Analysis
- max time kernel: 301s
- max time network: 75s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 22/04/2021, 09:34

Static task: static1
Behavioral task: behavioral1
- Sample: parsimonious-stage.exe
- Resource: win7v20210408

General
- Target: parsimonious-stage.exe
- Size: 123KB
- MD5: bbcc8fa58b88f33072443389a790295a
- SHA1: 8d72096b46e5fcf5489826e510ffc19aa2007aaa
- SHA256: 97fc2de5893ec046b4c12520a7fca2afe25254f0959dcd39796da90336f3c1ad
- SHA512: cd9ac7f25517fd5d96d84e37087d198aeb02dd32ff7034349c65c91ec9c01693f7ed23b141829d1f5846814d9618c82fae5fd0fe8ed82476d618b04acf79a296

Malware Config
Extracted
- Path: C:\users\Public\RyukReadMe.html
- Family: ryuk
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Executes dropped EXE (3 IoCs)
  pid   Process
  568   iEYVwulLNrep.exe
  1644  vckEeIVRplan.exe
  2624  KhParraPAlan.exe
- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description                   ioc                                             Process
  File opened for modification  C:\Users\Admin\Pictures\RegisterRead.png.RYK    parsimonious-stage.exe
  File opened for modification  C:\Users\Admin\Pictures\MountSwitch.raw.RYK     parsimonious-stage.exe
  File opened for modification  C:\Users\Admin\Pictures\PushRedo.png.RYK        parsimonious-stage.exe
  File opened for modification  C:\Users\Admin\Pictures\ResizeComplete.crw.RYK  parsimonious-stage.exe
  File opened for modification  C:\Users\Admin\Pictures\UninstallBlock.crw.RYK  parsimonious-stage.exe
- Loads dropped DLL (16 IoCs)
  pid   Process                 entries
  1832  parsimonious-stage.exe  6
  2892  MsiExec.exe             7
  2964  msiexec.exe             2
  4140  MsiExec.exe             1
- Modifies file permissions (1 TTP, 2 IoCs)
  pid   Process
  2696  icacls.exe
  2708  icacls.exe
- Drops desktop.ini file(s) (1 IoC)
  description                   ioc                                                                             Process
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI  parsimonious-stage.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 24 entries: description "File opened (read-only)", Process msiexec.exe; ioc (in report order):
  \??\N:  \??\P:  \??\Q:  \??\Z:  \??\J:  \??\K:  \??\V:  \??\W:  \??\R:  \??\S:  \??\Y:  \??\B:
  \??\I:  \??\M:  \??\O:  \??\H:  \??\L:  \??\T:  \??\U:  \??\A:  \??\E:  \??\F:  \??\G:  \??\X:
- Drops file in Program Files directory (64 IoCs)
  All 64 entries: description "File opened for modification", Process parsimonious-stage.exe; ioc (in report order):
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties.RYK
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEOLEDB.DLL.RYK
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif
  C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21306_.GIF
  C:\Program Files\7-Zip\Lang\ne.txt.RYK
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia.RYK
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg.RYK
  C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo
  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe.config
  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299125.WMF
  C:\Program Files\Java\jre7\lib\zi\America\Creston.RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02270_.WMF.RYK
  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML.RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18217_.WMF
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215710.WMF.RYK
  C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar.RYK
  C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui
  C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf.RYK
  C:\Program Files\7-Zip\Lang\da.txt
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG
  C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.RYK
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME41.CSS.RYK
  C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok
  C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXT
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR19F.GIF
  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML
  C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPEQU532.DLL
  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.XML
  C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART5.BDR.RYK
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\RyukReadMe.html
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_ON.GIF
  C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14515_.GIF
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\RyukReadMe.html
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG.RYK
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml
  C:\Program Files\Java\jre7\lib\ext\RyukReadMe.html
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.ICO
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg.RYK
  C:\Program Files\Internet Explorer\SIGNUP\install.ins
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21311_.GIF
  C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.HXS
  C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\RyukReadMe.html
  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip.RYK
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye.RYK
  C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL.RYK
  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Generic.gif.RYK
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\SETUP.XML.RYK
  C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT.RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RECYCLE.WMF.RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00913_.WMF
  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212661.WMF
  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM.RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00546_.WMF.RYK
- Drops file in Windows directory (14 IoCs)
  All 14 entries: Process msiexec.exe.
  description                   ioc
  File created                  C:\Windows\Installer\f76053e.mst
  File opened for modification  C:\Windows\Installer\f76053e.mst
