ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
150s
max time network
106s
platform
windows7_x64
resource
win7v20201028
submitted
29/03/2021, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
Size

121KB
MD5

7364f6222ac58896e8920f32e4d30aac
SHA1

915fd6fb4e20909025f876f3bb453ec52e21b7be
SHA256

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f
SHA512

f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'RCCF8gd'; $torlink = 'http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
896	GmrJSbwEyrep.exe
1592	rCOwRUKMflan.exe
752	uvNCLEXMelan.exe

Loads dropped DLL 6 IoCs

pid	Process
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2640	icacls.exe
2628	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04196_.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\winamp2.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUOPTIN.DLL	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\REFINED.ELM	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Volgograd	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\adovbs.inc	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\dnsns.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSSOAP30.DLL	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00527_.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02298_.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfontj2d.properties	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 896	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	29
PID 1108 wrote to memory of 896	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	29
PID 1108 wrote to memory of 896	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	29
PID 1108 wrote to memory of 896	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	29
PID 1108 wrote to memory of 1592	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	30
PID 1108 wrote to memory of 1592	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	30
PID 1108 wrote to memory of 1592	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	30
PID 1108 wrote to memory of 1592	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	30
PID 1108 wrote to memory of 752	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	31
PID 1108 wrote to memory of 752	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	31
PID 1108 wrote to memory of 752	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	31
PID 1108 wrote to memory of 752	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	31
PID 1108 wrote to memory of 2628	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	32
PID 1108 wrote to memory of 2628	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	32
PID 1108 wrote to memory of 2628	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	32
PID 1108 wrote to memory of 2628	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	32
PID 1108 wrote to memory of 2640	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	33
PID 1108 wrote to memory of 2640	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	33
PID 1108 wrote to memory of 2640	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	33
PID 1108 wrote to memory of 2640	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	33
PID 1108 wrote to memory of 3144	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	37
PID 1108 wrote to memory of 3144	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	37
PID 1108 wrote to memory of 3144	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	37
PID 1108 wrote to memory of 3144	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	37
PID 3144 wrote to memory of 2872	3144	net.exe	41
PID 3144 wrote to memory of 2872	3144	net.exe	41
PID 3144 wrote to memory of 2872	3144	net.exe	41
PID 3144 wrote to memory of 2872	3144	net.exe	41
PID 1108 wrote to memory of 2816	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	39
PID 1108 wrote to memory of 2816	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	39
PID 1108 wrote to memory of 2816	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	39
PID 1108 wrote to memory of 2816	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	39
PID 2816 wrote to memory of 3452	2816	net.exe	42
PID 2816 wrote to memory of 3452	2816	net.exe	42
PID 2816 wrote to memory of 3452	2816	net.exe	42
PID 2816 wrote to memory of 3452	2816	net.exe	42
PID 1108 wrote to memory of 3956	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	43
PID 1108 wrote to memory of 3956	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	43
PID 1108 wrote to memory of 3956	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	43
PID 1108 wrote to memory of 3956	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	43
PID 3956 wrote to memory of 3896	3956	net.exe	45
PID 3956 wrote to memory of 3896	3956	net.exe	45
PID 3956 wrote to memory of 3896	3956	net.exe	45
PID 3956 wrote to memory of 3896	3956	net.exe	45
PID 1108 wrote to memory of 3972	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	46
PID 1108 wrote to memory of 3972	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	46
PID 1108 wrote to memory of 3972	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	46
PID 1108 wrote to memory of 3972	1108	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	46
PID 3972 wrote to memory of 3704	3972	net.exe	48
PID 3972 wrote to memory of 3704	3972	net.exe	48
PID 3972 wrote to memory of 3704	3972	net.exe	48
PID 3972 wrote to memory of 3704	3972	net.exe	48

C:\Users\Admin\AppData\Local\Temp\23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
"C:\Users\Admin\AppData\Local\Temp\23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\GmrJSbwEyrep.exe
  "C:\Users\Admin\AppData\Local\Temp\GmrJSbwEyrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Users\Admin\AppData\Local\Temp\rCOwRUKMflan.exe
  "C:\Users\Admin\AppData\Local\Temp\rCOwRUKMflan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Users\Admin\AppData\Local\Temp\uvNCLEXMelan.exe
  "C:\Users\Admin\AppData\Local\Temp\uvNCLEXMelan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2628
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2640
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3452
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3896
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-2-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download