ryuk | 42115345e6724d8aec1aad5d19ffd8a8aae03c504bee41334fccc3f168ac0662

Analysis

max time kernel
90s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
07-03-2021 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rudZqlH.exe
Size

254KB
MD5

4540720d38ed99bceeb97161ca1ff401
SHA1

5714dfd839db561ebcb3cccfcb6f0e39ef644f7b
SHA256

4a87552c4238cdcf1b8611da467164e609da339ff897c50ad4d04aa105ec55bb
SHA512

2be902451da4262ed9899ecd570e12f31516f4d937909ee8e99f2c5dfcdbd7a218cc4eda494357678067ccc58a674944d08150248707a96e7d64ff01b83f0dbf

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
2040	JZJPCuO.exe

Loads dropped DLL 2 IoCs

pid	Process
288	rudZqlH.exe
288	rudZqlH.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1476	icacls.exe
1340	icacls.exe
1364	icacls.exe
1072	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rudZqlH.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JZJPCuO.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115864.GIF	rudZqlH.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RyukReadMe.html	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\THMBNAIL.PNG	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01772_.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF	rudZqlH.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	rudZqlH.exe
File opened for modification	C:\Program Files\MSBuild\RyukReadMe.html	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21330_.GIF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.DPV	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielResume.Dotx	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png	rudZqlH.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png	rudZqlH.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo	rudZqlH.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\RyukReadMe.html	rudZqlH.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00442_.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215710.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignright.gif	rudZqlH.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01140_.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01474_.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143745.GIF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieLetter.dotx	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_OFF.GIF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\RyukReadMe.html	rudZqlH.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\RyukReadMe.html	rudZqlH.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099151.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME37.CSS	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\RyukReadMe.html	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01138_.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RSSFeeds.html	rudZqlH.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18198_.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_K_COL.HXK	rudZqlH.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00938_.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\HAMMER.WAV	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.ELM	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\RyukReadMe.html	rudZqlH.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18201_.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232797.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151055.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10266_.GIF	rudZqlH.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\RyukReadMe.html	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\AddIns.store	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB01741L.GIF	rudZqlH.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\RyukReadMe.html	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36B.GIF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF	rudZqlH.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\RyukReadMe.html	rudZqlH.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png	rudZqlH.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\RyukReadMe.html	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00530_.WMF	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS98.POC	rudZqlH.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	rudZqlH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1412	vssadmin.exe
1752	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
288	rudZqlH.exe
288	rudZqlH.exe
2040	JZJPCuO.exe
288	rudZqlH.exe
288	rudZqlH.exe
2040	JZJPCuO.exe
288	rudZqlH.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	288	rudZqlH.exe
Token: SeBackupPrivilege	2040	JZJPCuO.exe
Token: SeBackupPrivilege	288	rudZqlH.exe
Token: SeBackupPrivilege	1964	vssvc.exe
Token: SeRestorePrivilege	1964	vssvc.exe
Token: SeAuditPrivilege	1964	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1600	WMIC.exe
Token: SeSecurityPrivilege	1600	WMIC.exe
Token: SeTakeOwnershipPrivilege	1600	WMIC.exe
Token: SeLoadDriverPrivilege	1600	WMIC.exe
Token: SeSystemProfilePrivilege	1600	WMIC.exe
Token: SeSystemtimePrivilege	1600	WMIC.exe
Token: SeProfSingleProcessPrivilege	1600	WMIC.exe
Token: SeIncBasePriorityPrivilege	1600	WMIC.exe
Token: SeCreatePagefilePrivilege	1600	WMIC.exe
Token: SeBackupPrivilege	1600	WMIC.exe
