ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
151s
max time network
102s
platform
windows7_x64
resource
win7v20201028
submitted
29-03-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
Size

200KB
MD5

ad3a5956dc4e8fd6a62671a6204d11b9
SHA1

aac34bd5c2f8e63dca20034f24384c2ce1d641b5
SHA256

3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca
SHA512

23edec2ddc72277efca922dc7c66fef2220d0ad3709b277c236bd883214e423143a947ff48ec2a8b57b1835b715a06b39b7d1c2a423e62dc4166ad5097742f13

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'nO49CJnf9vO'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1656	yWYtpLDZgrep.exe
2024	JSgvXAElzlan.exe
976	stEIUmceTlan.exe

Loads dropped DLL 6 IoCs

pid	Process
2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2716	icacls.exe
2728	icacls.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\J:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\T:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\R:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\U:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\N:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\I:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\Y:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\V:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\S:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\Q:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\M:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\G:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\F:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\E:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\X:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\W:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\O:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\L:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\H:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\Z:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened (read-only)	\??\P:	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\PREVIEW.GIF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FINCL_02.MID	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152590.WMF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\RyukReadMe.html	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\RyukReadMe.html	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MSTAG.TLB	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\PREVIEW.GIF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105292.WMF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\RyukReadMe.html	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\RyukReadMe.html	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\RyukReadMe.html	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107364.WMF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\RyukReadMe.html	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\RyukReadMe.html	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Pontianak	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241041.WMF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105230.WMF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Efate	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\PREVIEW.GIF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRID_01.MID	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\RyukReadMe.html	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\THMBNAIL.PNG	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0213243.WMF	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1656	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	29
PID 2028 wrote to memory of 1656	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	29
PID 2028 wrote to memory of 1656	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	29
PID 2028 wrote to memory of 1656	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	29
PID 2028 wrote to memory of 2024	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	30
PID 2028 wrote to memory of 2024	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	30
PID 2028 wrote to memory of 2024	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	30
PID 2028 wrote to memory of 2024	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	30
PID 2028 wrote to memory of 976	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	31
PID 2028 wrote to memory of 976	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	31
PID 2028 wrote to memory of 976	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	31
PID 2028 wrote to memory of 976	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	31
PID 2028 wrote to memory of 2716	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	32
PID 2028 wrote to memory of 2716	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	32
PID 2028 wrote to memory of 2716	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	32
PID 2028 wrote to memory of 2716	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	32
PID 2028 wrote to memory of 2728	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	33
PID 2028 wrote to memory of 2728	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	33
PID 2028 wrote to memory of 2728	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	33
PID 2028 wrote to memory of 2728	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	33
PID 2028 wrote to memory of 3392	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	37
PID 2028 wrote to memory of 3392	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	37
PID 2028 wrote to memory of 3392	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	37
PID 2028 wrote to memory of 3392	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	37
PID 2028 wrote to memory of 3304	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	38
PID 2028 wrote to memory of 3304	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	38
PID 2028 wrote to memory of 3304	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	38
PID 2028 wrote to memory of 3304	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	38
PID 3392 wrote to memory of 3672	3392	net.exe	41
PID 3392 wrote to memory of 3672	3392	net.exe	41
PID 3392 wrote to memory of 3672	3392	net.exe	41
PID 3392 wrote to memory of 3672	3392	net.exe	41
PID 3304 wrote to memory of 2816	3304	net.exe	42
PID 3304 wrote to memory of 2816	3304	net.exe	42
PID 3304 wrote to memory of 2816	3304	net.exe	42
PID 3304 wrote to memory of 2816	3304	net.exe	42
PID 2028 wrote to memory of 3008	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	43
PID 2028 wrote to memory of 3008	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	43
PID 2028 wrote to memory of 3008	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	43
PID 2028 wrote to memory of 3008	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	43
PID 3008 wrote to memory of 3340	3008	net.exe	45
PID 3008 wrote to memory of 3340	3008	net.exe	45
PID 3008 wrote to memory of 3340	3008	net.exe	45
PID 3008 wrote to memory of 3340	3008	net.exe	45
PID 2028 wrote to memory of 3596	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	46
PID 2028 wrote to memory of 3596	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	46
PID 2028 wrote to memory of 3596	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	46
PID 2028 wrote to memory of 3596	2028	3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe	46
PID 3596 wrote to memory of 3608	3596	net.exe	48
PID 3596 wrote to memory of 3608	3596	net.exe	48
PID 3596 wrote to memory of 3608	3596	net.exe	48
PID 3596 wrote to memory of 3608	3596	net.exe	48

C:\Users\Admin\AppData\Local\Temp\3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
"C:\Users\Admin\AppData\Local\Temp\3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\yWYtpLDZgrep.exe
  "C:\Users\Admin\AppData\Local\Temp\yWYtpLDZgrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\JSgvXAElzlan.exe
  "C:\Users\Admin\AppData\Local\Temp\JSgvXAElzlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\stEIUmceTlan.exe
  "C:\Users\Admin\AppData\Local\Temp\stEIUmceTlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2716
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2728
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3672
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2816
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3340
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-27-0x0000000001C40000-0x0000000001C51000-memory.dmp

Filesize
68KB

Download
memory/1656-10-0x0000000001F00000-0x0000000001F11000-memory.dmp

Filesize
68KB

Download
memory/2024-18-0x0000000001E30000-0x0000000001E41000-memory.dmp

Filesize
68KB

Download
memory/2028-3-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/2028-2-0x0000000001CF0000-0x0000000001D01000-memory.dmp

Filesize
68KB

Download
memory/2028-5-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/2028-4-0x0000000035000000-0x0000000035028000-memory.dmp

Filesize
160KB

Download