ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
118s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
29-03-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Size

544KB
MD5

526fa2ecb5f8fee6aec4b5d7713d909a
SHA1

51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a
SHA256

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700
SHA512

f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TyorjXA0'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
4188	fHRutcoQprep.exe
3992	tQpPURvkulan.exe
2108	eAjtbsRcklan.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2152	icacls.exe
4920	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_de_135x40.svg	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLL	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.catalog	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_ja.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp_2x.gif	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_sv.properties	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\main.css	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 4188	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	78
PID 4704 wrote to memory of 4188	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	78
PID 4704 wrote to memory of 4188	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	78
PID 4704 wrote to memory of 3992	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	79
PID 4704 wrote to memory of 3992	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	79
PID 4704 wrote to memory of 3992	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	79
PID 4704 wrote to memory of 2108	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	80
PID 4704 wrote to memory of 2108	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	80
PID 4704 wrote to memory of 2108	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	80
PID 4704 wrote to memory of 2152	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	81
PID 4704 wrote to memory of 2152	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	81
PID 4704 wrote to memory of 2152	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	81
PID 4704 wrote to memory of 4920	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	82
PID 4704 wrote to memory of 4920	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	82
PID 4704 wrote to memory of 4920	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	82
PID 4704 wrote to memory of 3776	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	85
PID 4704 wrote to memory of 4984	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	86
PID 4704 wrote to memory of 3776	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	85
PID 4704 wrote to memory of 4984	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	86
PID 4704 wrote to memory of 3776	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	85
PID 4704 wrote to memory of 4984	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	86
PID 4704 wrote to memory of 480	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	92
PID 4704 wrote to memory of 480	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	92
PID 4704 wrote to memory of 480	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	92
PID 4704 wrote to memory of 3876	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	89
PID 4704 wrote to memory of 3876	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	89
PID 4704 wrote to memory of 3876	4704	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	89
PID 480 wrote to memory of 4340	480	net.exe	96
PID 480 wrote to memory of 4340	480	net.exe	96
PID 480 wrote to memory of 4340	480	net.exe	96
PID 3776 wrote to memory of 4820	3776	net.exe	95
PID 3776 wrote to memory of 4820	3776	net.exe	95
PID 3776 wrote to memory of 4820	3776	net.exe	95
PID 4984 wrote to memory of 4312	4984	net.exe	93
PID 4984 wrote to memory of 4312	4984	net.exe	93
PID 4984 wrote to memory of 4312	4984	net.exe	93
PID 3876 wrote to memory of 3444	3876	net.exe	94
PID 3876 wrote to memory of 3444	3876	net.exe	94
PID 3876 wrote to memory of 3444	3876	net.exe	94

C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
"C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\fHRutcoQprep.exe
  "C:\Users\Admin\AppData\Local\Temp\fHRutcoQprep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Users\Admin\AppData\Local\Temp\tQpPURvkulan.exe
  "C:\Users\Admin\AppData\Local\Temp\tQpPURvkulan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Users\Admin\AppData\Local\Temp\eAjtbsRcklan.exe
  "C:\Users\Admin\AppData\Local\Temp\eAjtbsRcklan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2152
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4920
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4820
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4312
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3444
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4704-3-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/4704-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4704-17-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/4704-18-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download