory of 4304	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	126
PID 4596 wrote to memory of 320	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129
PID 4596 wrote to memory of 320	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129
PID 4596 wrote to memory of 3128	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130
PID 4596 wrote to memory of 3128	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130
PID 4596 wrote to memory of 1932	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	131
PID 4596 wrote to memory of 1932	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	131
PID 4596 wrote to memory of 3572	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	132
PID 4596 wrote to memory of 3572	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	132
PID 4596 wrote to memory of 1648	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	133
PID 4596 wrote to memory of 1648	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	133
PID 4596 wrote to memory of 3028	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	134
PID 4596 wrote to memory of 3028	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	134
PID 4596 wrote to memory of 2864	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	141
PID 4596 wrote to memory of 2864	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	141
PID 4596 wrote to memory of 2804	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	143
PID 4596 wrote to memory of 2804	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	143
PID 4596 wrote to memory of 3308	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	144
PID 4596 wrote to memory of 3308	4596	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	144

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:1764
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:1428
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:4664
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1140
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:1320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1932
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2236
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6300
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6368
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:6596
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
acab1fe472642578bb4345f56948328c

SHA1
621e1a1bf73834e30fa7cf118f30e69a8dbcc95d

SHA256
a3c449d565e807ea8a60d2cdc1a9f1eb766c81c5d50458671b349cb969f47556

SHA512
8792700ea45d84d53c3d4c928a2186fba7cbfda0cd9a2cdd19585724f31e7010e0cf0760b53b331edc6ca3556a7f81305e41dd967e04bbdd43d896f990f1bd95

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
21a607d4f898122f5b3421e5c9b02ce7

SHA1
54feb88ad61838d94111672e79bb40a208c82b68

SHA256
0eaf0d62873a436f053ecee228d9574778a159eb61999c6634f4e57282a3231d

SHA512
3cc777593fe29c654ae0c52d26ca750598ff9731129c45573d1c81048aeb210d6ab92bd6b7fc083acc6d23804113ac30e6861904940ea25321bfa899658bd62b

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
ffdf2aa77107c349fc0099bd173cddba

SHA1
09a00932487574eec14508c62986e6495187ba51

SHA256
811b305f986549a67f6e203c09d46bff7c94b193a9b65868f734e4f91fc03429

SHA512
fb5d50a8cecba1071823df7354b9de0c1d82172b51931e3608c5ceaf7a9e56362997a55615646f1731ed9836438fc19917725c90cd2136370eea17fa01617259

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
b5958ddbc7dfcd0c43a6be7e1f918f5d

SHA1
3f0f2062b28fe6e8df11cdcd166ac9b8896fe94b

SHA256
32f48b9dca71f8b75ad87141ab826799e51ae7d01a539312a9fcd606726ad857

SHA512
4e4816cc57e509161baca52188a306e2abdca94a23529fb35116fc9d54e3fbe413a98b3559066f93c29bd3b5418158715cac0f213688b56ad6092f204e9a1c44

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
17f2fb245e25f26414686f1fba65312d

SHA1
5ae31dfd4b32be8e63c46e0e1d60570fb3b9001c

SHA256
45fbad0bfa527c851d173c449c2ace4fcdcd95e6aa8a19da63e64e00b8ecbc4e

SHA512
eafc964ea7634b2f3cd6efff82974777cfa944242c587f427af76e868cc892e6e5c32100fff9128c55731e27266e98bf9f5e12d6a761e452c5541674314fb2c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0e3b2fb1305afa355fb0585c068cdbbd

SHA1
b4e9457bfdc38337f64e3b2606aa34861aa6b4ed

SHA256
43a303fed06d5928800280cb0bf716790d9f886c87f26faf9fbdfa59b55e9c0d

SHA512
6a754dbb33c549ace5f71e169511422284f688c9df1c1e5fac8a633feac24312ba39fa4c682bdc9fe1d1162e2a3bd6190013652e567909417579db4b8791554d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a53fcd7ca5f768ef5b87edc8ff9274aa

SHA1
cf5838b36607558f3f25ca29921c523ad9cda3f9

SHA256
2366de0b561dd9d45362c9fca44eb0aae96766fb55848b63f29f599d6cef7d99

SHA512
c642f4c3d12e8abf4c29141a068c9c93a7e8cca4442ffbaca037362b517abf55d9fc69b1653c63c8a07d3f17f159839f60912d7d0fef760a0a2770fb0d093fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yq5sgbzu.eny.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
fc7bdf55a82a388661d406ed1f08f778

SHA1
c81989aa722f140ff40b78dc2880794053ab0b8e

SHA256
4c19a3a4cf06296272fe9a70f53cd856dcd6c1fecd960bab96351ededb7c7ff1

SHA512
7783cc28e4a69337323e893da190fd9574890838de3493d0c32222241c39ceb242ff77225d222842dd3c834deb251b39980deedddfb401d06014767567c9abf0

Download Submit
memory/4556-16-0x0000019269E20000-0x0000019269E42000-memory.dmp

Filesize
136KB

Download
memory/4596-141-0x00007FF8BE393000-0x00007FF8BE395000-memory.dmp

Filesize
8KB

Download
memory/4596-153-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/4596-0-0x00007FF8BE393000-0x00007FF8BE395000-memory.dmp

Filesize
8KB

Download
memory/4596-3-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/4596-1-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/4596-553-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download