Token: SeRestorePrivilege	1600	WMIC.exe
Token: SeShutdownPrivilege	1600	WMIC.exe
Token: SeDebugPrivilege	1600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1600	WMIC.exe
Token: SeRemoteShutdownPrivilege	1600	WMIC.exe
Token: SeUndockPrivilege	1600	WMIC.exe
Token: SeManageVolumePrivilege	1600	WMIC.exe
Token: 33	1600	WMIC.exe
Token: 34	1600	WMIC.exe
Token: 35	1600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1600	WMIC.exe
Token: SeSecurityPrivilege	1600	WMIC.exe
Token: SeTakeOwnershipPrivilege	1600	WMIC.exe
Token: SeLoadDriverPrivilege	1600	WMIC.exe
Token: SeSystemProfilePrivilege	1600	WMIC.exe
Token: SeSystemtimePrivilege	1600	WMIC.exe
Token: SeProfSingleProcessPrivilege	1600	WMIC.exe
Token: SeIncBasePriorityPrivilege	1600	WMIC.exe
Token: SeCreatePagefilePrivilege	1600	WMIC.exe
Token: SeBackupPrivilege	1600	WMIC.exe
Token: SeRestorePrivilege	1600	WMIC.exe
Token: SeShutdownPrivilege	1600	WMIC.exe
Token: SeDebugPrivilege	1600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1600	WMIC.exe
Token: SeRemoteShutdownPrivilege	1600	WMIC.exe
Token: SeUndockPrivilege	1600	WMIC.exe
Token: SeManageVolumePrivilege	1600	WMIC.exe
Token: 33	1600	WMIC.exe
Token: 34	1600	WMIC.exe
Token: 35	1600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe
Token: SeSecurityPrivilege	1204	WMIC.exe
Token: SeTakeOwnershipPrivilege	1204	WMIC.exe
Token: SeLoadDriverPrivilege	1204	WMIC.exe
Token: SeSystemProfilePrivilege	1204	WMIC.exe
Token: SeSystemtimePrivilege	1204	WMIC.exe
Token: SeProfSingleProcessPrivilege	1204	WMIC.exe
Token: SeIncBasePriorityPrivilege	1204	WMIC.exe
Token: SeCreatePagefilePrivilege	1204	WMIC.exe
Token: SeBackupPrivilege	1204	WMIC.exe
Token: SeRestorePrivilege	1204	WMIC.exe
Token: SeShutdownPrivilege	1204	WMIC.exe
Token: SeDebugPrivilege	1204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1204	WMIC.exe
Token: SeRemoteShutdownPrivilege	1204	WMIC.exe
Token: SeUndockPrivilege	1204	WMIC.exe
Token: SeManageVolumePrivilege	1204	WMIC.exe
Token: 33	1204	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 2040	288	rudZqlH.exe	26
PID 288 wrote to memory of 2040	288	rudZqlH.exe	26
PID 288 wrote to memory of 2040	288	rudZqlH.exe	26
PID 288 wrote to memory of 2040	288	rudZqlH.exe	26
PID 288 wrote to memory of 1144	288	rudZqlH.exe	14
PID 288 wrote to memory of 1120	288	rudZqlH.exe	27
PID 288 wrote to memory of 1120	288	rudZqlH.exe	27
PID 288 wrote to memory of 1120	288	rudZqlH.exe	27
PID 288 wrote to memory of 1120	288	rudZqlH.exe	27
PID 1120 wrote to memory of 1760	1120	net.exe	29
PID 1120 wrote to memory of 1760	1120	net.exe	29
PID 1120 wrote to memory of 1760	1120	net.exe	29
PID 1120 wrote to memory of 1760	1120	net.exe	29
PID 288 wrote to memory of 1192	288	rudZqlH.exe	13
PID 288 wrote to memory of 1764	288	rudZqlH.exe	30
PID 288 wrote to memory of 1764	288	rudZqlH.exe	30
PID 288 wrote to memory of 1764	288	rudZqlH.exe	30
PID 288 wrote to memory of 1764	288	rudZqlH.exe	30
PID 1764 wrote to memory of 1160	1764	net.exe	32
PID 1764 wrote to memory of 1160	1764	net.exe	32
PID 1764 wrote to memory of 1160	1764	net.exe	32
PID 1764 wrote to memory of 1160	1764	net.exe	32
PID 2040 wrote to memory of 1072	2040	JZJPCuO.exe	36
PID 2040 wrote to memory of 1072	2040	JZJPCuO.exe	36
PID 2040 wrote to memory of 1072	2040	JZJPCuO.exe	36
PID 2040 wrote to memory of 1072	2040	JZJPCuO.exe	36
PID 2040 wrote to memory of 1476	2040	JZJPCuO.exe	37
PID 2040 wrote to memory of 1476	2040	JZJPCuO.exe	37
PID 2040 wrote to memory of 1476	2040	JZJPCuO.exe	37
PID 2040 wrote to memory of 1476	2040	JZJPCuO.exe	37
PID 2040 wrote to memory of 316	2040	JZJPCuO.exe	40
PID 2040 wrote to memory of 316	2040	JZJPCuO.exe	40
PID 2040 wrote to memory of 316	2040	JZJPCuO.exe	40
PID 2040 wrote to memory of 316	2040	JZJPCuO.exe	40
PID 2040 wrote to memory of 1412	2040	JZJPCuO.exe	41
PID 2040 wrote to memory of 1412	2040	JZJPCuO.exe	41
PID 2040 wrote to memory of 1412	2040	JZJPCuO.exe	41
PID 2040 wrote to memory of 1412	2040	JZJPCuO.exe	41
PID 316 wrote to memory of 1600	316	cmd.exe	45
PID 316 wrote to memory of 1600	316	cmd.exe	45
PID 316 wrote to memory of 1600	316	cmd.exe	45
PID 316 wrote to memory of 1600	316	cmd.exe	45
PID 2040 wrote to memory of 2016	2040	JZJPCuO.exe	44
PID 2040 wrote to memory of 2016	2040	JZJPCuO.exe	44
PID 2040 wrote to memory of 2016	2040	JZJPCuO.exe	44
PID 2040 wrote to memory of 2016	2040	JZJPCuO.exe	44
PID 2016 wrote to memory of 1776	2016	net.exe	48
PID 2016 wrote to memory of 1776	2016	net.exe	48
PID 2016 wrote to memory of 1776	2016	net.exe	48
PID 2016 wrote to memory of 1776	2016	net.exe	48
PID 288 wrote to memory of 1340	288	rudZqlH.exe	50
PID 288 wrote to memory of 1340	288	rudZqlH.exe	50
PID 288 wrote to memory of 1340	288	rudZqlH.exe	50
PID 288 wrote to memory of 1340	288	rudZqlH.exe	50
PID 288 wrote to memory of 1364	288	rudZqlH.exe	64
PID 288 wrote to memory of 1364	288	rudZqlH.exe	64
PID 288 wrote to memory of 1364	288	rudZqlH.exe	64
PID 288 wrote to memory of 1364	288	rudZqlH.exe	64
PID 288 wrote to memory of 560	288	rudZqlH.exe	54
PID 288 wrote to memory of 560	288	rudZqlH.exe	54
PID 288 wrote to memory of 560	288	rudZqlH.exe	54
PID 288 wrote to memory of 560	288	rudZqlH.exe	54
PID 288 wrote to memory of 1752	288	rudZqlH.exe	55
PID 288 wrote to memory of 1752	288	rudZqlH.exe	55

