ryuk | 2b23e704cfd8d62a359ef0325bfd4aaef5249cf6567ab8eceb88395978e3291a

Analysis

max time kernel
150s
max time network
86s
platform
windows7_x64
resource
win7v20201028
submitted
30-03-2021 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
Size

836KB
MD5

c5cd1f0fe551a0ce5678a7c9d86e6450
SHA1

f584c89c1539520f280efd9bcd4cb3da37588979
SHA256

e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894
SHA512

40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'DQlMnNo'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

dave

resource	yara_rule
behavioral1/memory/1576-5-0x00000000002D0000-0x00000000002F1000-memory.dmp	dave

Executes dropped EXE 3 IoCs

pid	Process
1344	EZHzUZtjrrep.exe
1584	jktuzTIDXlan.exe
2636	whoSOqeoulan.exe

Loads dropped DLL 6 IoCs

pid	Process
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2728	icacls.exe
2716	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Main.gif	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADVTEL.DIC	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server-15.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00723_.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152622.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Inuvik	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105600.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXT	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222015.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow.css	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105490.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR34F.GIF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\CHICAGO.XSL	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.HXS	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR11F.GIF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLNOTE.FAE	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14757_.GIF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00914_.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00544_.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFTMPL.CFG	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\STOCKS.DAT	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_OliveGreen.gif	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Catamarca	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\RyukReadMe.html	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\jsdbgui.dll.mui	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00985_.WMF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACTL.ICO	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR18F.GIF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\TAB_OFF.GIF	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
1344	EZHzUZtjrrep.exe
1344	EZHzUZtjrrep.exe
1584	jktuzTIDXlan.exe
1584	jktuzTIDXlan.exe
2636	whoSOqeoulan.exe
2636	whoSOqeoulan.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 1344	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	29
PID 1576 wrote to memory of 1344	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	29
PID 1576 wrote to memory of 1344	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	29
PID 1576 wrote to memory of 1344	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	29
PID 1576 wrote to memory of 1584	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	30
PID 1576 wrote to memory of 1584	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	30
PID 1576 wrote to memory of 1584	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	30
PID 1576 wrote to memory of 1584	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	30
PID 1576 wrote to memory of 2636	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	31
PID 1576 wrote to memory of 2636	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	31
PID 1576 wrote to memory of 2636	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	31
PID 1576 wrote to memory of 2636	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	31
PID 1576 wrote to memory of 2716	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	32
PID 1576 wrote to memory of 2716	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	32
PID 1576 wrote to memory of 2716	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	32
PID 1576 wrote to memory of 2716	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	32
PID 1576 wrote to memory of 2728	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	33
PID 1576 wrote to memory of 2728	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	33
PID 1576 wrote to memory of 2728	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	33
PID 1576 wrote to memory of 2728	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	33
PID 1576 wrote to memory of 3364	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	37
PID 1576 wrote to memory of 3364	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	37
PID 1576 wrote to memory of 3364	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	37
PID 1576 wrote to memory of 3364	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	37
PID 3364 wrote to memory of 3400	3364	net.exe	41
PID 3364 wrote to memory of 3400	3364	net.exe	41
PID 3364 wrote to memory of 3400	3364	net.exe	41
PID 3364 wrote to memory of 3400	3364	net.exe	41
PID 1576 wrote to memory of 3412	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	40
PID 1576 wrote to memory of 3412	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	40
PID 1576 wrote to memory of 3412	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	40
PID 1576 wrote to memory of 3412	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	40
PID 1576 wrote to memory of 3424	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	39
PID 1576 wrote to memory of 3424	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	39
PID 1576 wrote to memory of 3424	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	39
PID 1576 wrote to memory of 3424	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	39
PID 1576 wrote to memory of 3496	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	42
PID 1576 wrote to memory of 3496	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	42
PID 1576 wrote to memory of 3496	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	42
PID 1576 wrote to memory of 3496	1576	e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe	42
PID 3424 wrote to memory of 3508	3424	net.exe	47
PID 3424 wrote to memory of 3508	3424	net.exe	47
PID 3424 wrote to memory of 3508	3424	net.exe	47
PID 3424 wrote to memory of 3508	3424	net.exe	47
PID 3412 wrote to memory of 3528	3412	net.exe	46
PID 3412 wrote to memory of 3528	3412	net.exe	46
PID 3412 wrote to memory of 3528	3412	net.exe	46
PID 3412 wrote to memory of 3528	3412	net.exe	46
PID 3496 wrote to memory of 3564	3496	net.exe	45
PID 3496 wrote to memory of 3564	3496	net.exe	45
PID 3496 wrote to memory of 3564	3496	net.exe	45
PID 3496 wrote to memory of 3564	3496	net.exe	45

C:\Users\Admin\AppData\Local\Temp\e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
"C:\Users\Admin\AppData\Local\Temp\e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\EZHzUZtjrrep.exe
  "C:\Users\Admin\AppData\Local\Temp\EZHzUZtjrrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1344
- C:\Users\Admin\AppData\Local\Temp\jktuzTIDXlan.exe
  "C:\Users\Admin\AppData\Local\Temp\jktuzTIDXlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\whoSOqeoulan.exe
  "C:\Users\Admin\AppData\Local\Temp\whoSOqeoulan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2636
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2716
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2728
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3400
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3508
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3528
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1344-12-0x0000000000680000-0x00000000006A4000-memory.dmp

Filesize
144KB

Download
memory/1576-4-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1576-3-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/1576-2-0x0000000075A41000-0x0000000075A43000-memory.dmp

Filesize
8KB

Download
memory/1576-5-0x00000000002D0000-0x00000000002F1000-memory.dmp

Filesize
132KB

Download
memory/1584-21-0x0000000002050000-0x0000000002074000-memory.dmp

Filesize
144KB

Download
memory/2636-30-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download