  File opened for modification  C:\Windows\Installer\
  File opened for modification  C:\Windows\Installer\MSI167F.tmp
  File opened for modification  C:\Windows\Installer\MSI257F.tmp
  File opened for modification  C:\Windows\Installer\MSIC50.tmp
  File opened for modification  C:\Windows\Installer\MSI12F5.tmp
  File created                  C:\Windows\Installer\f760540.ipi
  File opened for modification  C:\Windows\Installer\MSI2744.tmp
  File opened for modification  C:\Windows\Installer\MSI282F.tmp
  File opened for modification  C:\Windows\Installer\f760540.ipi
  File opened for modification  C:\Windows\Installer\MSI1E0F.tmp
  File opened for modification  C:\Windows\Installer\MSI28EB.tmp
  File opened for modification  C:\Windows\Installer\MSI2C46.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  6828  SCHTASKS.exe
- Modifies data under HKEY_USERS (3 IoCs)
  All 3 entries: Process msiexec.exe.
  description  ioc
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26
- Modifies registry class (20 IoCs)
  All 20 entries: Process msiexec.exe.
  description      ioc
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon
  Key created      \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open
  Key created      \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command\ = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb edit \"%1\""
  Key created      \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit
  Key created      \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb open \"%1\""
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "\"%1\""
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit
  Key created      \REGISTRY\MACHINE\Software\Classes\xmlfile\ShellEx\IconHandler
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler\ = "{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}"
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command
  Key created      \REGISTRY\MACHINE\Software\Classes\xmlfile\DefaultIcon
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process                 entries
  1832  parsimonious-stage.exe  6
  2964  msiexec.exe             3
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  All 43 entries: pid 2964, Process msiexec.exe. description: Token: SeRestorePrivilege and Token: SeTakeOwnershipPrivilege, adjusted repeatedly in alternation, plus Token: SeSecurityPrivilege (once, as the third entry).
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each entry's description reads "PID <pid> wrote to memory of <target pid>"; identical entries are grouped with their count.
  pid   Process                 target pid  procid_target  entries
  1832  parsimonious-stage.exe  568         29             4
  1832  parsimonious-stage.exe  1644        30             4
  1832  parsimonious-stage.exe  2624        31             4
  1832  parsimonious-stage.exe  2696        32             4
  1832  parsimonious-stage.exe  2708        33             4
  1832  parsimonious-stage.exe  3280        36             4
  1832  parsimonious-stage.exe  3320        39             4
  3280  net.exe                 3328        38             4
  1832  parsimonious-stage.exe  3396        41             4
  3320  net.exe                 3792        43             4
  3396  net.exe                 3824        44             4
  1832  parsimonious-stage.exe  3232        45             4
  3232  net.exe                 1056        47             4
  2964  msiexec.exe             2892        50             7
  2964  msiexec.exe             4140        51             5
Processes
- C:\Users\Admin\AppData\Local\Temp\parsimonious-stage.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\parsimonious-stage.exe"
  PID: 1832
  Signatures: Modifies extensions of user files; Loads dropped DLL; Drops desktop.ini file(s); Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\iEYVwulLNrep.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\iEYVwulLNrep.exe" 9 REP
    PID: 568
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\vckEeIVRplan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vckEeIVRplan.exe" 8 LAN
    PID: 1644
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\KhParraPAlan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\KhParraPAlan.exe" 8 LAN
    PID: 2624
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    PID: 2696
    Signatures: Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    PID: 2708
    Signatures: Modifies file permissions
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID: 3280
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      PID: 3328
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 3320
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 3792
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID: 3396
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      PID: 3824
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 3232
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 1056
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 6752
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 7548
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 7668
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 7872
  - C:\Windows\SysWOW64\SCHTASKS.exe
    Command line: SCHTASKS /CREATE /NP /SC DAILY /TN "PrintRS" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\KXV6V.dll" /ST 10:25 /SD 04/23/2021 /ED 04/30/2021
    PID: 6828
    Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 8848
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 8876
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 8892
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 8920
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2964
  Signatures: Loads dropped DLL; Enumerates connected drives; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1CA015DDFC20D953F37DB6D076A7B246
    PID: 2892
    Signatures: Loads dropped DLL
  - C:\Windows\system32\MsiExec.exe
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 5D0E4D66F952E1864E858500339D17AD
    PID: 4140
    Signatures: Loads dropped DLL