Analysis
max time kernel: 144s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 30-03-2021 09:35
Static task: static1
Behavioral task: behavioral1
  Sample: e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
  Resource: win10v20201028
General
Target: e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
Size: 836KB
MD5: c5cd1f0fe551a0ce5678a7c9d86e6450
SHA1: f584c89c1539520f280efd9bcd4cb3da37588979
SHA256: e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894
SHA512: 40f9578b711e41cd166b24b8aa0bfb6dee01a8e4a46eb54591e61d97cfc5a83dc58fb4256dc05f756274cda65ad5d680f9e370ad0c825861fd7080e5da5fd2e4
Malware Config
Extracted
Path: C:\users\Public\RyukReadMe.html
Family: ryuk
URL: http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion
Signatures
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Dave packer 1 IoCs
Detects an executable packed with the community-named 'Dave' packer, identified by a string at the end of the file.
resource: behavioral2/memory/496-4-0x00000000022D0000-0x00000000022F1000-memory.dmp  yara_rule: dave
Executes dropped EXE 3 IoCs
pid 2384  jPKOSSRMprep.exe
pid 2620  FfSjcDQAYlan.exe
pid 4476  feYuzNglflan.exe
Modifies file permissions 1 TTPs 2 IoCs
pid 4552  icacls.exe
pid 4564  icacls.exe
Drops desktop.ini file(s) 1 IoCs
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI  (process: e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe)
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid 496  e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
pid 496  e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
pid 496  e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
pid 496  e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
Suspicious use of SetWindowsHookEx 8 IoCs
pid 496   e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
pid 496   e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
pid 2384  jPKOSSRMprep.exe
pid 2384  jPKOSSRMprep.exe
pid 2620  FfSjcDQAYlan.exe
pid 2620  FfSjcDQAYlan.exe
pid 4476  feYuzNglflan.exe
pid 4476  feYuzNglflan.exe
Suspicious use of WriteProcessMemory 39 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894.exe"
  PID: 496
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\jPKOSSRMprep.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\jPKOSSRMprep.exe" 9 REP
    PID: 2384
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\FfSjcDQAYlan.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\FfSjcDQAYlan.exe" 8 LAN
    PID: 2620
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\feYuzNglflan.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\feYuzNglflan.exe" 8 LAN
    PID: 4476
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\icacls.exe
    command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    PID: 4552
    - Modifies file permissions
  C:\Windows\SysWOW64\icacls.exe
    command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    PID: 4564
    - Modifies file permissions
  C:\Windows\SysWOW64\net.exe
    command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID: 5096
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      PID: 4824
  C:\Windows\SysWOW64\net.exe
    command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID: 4608
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      PID: 4644
  C:\Windows\SysWOW64\net.exe
    command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 1064
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 4956
  C:\Windows\SysWOW64\net.exe
    command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 2480
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 5060