hakbit | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/04/2025, 21:24

250401-z8184awycs 10

Analysis

max time kernel
85s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
26/02/2025, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: oIfX2VYK7QJFXujhQvfVnCR8e478Edha/muW4okEW3NpDIz6TxYXYcF4KH2NEQv0ny8r3pp/Uq08yPHVdvg1eBj+6ivgkJYIMq/VhZEfwhFS0jvcVoKdZ34sOkwforREQri3HllR+6fFfzgP6wYQa2BN3cpWu9WBAh++si+lzZUKo2ay1oJSbpqfET4BtPH0Z+66/xTvk1AH76P31WpLzZqgkqjR9xyUhcIYMIDFawQzqrbETNOEh8JEIGbqomRPmc2Zz6pIfBuYwd/MlIba3/lwL6CM/E1Wr9ThYdL0h+HtTnjuS1/SNgrz0rHL17CDmnZnSFGrWYztuYYyqHk7ZLEnPPxm4deklNrG/D2+m6DGwNqut18EAi2/Al+BOOlg4X60p+2xt/8mvJPggrQECJwRbHy1+E+ob9rOURwva34sC0wC2VwZDQRQGRjXkH1/QpZplhCChdWi3CnJvQOqDVlVbwMKqNSH0qbJ9zKNi8qNInKWtQ+C+7DyPC9A/owIFt5hIJJ6nEH54AU9iGV9Fxmc/NX3xtdHF0cwKMl9udBMM7R3o3lkCPYGi5Al0NU9N/tg2iuGsbW6AD4USi1FteVEjDD5BijNrsaAeh81fZZ2Zz3x1j/UAEvollMM/XsX4CkaXu8kpNTwrgScJxjd9KK7pM1qTbvGm74eEu9KMgo= Number of files that were processed is: 405

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1580	sc.exe
4444	sc.exe
4912	sc.exe
4540	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4688	PING.EXE
240	cmd.exe

Kills process with taskkill 47 IoCs

defense_evasion

pid	Process
4416	taskkill.exe
816	taskkill.exe
5108	taskkill.exe
1764	taskkill.exe
340	taskkill.exe
2924	taskkill.exe
3884	taskkill.exe
1880	taskkill.exe
4692	taskkill.exe
4160	taskkill.exe
3940	taskkill.exe
3280	taskkill.exe
2912	taskkill.exe
2028	taskkill.exe
252	taskkill.exe
1608	taskkill.exe
1900	taskkill.exe
996	taskkill.exe
2572	taskkill.exe
3404	taskkill.exe
2064	taskkill.exe
3596	taskkill.exe
1564	taskkill.exe
2992	taskkill.exe
5024	taskkill.exe
5060	taskkill.exe
1884	taskkill.exe
3916	taskkill.exe
1288	taskkill.exe
2180	taskkill.exe
2128	taskkill.exe
4260	taskkill.exe
2016	taskkill.exe
3804	taskkill.exe
1560	taskkill.exe
664	taskkill.exe
1164	taskkill.exe
2168	taskkill.exe
2196	taskkill.exe
4776	taskkill.exe
2372	taskkill.exe
1800	taskkill.exe
892	taskkill.exe
232	taskkill.exe
676	taskkill.exe
2680	taskkill.exe
680	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4252	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4688	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	680	taskkill.exe
Token: SeDebugPrivilege	3596	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	2064	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	4692	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	4416	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	252	taskkill.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	3280	taskkill.exe
Token: SeDebugPrivilege	340	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	1884	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4444	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	79
PID 4772 wrote to memory of 4444	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	79
PID 4772 wrote to memory of 1580	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 4772 wrote to memory of 1580	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 4772 wrote to memory of 4540	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 4772 wrote to memory of 4540	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 4772 wrote to memory of 4912	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 4772 wrote to memory of 4912	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 4772 wrote to memory of 1560	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 4772 wrote to memory of 1560	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 4772 wrote to memory of 2028	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 4772 wrote to memory of 2028	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 4772 wrote to memory of 2912	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 4772 wrote to memory of 2912	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 4772 wrote to memory of 4160	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 4772 wrote to memory of 4160	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 4772 wrote to memory of 1884	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 4772 wrote to memory of 1884	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 4772 wrote to memory of 2372	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 4772 wrote to memory of 2372	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 4772 wrote to memory of 4776	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 4772 wrote to memory of 4776	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 4772 wrote to memory of 3804	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 4772 wrote to memory of 3804	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 4772 wrote to memory of 5108	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 4772 wrote to memory of 5108	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 4772 wrote to memory of 2196	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 4772 wrote to memory of 2196	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 4772 wrote to memory of 676	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 4772 wrote to memory of 676	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 4772 wrote to memory of 2016	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 4772 wrote to memory of 2016	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 4772 wrote to memory of 4260	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 4772 wrote to memory of 4260	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 4772 wrote to memory of 816	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 4772 wrote to memory of 816	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 4772 wrote to memory of 3280	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 4772 wrote to memory of 3280	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 4772 wrote to memory of 2064	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 4772 wrote to memory of 2064	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 4772 wrote to memory of 3404	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 4772 wrote to memory of 3404	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 4772 wrote to memory of 4692	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 4772 wrote to memory of 4692	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 4772 wrote to memory of 3940	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 4772 wrote to memory of 3940	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 4772 wrote to memory of 1880	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 4772 wrote to memory of 1880	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 4772 wrote to memory of 5060	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 4772 wrote to memory of 5060	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 4772 wrote to memory of 5024	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 4772 wrote to memory of 5024	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 4772 wrote to memory of 3884	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 4772 wrote to memory of 3884	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 4772 wrote to memory of 2168	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 4772 wrote to memory of 2168	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 4772 wrote to memory of 2992	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 4772 wrote to memory of 2992	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 4772 wrote to memory of 1564	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 4772 wrote to memory of 1564	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 4772 wrote to memory of 2572	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 4772 wrote to memory of 2572	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 4772 wrote to memory of 2128	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 4772 wrote to memory of 2128	4772	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:4444
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:1580
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:4540
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4912
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3804
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3280
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:5060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:252
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:340
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:4932
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4252
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:240
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4688
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:5892
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
bd60886cd46af7c0897d2f2f9819065e

