ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
145s
max time network
105s
platform
windows7_x64
resource
win7v20201028
submitted
29-03-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Size

544KB
MD5

526fa2ecb5f8fee6aec4b5d7713d909a
SHA1

51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a
SHA256

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700
SHA512

f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TyorjXA0'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1240	KxeyqHoQsrep.exe
1356	sfIBponbalan.exe
1596	xdcuKVrqrlan.exe

Loads dropped DLL 3 IoCs

pid	Process
1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2676	icacls.exe
2664	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\THMBNAIL.PNG	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\COPYRIGHT	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cancun	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.INF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06102_.WMF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.ELM	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\AFTRNOON.ELM	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Srednekolymsk	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\sqlxmlx.rll	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\jsprofilerui.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105240.WMF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.CFG	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee100.tlb	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00687_.WMF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1240	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	29
PID 1684 wrote to memory of 1240	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	29
PID 1684 wrote to memory of 1240	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	29
PID 1684 wrote to memory of 1240	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	29
PID 1684 wrote to memory of 1356	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 1684 wrote to memory of 1356	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 1684 wrote to memory of 1356	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 1684 wrote to memory of 1356	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 1684 wrote to memory of 1596	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 1684 wrote to memory of 1596	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 1684 wrote to memory of 1596	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 1684 wrote to memory of 1596	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 1684 wrote to memory of 2664	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 1684 wrote to memory of 2664	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 1684 wrote to memory of 2664	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 1684 wrote to memory of 2664	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 1684 wrote to memory of 2676	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	33
PID 1684 wrote to memory of 2676	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	33
PID 1684 wrote to memory of 2676	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	33
PID 1684 wrote to memory of 2676	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	33
PID 1684 wrote to memory of 3960	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	36
PID 1684 wrote to memory of 3960	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	36
PID 1684 wrote to memory of 3960	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	36
PID 1684 wrote to memory of 3960	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	36
PID 3960 wrote to memory of 2984	3960	net.exe	38
PID 3960 wrote to memory of 2984	3960	net.exe	38
PID 3960 wrote to memory of 2984	3960	net.exe	38
PID 3960 wrote to memory of 2984	3960	net.exe	38
PID 1684 wrote to memory of 2852	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	39
PID 1684 wrote to memory of 2852	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	39
PID 1684 wrote to memory of 2852	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	39
PID 1684 wrote to memory of 2852	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	39
PID 2852 wrote to memory of 1692	2852	net.exe	41
PID 2852 wrote to memory of 1692	2852	net.exe	41
PID 2852 wrote to memory of 1692	2852	net.exe	41
PID 2852 wrote to memory of 1692	2852	net.exe	41
PID 1684 wrote to memory of 2708	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	42
PID 1684 wrote to memory of 2708	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	42
PID 1684 wrote to memory of 2708	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	42
PID 1684 wrote to memory of 2708	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	42
PID 2708 wrote to memory of 3848	2708	net.exe	45
PID 2708 wrote to memory of 3848	2708	net.exe	45
PID 2708 wrote to memory of 3848	2708	net.exe	45
PID 2708 wrote to memory of 3848	2708	net.exe	45
PID 1684 wrote to memory of 3764	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	44
PID 1684 wrote to memory of 3764	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	44
PID 1684 wrote to memory of 3764	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	44
PID 1684 wrote to memory of 3764	1684	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	44
PID 3764 wrote to memory of 3932	3764	net.exe	47
PID 3764 wrote to memory of 3932	3764	net.exe	47
PID 3764 wrote to memory of 3932	3764	net.exe	47
PID 3764 wrote to memory of 3932	3764	net.exe	47

C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
"C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\KxeyqHoQsrep.exe
  "C:\Users\Admin\AppData\Local\Temp\KxeyqHoQsrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Users\Admin\AppData\Local\Temp\sfIBponbalan.exe
  "C:\Users\Admin\AppData\Local\Temp\sfIBponbalan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Users\Admin\AppData\Local\Temp\xdcuKVrqrlan.exe
  "C:\Users\Admin\AppData\Local\Temp\xdcuKVrqrlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2664
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2676
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2984
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1692
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3848
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1684-3-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/1684-4-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1684-16-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download