Analysis (score 10)
- max time kernel: 203s
- max time network: 299s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 23-04-2021 11:24
Tasks
- Static task static1
- Behavioral task behavioral1: sample f937b1b7b3593a38702f870077658a891974edda.exe, resource win7v20210410
- Behavioral task behavioral2: sample f2e040d2c5fea1fb5e9797f7deff0a63.exe, resource win7v20210410
- Behavioral task behavioral3: sample ea67e662ba55629b40d0eddbaaafc824e5809f31c9e35222104637a67615c51d.exe, resource win7v20210408
- Behavioral task behavioral4: sample e430730620feec3673b9c38d87482c9294421b19.exe, resource win7v20210410
- Behavioral task behavioral5: sample de2b5aa6de6f7ff053308084217f7a9b977489027fb103729d6a7d94298c6a6b.exe, resource win7v20210410
- Behavioral task behavioral6: sample c4bd712a7f7185a2224806b85f3c6ac48de067e38d554608b3ee92422d902b28.exe, resource win7v20210408
- Behavioral task behavioral7: sample b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe, resource win7v20210410
- Behavioral task behavioral8: sample ac94165d63c75f4adf1728aa2ecb776ac7c1c18e.exe, resource win7v20210408
- Behavioral task behavioral9: sample aaf3abc4054f800aaa429c4f2e4b20af.exe, resource win7v20210410
- Behavioral task behavioral10: sample aaec6ae400b38b95ae414481d8d45f0281cf26f59f8592567dfe2223f66024ad.exe, resource win7v20210408
- Behavioral task behavioral11: sample 9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe, resource win7v20210410
- Behavioral task behavioral12: sample 8879a8d1508c3297200c608f3a93da5387521767c050f17aed78dde8a0cbfe12.exe, resource win7v20210410
- Behavioral task behavioral13: sample 7dee29fbeb5af549cb8a68dc47adf9721eb2b726.exe, resource win7v20210408
- Behavioral task behavioral14: sample 75a3cf8ced873ee7bc415e27e108496b.exe, resource win7v20210410
- Behavioral task behavioral15: sample 60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025.exe, resource win7v20210408
- Behavioral task behavioral16: sample 4d74af75deddc969fef5fd89e65fa251.exe, resource win7v20210410
- Behavioral task behavioral17: sample 45295780f2ba837be42ccf50710bd2b5.exe, resource win7v20210408
- Behavioral task behavioral18: sample 352b1f3533ded8c575246d4466f68c49.exe, resource win7v20210410
- Behavioral task behavioral19: sample 2b10ad4890c4d6e2861533cc7260a9fdc7871ea2.exe, resource win7v20210410
- Behavioral task behavioral20: sample 1dd4a0983a6884dddc3edf27eb5fdfc87664ed63.exe, resource win7v20210408
- Behavioral task behavioral21: sample 09472e7d9209b7cfc3bbc2e815a2aa843133395b.exe, resource win7v20210410
General
- Target: f937b1b7b3593a38702f870077658a891974edda.exe
- Size: 136KB
- MD5: 45295780f2ba837be42ccf50710bd2b5
- SHA1: f937b1b7b3593a38702f870077658a891974edda
- SHA256: 60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025
- SHA512: 588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b
Malware Config
Extracted
- Path: C:\$Recycle.Bin\RyukReadMe.html
- Family: ryuk
- URL: http://smtpys6pvcvdvram6xucwecfv7rdhs6fmxzivrbcrncdeiphryhb75id.onion
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Executes dropped EXE (3 IoCs)
  pid   Process
  1340  ZvOHjgsZzrep.exe
  1528  uubDpTsFrlan.exe
  420   xphXkObmMlan.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  788   f937b1b7b3593a38702f870077658a891974edda.exe (this row appears 6 times)
- Modifies file permissions (1 TTPs, 2 IoCs)
  pid   Process
  564   icacls.exe
  556   icacls.exe
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: f937b1b7b3593a38702f870077658a891974edda.exe
  ioc: \??\W:, \??\N:, \??\L:, \??\S:, \??\R:, \??\P:, \??\J:, \??\H:, \??\I:, \??\Z:, \??\Y:, \??\X:, \??\V:, \??\Q:, \??\O:, \??\M:, \??\G:, \??\F:, \??\E:, \??\U:, \??\T:, \??\K:
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  788   f937b1b7b3593a38702f870077658a891974edda.exe (this row appears 2 times)
- Suspicious use of WriteProcessMemory (52 IoCs)
Processes (indentation shows the parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\f937b1b7b3593a38702f870077658a891974edda.exe (PID 788)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f937b1b7b3593a38702f870077658a891974edda.exe"
  Signatures: Loads dropped DLL; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ZvOHjgsZzrep.exe (PID 1340)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ZvOHjgsZzrep.exe" 9 REP
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\uubDpTsFrlan.exe (PID 1528)
    Command line: "C:\Users\Admin\AppData\Local\Temp\uubDpTsFrlan.exe" 8 LAN
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\xphXkObmMlan.exe (PID 420)
    Command line: "C:\Users\Admin\AppData\Local\Temp\xphXkObmMlan.exe" 8 LAN
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\icacls.exe (PID 564)
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe (PID 556)
    Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
  - C:\Windows\SysWOW64\net.exe (PID 2996)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 1804)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\SysWOW64\net.exe (PID 1628)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 1868)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\SysWOW64\net.exe (PID 1200)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 2556)
      Command line: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\SysWOW64\net.exe (PID 1960)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 2672)
      Command line: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\SysWOW64\net.exe (PID 2296)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\SysWOW64\net1.exe (PID 3252)
      Command line: C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\SysWOW64\net.exe (PID 1708)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    - C:\Windows\SysWOW64\net1.exe (PID 3284)
      Command line: C:\Windows\system32\net1 stop "samss" /y