ryuk | 51ec1631a41116543155d62343c319cc18fbc96ff69d13486628059c8996082d

Analysis

max time kernel
150s
max time network
104s
platform
windows10_x64
resource
win10v20201028
submitted
22-02-2021 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
Size

314KB
MD5

89e60fff097ebf9b27bc8aa9b1564da0
SHA1

9a1755bcfb3496290333f33b1b0b738016b868bf
SHA256

2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79
SHA512

a471d4ad11bb4fdb2adcf988a133a53a7b3b536681f421e1c13047bbfeeacfef3a232689de215a8bf81e55515c5cf92081e0b41893c56712bf328aae67de8055

Score

10^/10

ryuk discovery ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
696	gfjBpTZeArep.exe
3764	TSQvCjNHplan.exe
3860	WUzBpTDuzlan.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4528	icacls.exe
4540	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluError_136x136.svg	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.ELM	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-nodes.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\AppStore_icon.svg	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\ui-strings.js	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\common.js	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\hscroll-thumb.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\ui-strings.js	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-selector.js	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit.svg	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_unselected_18.svg	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close-2.svg	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.INF	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-lib-uihandler.xml_hidden	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.DLL	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugin.js	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_pattern_RHP.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\iw_get.svg	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\playstore.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.White.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\ui-strings.js	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main.css	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\ui-strings.js	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\es-es\ui-strings.js	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 696	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	78
PID 648 wrote to memory of 696	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	78
PID 648 wrote to memory of 696	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	78
PID 648 wrote to memory of 3764	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	79
PID 648 wrote to memory of 3764	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	79
PID 648 wrote to memory of 3764	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	79
PID 648 wrote to memory of 3860	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	80
PID 648 wrote to memory of 3860	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	80
PID 648 wrote to memory of 3860	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	80
PID 648 wrote to memory of 4528	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	81
PID 648 wrote to memory of 4528	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	81
PID 648 wrote to memory of 4528	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	81
PID 648 wrote to memory of 4540	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	82
PID 648 wrote to memory of 4540	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	82
PID 648 wrote to memory of 4540	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	82
PID 648 wrote to memory of 4900	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	86
PID 648 wrote to memory of 4900	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	86
PID 648 wrote to memory of 4900	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	86
PID 648 wrote to memory of 3092	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	85
PID 648 wrote to memory of 3092	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	85
PID 648 wrote to memory of 3092	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	85
PID 648 wrote to memory of 5000	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	90
PID 648 wrote to memory of 5000	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	90
PID 648 wrote to memory of 5000	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	90
PID 648 wrote to memory of 820	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	89
PID 648 wrote to memory of 820	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	89
PID 648 wrote to memory of 820	648	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	89
PID 4900 wrote to memory of 5088	4900	net.exe	93
PID 4900 wrote to memory of 5088	4900	net.exe	93
PID 4900 wrote to memory of 5088	4900	net.exe	93
PID 3092 wrote to memory of 4704	3092	net.exe	94
PID 3092 wrote to memory of 4704	3092	net.exe	94
PID 3092 wrote to memory of 4704	3092	net.exe	94
PID 820 wrote to memory of 5068	820	net.exe	96
PID 820 wrote to memory of 5068	820	net.exe	96
PID 820 wrote to memory of 5068	820	net.exe	96
PID 5000 wrote to memory of 4612	5000	net.exe	95
PID 5000 wrote to memory of 4612	5000	net.exe	95
PID 5000 wrote to memory of 4612	5000	net.exe	95

C:\Users\Admin\AppData\Local\Temp\2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
"C:\Users\Admin\AppData\Local\Temp\2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\gfjBpTZeArep.exe
  "C:\Users\Admin\AppData\Local\Temp\gfjBpTZeArep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Users\Admin\AppData\Local\Temp\TSQvCjNHplan.exe
  "C:\Users\Admin\AppData\Local\Temp\TSQvCjNHplan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Users\Admin\AppData\Local\Temp\WUzBpTDuzlan.exe
  "C:\Users\Admin\AppData\Local\Temp\WUzBpTDuzlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4528
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4540
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4704
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5088
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5068
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/648-3-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/648-21-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/648-20-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download