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe
"C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288
- C:\Users\Admin\AppData\Local\Temp\JZJPCuO.exe
  "C:\Users\Admin\AppData\Local\Temp\JZJPCuO.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1072
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1600
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1412
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JZJPCuO.exe" /f /reg:64
    3⤵
    PID:31692
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JZJPCuO.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:31720
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:41136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:41164
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:83752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:83812
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1760
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1160
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1340
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  PID:560
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1752
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe" /f /reg:64
  2⤵
  PID:672
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\rudZqlH.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:1364
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:37872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:38048
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:41180
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:41328
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:83692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:83720
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:83744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:83792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-8-0x00000000027E0000-0x00000000027F1000-memory.dmp

Filesize
68KB

Download
memory/288-20-0x00000000027E0000-0x00000000027F1000-memory.dmp

Filesize
68KB

Download
memory/288-9-0x0000000002BF0000-0x0000000002C01000-memory.dmp

Filesize
68KB

Download
memory/288-38-0x00000000027E0000-0x00000000027F1000-memory.dmp

Filesize
68KB

Download
memory/288-10-0x00000000003A0000-0x00000000003D2000-memory.dmp

Filesize
200KB

Download
memory/288-11-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/288-3-0x0000000076C21000-0x0000000076C23000-memory.dmp

Filesize
8KB

Download
memory/288-2-0x0000000001C70000-0x0000000001C81000-memory.dmp

Filesize
68KB

Download
memory/2040-31-0x0000000002390000-0x00000000023A1000-memory.dmp

Filesize
68KB

Download
memory/2040-30-0x0000000001F80000-0x0000000001F91000-memory.dmp

Filesize
68KB

Download
memory/2040-14-0x0000000001C80000-0x0000000001C91000-memory.dmp

Filesize
68KB

Download