SHA1
64ad11aa19e9998a0f298b9b143ea96775f88a2a

SHA256
4b7a9384b9c79d4eee0ce82fd9e020dcf1f506189197d8fa7aa9568cf5bea683

SHA512
a62ce37110213a8be614303e43bdca4e4012d69e2fd93831467505fe7c7584acae9e4ad9ca12da22dc9c655b10105db3a9b3e40581bd33884c7f17cd7c1b3a5a

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
a7290c1b34888d96454c124adfc58c1c

SHA1
46330311d4f5e65826ad22be57bdd59693034783

SHA256
bc74b0cbca194626248524e7279ddc1a1fabd993a4918ae1b7bb266310686941

SHA512
1a7dca18d6cd037d4244d77930935e20b41db3d1e7f822a187ec148b7601f3b5f287e49994c847634eb9472bc331bd9f2408567b102258aac80e317646e0a6f9

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
957284c768de55b6fbe979516937f03a

SHA1
56b29141aefff19f4098805d8cc9715b80b2ccd5

SHA256
70577f6570c238502e2926120bd9b2c82034a7fcccfcd84d68b135f74e598436

SHA512
3d0de93d4d18cd30a7622d7cb9128493beef161505c3b697a70db90023822d67f37d80b8b93bc06f63cf8bee1fba8f214f7baf7318e6914593833775a2ea58e0

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
18f7bcdba9899aa3c5a24fc8890cee0d

SHA1
c1a0639bbb685218e0265a69e98ff13889f5d364

SHA256
2f242c827485d3070a0fc555baf823b8bf551aea9e41b4f4933954c9c2fa0159

SHA512
4ace28438dae5f7cf932928f467449a6b8ce499be9cee3824a8c011af8cd806f42343c85bff94b5ea6433be945f8925338e1350eb2e3520021892de1d6be88eb

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
bd338f47a7373ac557d6af54bf9a8894

SHA1
c0a25e6a0d460225dfdd47cac7ad49c6dbd74243

SHA256
063531189270a69878ffd62ea59d8000ae4ce226b5788e0aed430e344fc271d5

SHA512
d58eb5ef859a7ed6a93f0ce170e34a0fb92bce94718ed3d39c46dfedec5a92cb048b4a730cc32925ba8ac33f5e00b2158d05e8e57e1dfbe726c2631302737d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w0eikjns.op4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
d2c8a0e8111fb67b7cc796ac4c22f4fe

SHA1
d22d48632f93d95f3f71d0b7b2a7b526dbeb30f1

SHA256
0808d56d4b65970a726bd91af9135ed8ef39ebac2d96a7991bcea820aeb41d35

SHA512
ecd7b4f5b6780424a4e6c884d9a74aa56784e206f1b715bfa1e261346ee6f6808926b594c5fdd69d8d40b237ec3d1cd02cac75a1cc29aef96964018a26df55ed

Download Submit
memory/2316-20-0x000001CC38420000-0x000001CC38442000-memory.dmp

Filesize
136KB

Download
memory/4772-0-0x00007FFE52753000-0x00007FFE52755000-memory.dmp

Filesize
8KB

Download
memory/4772-2-0x00007FFE52750000-0x00007FFE53212000-memory.dmp

Filesize
10.8MB

Download
memory/4772-417-0x00007FFE52753000-0x00007FFE52755000-memory.dmp

Filesize
8KB

Download
memory/4772-478-0x00007FFE52750000-0x00007FFE53212000-memory.dmp

Filesize
10.8MB

Download
memory/4772-1-0x0000000000900000-0x000000000091A000-memory.dmp

Filesize
104KB

Download
memory/4772-559-0x00007FFE52750000-0x00007FFE53212000-memory.dmp

Filesize
10.8MB

Download