ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
152s
max time network
96s
platform
windows7_x64
resource
win7v20201028
submitted
29-03-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
Size

124KB
MD5

b16db2ad22dfe39c289f9ebd9ef4c493
SHA1

23ccb60927905eb9be2a9ee4230ebac0836b611c
SHA256

0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892
SHA512

5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'CRAny5Nq'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1724	ezKOrmiEirep.exe
1676	FNtSvwiqNlan.exe
2580	NmIiZIXsAlan.exe

Loads dropped DLL 6 IoCs

pid	Process
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2656	icacls.exe
2668	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-lib-uihandler.xml_hidden	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Bissau	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00853_.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.ELM	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105530.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00459_.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\cacerts	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.ELM	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152876.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\ResumeRequest.tif	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00105_.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcor.dll.mui	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00273_.WMF	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Martinique	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jre7\lib\resources.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\RyukReadMe.html	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1724	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	29
PID 1852 wrote to memory of 1724	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	29
PID 1852 wrote to memory of 1724	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	29
PID 1852 wrote to memory of 1724	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	29
PID 1852 wrote to memory of 1676	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	30
PID 1852 wrote to memory of 1676	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	30
PID 1852 wrote to memory of 1676	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	30
PID 1852 wrote to memory of 1676	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	30
PID 1852 wrote to memory of 2580	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	31
PID 1852 wrote to memory of 2580	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	31
PID 1852 wrote to memory of 2580	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	31
PID 1852 wrote to memory of 2580	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	31
PID 1852 wrote to memory of 2656	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	32
PID 1852 wrote to memory of 2656	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	32
PID 1852 wrote to memory of 2656	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	32
PID 1852 wrote to memory of 2656	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	32
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	33
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	33
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	33
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	33
PID 1852 wrote to memory of 1928	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	36
PID 1852 wrote to memory of 1928	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	36
PID 1852 wrote to memory of 1928	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	36
PID 1852 wrote to memory of 1928	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	36
PID 1852 wrote to memory of 1108	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	37
PID 1852 wrote to memory of 1108	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	37
PID 1852 wrote to memory of 1108	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	37
PID 1852 wrote to memory of 1108	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	37
PID 1108 wrote to memory of 3044	1108	net.exe	40
PID 1108 wrote to memory of 3044	1108	net.exe	40
PID 1108 wrote to memory of 3044	1108	net.exe	40
PID 1108 wrote to memory of 3044	1108	net.exe	40
PID 1928 wrote to memory of 2984	1928	net.exe	41
PID 1928 wrote to memory of 2984	1928	net.exe	41
PID 1928 wrote to memory of 2984	1928	net.exe	41
PID 1928 wrote to memory of 2984	1928	net.exe	41
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	42
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	42
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	42
PID 1852 wrote to memory of 2668	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	42
PID 1852 wrote to memory of 2764	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	43
PID 1852 wrote to memory of 2764	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	43
PID 1852 wrote to memory of 2764	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	43
PID 1852 wrote to memory of 2764	1852	0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe	43
PID 2668 wrote to memory of 2804	2668	net.exe	46
PID 2668 wrote to memory of 2804	2668	net.exe	46
PID 2668 wrote to memory of 2804	2668	net.exe	46
PID 2668 wrote to memory of 2804	2668	net.exe	46
PID 2764 wrote to memory of 2968	2764	net.exe	47
PID 2764 wrote to memory of 2968	2764	net.exe	47
PID 2764 wrote to memory of 2968	2764	net.exe	47
PID 2764 wrote to memory of 2968	2764	net.exe	47

C:\Users\Admin\AppData\Local\Temp\0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
"C:\Users\Admin\AppData\Local\Temp\0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\ezKOrmiEirep.exe
  "C:\Users\Admin\AppData\Local\Temp\ezKOrmiEirep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\FNtSvwiqNlan.exe
  "C:\Users\Admin\AppData\Local\Temp\FNtSvwiqNlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Users\Admin\AppData\Local\Temp\NmIiZIXsAlan.exe
  "C:\Users\Admin\AppData\Local\Temp\NmIiZIXsAlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2656
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2668
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2984
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3044
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2804
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1852-2-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download