ryuk | a30398ce3dc4fd04ddacb9408a136bc848e3a88ea98a486a93f4e7dc9650b218

Analysis

max time kernel
90s
max time network
17s
platform
windows7_x64
resource
win7v20201028
submitted
07/03/2021, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

860e50.bin.exe
Size

196KB
MD5

484a2bcb1335ac97ee91194f4c0964bc
SHA1

ad11ed52ab33ad05eb9b1e9ade134ca1348acc81
SHA256

40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1
SHA512

6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
2008	daLYleD.exe

Loads dropped DLL 2 IoCs

pid	Process
1096	860e50.bin.exe
1096	860e50.bin.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
524	icacls.exe
960	icacls.exe
388	icacls.exe
648	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\daLYleD.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\860e50.bin.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10337_.GIF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51B.GIF	860e50.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	860e50.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\RyukReadMe.html	860e50.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	860e50.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107342.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14529_.GIF	860e50.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png	860e50.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\RyukReadMe.html	860e50.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\RyukReadMe.html	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\RyukReadMe.html	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01848_.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml	860e50.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107024.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107452.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01627_.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html	860e50.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\ActionsPane3.xsd	860e50.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\RyukReadMe.html	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02368_.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02389_.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02407_.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZUSR12.ACCDU	860e50.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo	860e50.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\RyukReadMe.html	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152558.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4B.GIF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART12.BDR	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CGMIMP32.HLP	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg	860e50.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\RyukReadMe.html	860e50.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	860e50.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\RyukReadMe.html	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\EXPEDITN.INF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294989.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00305_.WMF	860e50.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00397_.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01658_.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171847.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETSM.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00200_.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PAPER_01.MID	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\RyukReadMe.html	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00004_.GIF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FALL_01.MID	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107266.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152606.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196060.WMF	860e50.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP	860e50.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1056	vssadmin.exe
1964	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1096	860e50.bin.exe
1096	860e50.bin.exe
2008	daLYleD.exe
1096	860e50.bin.exe
1096	860e50.bin.exe
2008	daLYleD.exe
1096	860e50.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	860e50.bin.exe
Token: SeBackupPrivilege	2008	daLYleD.exe
Token: SeBackupPrivilege	1096	860e50.bin.exe
Token: SeBackupPrivilege	1424	vssvc.exe
Token: SeRestorePrivilege	1424	vssvc.exe
Token: SeAuditPrivilege	1424	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1916	WMIC.exe
Token: SeSecurityPrivilege	1916	WMIC.exe
Token: SeTakeOwnershipPrivilege	1916	WMIC.exe
Token: SeLoadDriverPrivilege	1916	WMIC.exe
Token: SeSystemProfilePrivilege	1916	WMIC.exe
Token: SeSystemtimePrivilege	1916	WMIC.exe
Token: SeProfSingleProcessPrivilege	1916	WMIC.exe
Token: SeIncBasePriorityPrivilege	1916	WMIC.exe
Token: SeCreatePagefilePrivilege	1916	WMIC.exe
Token: SeBackupPrivilege	1916	WMIC.exe
Token: SeRestorePrivilege	1916	WMIC.exe
Token: SeShutdownPrivilege	1916	WMIC.exe
Token: SeDebugPrivilege	1916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1916	WMIC.exe
Token: SeRemoteShutdownPrivilege	1916	WMIC.exe
