ryuk | 8b94e0c9693aa1bd89eb828a8b61fdf8ca2398b8e92dcf91d509cdb888285223

Analysis

max time kernel
147s
max time network
111s
platform
windows10_x64
resource
win10v20201028
submitted
29/03/2021, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
Size

468KB
MD5

9296a9b81bfe119bd786a6f5a8ad43ad
SHA1

581cf7c453358cd94ceed70088470c32a7307c8e
SHA256

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591
SHA512

64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'J5U8YdUCr'; $torlink = 'http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
3836	YOQPLLlEcrep.exe
1584	mHniydKdWlan.exe
2720	HgIgzeloLlan.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4540	icacls.exe
4552	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\powerpnt.exe.manifest	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyFolder_160.svg	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\svgCheckboxUnselected.svg	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon.png	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\trdtv2r41.xsl	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\simplexml.luac	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_cancel_18.svg	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\wordEtw.man	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-4x.png	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-text.jar	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.INF	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fi-fi\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\RyukReadMe.html	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\ui-strings.js	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3836	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	78
PID 880 wrote to memory of 3836	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	78
PID 880 wrote to memory of 3836	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	78
PID 880 wrote to memory of 1584	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	80
PID 880 wrote to memory of 1584	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	80
PID 880 wrote to memory of 1584	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	80
PID 880 wrote to memory of 2720	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	81
PID 880 wrote to memory of 2720	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	81
PID 880 wrote to memory of 2720	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	81
PID 880 wrote to memory of 4540	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	82
PID 880 wrote to memory of 4540	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	82
PID 880 wrote to memory of 4540	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	82
PID 880 wrote to memory of 4552	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	83
PID 880 wrote to memory of 4552	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	83
PID 880 wrote to memory of 4552	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	83
PID 880 wrote to memory of 5108	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	86
PID 880 wrote to memory of 5108	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	86
PID 880 wrote to memory of 5108	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	86
PID 880 wrote to memory of 4712	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	87
PID 880 wrote to memory of 4712	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	87
PID 880 wrote to memory of 4712	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	87
PID 880 wrote to memory of 4060	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	90
PID 880 wrote to memory of 4060	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	90
PID 880 wrote to memory of 4060	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	90
PID 880 wrote to memory of 2416	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	92
PID 880 wrote to memory of 2416	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	92
PID 880 wrote to memory of 2416	880	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	92
PID 4712 wrote to memory of 5016	4712	net.exe	94
PID 4712 wrote to memory of 5016	4712	net.exe	94
PID 4712 wrote to memory of 5016	4712	net.exe	94
PID 4060 wrote to memory of 4972	4060	net.exe	96
PID 4060 wrote to memory of 4972	4060	net.exe	96
PID 4060 wrote to memory of 4972	4060	net.exe	96
PID 5108 wrote to memory of 4724	5108	net.exe	95
PID 5108 wrote to memory of 4724	5108	net.exe	95
PID 5108 wrote to memory of 4724	5108	net.exe	95
PID 2416 wrote to memory of 4648	2416	net.exe	97
PID 2416 wrote to memory of 4648	2416	net.exe	97
PID 2416 wrote to memory of 4648	2416	net.exe	97

C:\Users\Admin\AppData\Local\Temp\0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
"C:\Users\Admin\AppData\Local\Temp\0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\YOQPLLlEcrep.exe
  "C:\Users\Admin\AppData\Local\Temp\YOQPLLlEcrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Users\Admin\AppData\Local\Temp\mHniydKdWlan.exe
  "C:\Users\Admin\AppData\Local\Temp\mHniydKdWlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\HgIgzeloLlan.exe
  "C:\Users\Admin\AppData\Local\Temp\HgIgzeloLlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4540
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4552
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4724
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5016
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4972
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/880-20-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/880-3-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/880-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/880-21-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download