ryuk | 6d2518918e5c6e5738338e1acebbdac572308585f39a3c61f82825c539e9c5e2

Analysis

max time kernel
145s
max time network
152s
platform
windows10_x64
resource
win10v20201028
submitted
30-03-2021 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Size

119KB
MD5

c68395e474088d5339972e2bf5a30f3c
SHA1

502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA256

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA512

5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
2160	OPGpaUFrurep.exe
560	LgaTTgoCklan.exe
4812	DyPYEqIQClan.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3788	icacls.exe
3624	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunpkcs11.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-gb\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_unselected_18.svg	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO99LRES.DLL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hu-hu\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-BOLD.TTF	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main-selector.css	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\ui-strings.js	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-text.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2160	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	78
PID 4764 wrote to memory of 2160	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	78
PID 4764 wrote to memory of 2160	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	78
PID 4764 wrote to memory of 560	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	79
PID 4764 wrote to memory of 560	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	79
PID 4764 wrote to memory of 560	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	79
PID 4764 wrote to memory of 4812	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	80
PID 4764 wrote to memory of 4812	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	80
PID 4764 wrote to memory of 4812	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	80
PID 4764 wrote to memory of 3788	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	81
PID 4764 wrote to memory of 3788	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	81
PID 4764 wrote to memory of 3788	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	81
PID 4764 wrote to memory of 3624	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	82
PID 4764 wrote to memory of 3624	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	82
PID 4764 wrote to memory of 3624	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	82
PID 4764 wrote to memory of 4788	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	85
PID 4764 wrote to memory of 4788	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	85
PID 4764 wrote to memory of 4788	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	85
PID 4764 wrote to memory of 4924	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	88
PID 4764 wrote to memory of 4924	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	88
PID 4764 wrote to memory of 4924	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	88
PID 4764 wrote to memory of 4856	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	87
PID 4764 wrote to memory of 4856	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	87
PID 4764 wrote to memory of 4856	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	87
PID 4764 wrote to memory of 5024	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	91
PID 4764 wrote to memory of 5024	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	91
PID 4764 wrote to memory of 5024	4764	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	91
PID 5024 wrote to memory of 5036	5024	net.exe	96
PID 5024 wrote to memory of 5036	5024	net.exe	96
PID 5024 wrote to memory of 5036	5024	net.exe	96
PID 4788 wrote to memory of 2416	4788	net.exe	95
PID 4788 wrote to memory of 2416	4788	net.exe	95
PID 4788 wrote to memory of 2416	4788	net.exe	95
PID 4924 wrote to memory of 4248	4924	net.exe	93
PID 4856 wrote to memory of 3816	4856	net.exe	94
PID 4924 wrote to memory of 4248	4924	net.exe	93
PID 4856 wrote to memory of 3816	4856	net.exe	94
PID 4924 wrote to memory of 4248	4924	net.exe	93
PID 4856 wrote to memory of 3816	4856	net.exe	94

C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
"C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\OPGpaUFrurep.exe
  "C:\Users\Admin\AppData\Local\Temp\OPGpaUFrurep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Users\Admin\AppData\Local\Temp\LgaTTgoCklan.exe
  "C:\Users\Admin\AppData\Local\Temp\LgaTTgoCklan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Users\Admin\AppData\Local\Temp\DyPYEqIQClan.exe
  "C:\Users\Admin\AppData\Local\Temp\DyPYEqIQClan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3788
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3624
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2416
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3816
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4248
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4764-13-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/4764-12-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download