Token: SeUndockPrivilege	1916	WMIC.exe
Token: SeManageVolumePrivilege	1916	WMIC.exe
Token: 33	1916	WMIC.exe
Token: 34	1916	WMIC.exe
Token: 35	1916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1916	WMIC.exe
Token: SeSecurityPrivilege	1916	WMIC.exe
Token: SeTakeOwnershipPrivilege	1916	WMIC.exe
Token: SeLoadDriverPrivilege	1916	WMIC.exe
Token: SeSystemProfilePrivilege	1916	WMIC.exe
Token: SeSystemtimePrivilege	1916	WMIC.exe
Token: SeProfSingleProcessPrivilege	1916	WMIC.exe
Token: SeIncBasePriorityPrivilege	1916	WMIC.exe
Token: SeCreatePagefilePrivilege	1916	WMIC.exe
Token: SeBackupPrivilege	1916	WMIC.exe
Token: SeRestorePrivilege	1916	WMIC.exe
Token: SeShutdownPrivilege	1916	WMIC.exe
Token: SeDebugPrivilege	1916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1916	WMIC.exe
Token: SeRemoteShutdownPrivilege	1916	WMIC.exe
Token: SeUndockPrivilege	1916	WMIC.exe
Token: SeManageVolumePrivilege	1916	WMIC.exe
Token: 33	1916	WMIC.exe
Token: 34	1916	WMIC.exe
Token: 35	1916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1752	WMIC.exe
Token: SeSecurityPrivilege	1752	WMIC.exe
Token: SeTakeOwnershipPrivilege	1752	WMIC.exe
Token: SeLoadDriverPrivilege	1752	WMIC.exe
Token: SeSystemProfilePrivilege	1752	WMIC.exe
Token: SeSystemtimePrivilege	1752	WMIC.exe
Token: SeProfSingleProcessPrivilege	1752	WMIC.exe
Token: SeIncBasePriorityPrivilege	1752	WMIC.exe
Token: SeCreatePagefilePrivilege	1752	WMIC.exe
Token: SeBackupPrivilege	1752	WMIC.exe
Token: SeRestorePrivilege	1752	WMIC.exe
Token: SeShutdownPrivilege	1752	WMIC.exe
Token: SeDebugPrivilege	1752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1752	WMIC.exe
Token: SeRemoteShutdownPrivilege	1752	WMIC.exe
Token: SeUndockPrivilege	1752	WMIC.exe
Token: SeManageVolumePrivilege	1752	WMIC.exe
Token: 33	1752	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2008	1096	860e50.bin.exe	26
PID 1096 wrote to memory of 2008	1096	860e50.bin.exe	26
PID 1096 wrote to memory of 2008	1096	860e50.bin.exe	26
PID 1096 wrote to memory of 2008	1096	860e50.bin.exe	26
PID 1096 wrote to memory of 1116	1096	860e50.bin.exe	15
PID 1096 wrote to memory of 2036	1096	860e50.bin.exe	27
PID 1096 wrote to memory of 2036	1096	860e50.bin.exe	27
PID 1096 wrote to memory of 2036	1096	860e50.bin.exe	27
PID 1096 wrote to memory of 2036	1096	860e50.bin.exe	27
PID 2036 wrote to memory of 1964	2036	net.exe	29
PID 2036 wrote to memory of 1964	2036	net.exe	29
PID 2036 wrote to memory of 1964	2036	net.exe	29
PID 2036 wrote to memory of 1964	2036	net.exe	29
PID 1096 wrote to memory of 524	1096	860e50.bin.exe	30
PID 1096 wrote to memory of 524	1096	860e50.bin.exe	30
PID 1096 wrote to memory of 524	1096	860e50.bin.exe	30
PID 1096 wrote to memory of 524	1096	860e50.bin.exe	30
PID 1096 wrote to memory of 1176	1096	860e50.bin.exe	14
PID 524 wrote to memory of 732	524	net.exe	32
PID 524 wrote to memory of 732	524	net.exe	32
PID 524 wrote to memory of 732	524	net.exe	32
PID 524 wrote to memory of 732	524	net.exe	32
PID 2008 wrote to memory of 388	2008	daLYleD.exe	36
PID 2008 wrote to memory of 388	2008	daLYleD.exe	36
PID 2008 wrote to memory of 388	2008	daLYleD.exe	36
PID 2008 wrote to memory of 388	2008	daLYleD.exe	36
PID 2008 wrote to memory of 648	2008	daLYleD.exe	37
PID 2008 wrote to memory of 648	2008	daLYleD.exe	37
PID 2008 wrote to memory of 648	2008	daLYleD.exe	37
PID 2008 wrote to memory of 648	2008	daLYleD.exe	37
PID 2008 wrote to memory of 1616	2008	daLYleD.exe	40
PID 2008 wrote to memory of 1616	2008	daLYleD.exe	40
PID 2008 wrote to memory of 1616	2008	daLYleD.exe	40
PID 2008 wrote to memory of 1616	2008	daLYleD.exe	40
PID 2008 wrote to memory of 1056	2008	daLYleD.exe	42
PID 2008 wrote to memory of 1056	2008	daLYleD.exe	42
PID 2008 wrote to memory of 1056	2008	daLYleD.exe	42
PID 2008 wrote to memory of 1056	2008	daLYleD.exe	42
PID 1616 wrote to memory of 1916	1616	cmd.exe	44
PID 1616 wrote to memory of 1916	1616	cmd.exe	44
PID 1616 wrote to memory of 1916	1616	cmd.exe	44
PID 1616 wrote to memory of 1916	1616	cmd.exe	44
PID 2008 wrote to memory of 1584	2008	daLYleD.exe	45
PID 2008 wrote to memory of 1584	2008	daLYleD.exe	45
PID 2008 wrote to memory of 1584	2008	daLYleD.exe	45
PID 2008 wrote to memory of 1584	2008	daLYleD.exe	45
PID 1584 wrote to memory of 1596	1584	net.exe	47
PID 1584 wrote to memory of 1596	1584	net.exe	47
PID 1584 wrote to memory of 1596	1584	net.exe	47
PID 1584 wrote to memory of 1596	1584	net.exe	47
PID 1096 wrote to memory of 524	1096	860e50.bin.exe	49
PID 1096 wrote to memory of 524	1096	860e50.bin.exe	49
PID 1096 wrote to memory of 524	1096	860e50.bin.exe	49
PID 1096 wrote to memory of 524	1096	860e50.bin.exe	49
PID 1096 wrote to memory of 960	1096	860e50.bin.exe	52
PID 1096 wrote to memory of 960	1096	860e50.bin.exe	52
PID 1096 wrote to memory of 960	1096	860e50.bin.exe	52
PID 1096 wrote to memory of 960	1096	860e50.bin.exe	52
PID 1096 wrote to memory of 1244	1096	860e50.bin.exe	54
PID 1096 wrote to memory of 1244	1096	860e50.bin.exe	54
PID 1096 wrote to memory of 1244	1096	860e50.bin.exe	54
PID 1096 wrote to memory of 1244	1096	860e50.bin.exe	54
PID 1096 wrote to memory of 1964	1096	860e50.bin.exe	55
PID 1096 wrote to memory of 1964	1096	860e50.bin.exe	55

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe
"C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\daLYleD.exe
  "C:\Users\Admin\AppData\Local\Temp\daLYleD.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:388
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1916
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1056
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\daLYleD.exe" /f /reg:64
    3⤵
    PID:28076
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\daLYleD.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:28380
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:37300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:37340
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:65348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:65376
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1964
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:732
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:524
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe" /f /reg:64
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\860e50.bin.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:2088
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2128
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:34800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:34924
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:37440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:37540
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:54708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:55312
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:67084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:68596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-2-0x0000000075301000-0x0000000075303000-memory.dmp

Filesize
8KB

Download
memory/1096-29-0x00000000027C0000-0x00000000027D1000-memory.dmp

Filesize
68KB

Download
memory/1096-14-0x00000000027C0000-0x00000000027D1000-memory.dmp

Filesize
68KB

Download
memory/1096-7-0x00000000027C0000-0x00000000027D1000-memory.dmp

Filesize
68KB

Download
memory/1096-9-0x0000000002BD0000-0x0000000002BE1000-memory.dmp

Filesize
68KB

Download
memory/2008-24-0x0000000001F90000-0x0000000001FA1000-memory.dmp

Filesize
68KB

Download
memory/2008-25-0x00000000023A0000-0x00000000023B1000-memory.dmp

Filesize
68KB

Download