ryuk | 4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3

Analysis

max time kernel
300s
max time network
291s
platform
windows10_x64
resource
win10v20210408
submitted
04-07-2021 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ff457Rk.bin.exe.bin.exe
Size

304KB
MD5

5ecae137bf33ecbb981f3b637b06efc5
SHA1

371e01949b1c7316164021e38d624ffbcba3090a
SHA256

4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3
SHA512

753a63b1407b21cec5e50bd5ad7158917926c6502ac43ffb61e99a911371798bb05be2845598640ac018dd7d57ccddf3c1f7736d22d0b2c2edde2eb7188d0331

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'yxFS7vMc'; $torlink = 'http://vqurn5zgys2zd5z5r5fxnfskpzr74i63ehk7ucmrlbvsuszapwoo62qd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://vqurn5zgys2zd5z5r5fxnfskpzr74i63ehk7ucmrlbvsuszapwoo62qd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 2 IoCs

pid	Process
1200	1073r.exe
1540	zbcRDXBUMlan.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\InitializeFormat.tiff.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreMove.png.RYK	35ff457Rk.bin.exe.bin.exe
File renamed	C:\Users\Admin\Pictures\ImportSync.png => C:\Users\Admin\Pictures\ImportSync.png.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeFormat.tiff	35ff457Rk.bin.exe.bin.exe
File renamed	C:\Users\Admin\Pictures\InitializeFormat.tiff => C:\Users\Admin\Pictures\InitializeFormat.tiff.RYK	35ff457Rk.bin.exe.bin.exe
File renamed	C:\Users\Admin\Pictures\RestoreMove.png => C:\Users\Admin\Pictures\RestoreMove.png.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ImportSync.png.RYK	35ff457Rk.bin.exe.bin.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	35ff457Rk.bin.exe.bin.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\X:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\Q:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\I:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\H:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\J:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\Y:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\W:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\V:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\R:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\P:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\N:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\M:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\E:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\O:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\L:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\U:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\T:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\S:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\K:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\G:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\F:	35ff457Rk.bin.exe.bin.exe
File opened (read-only)	\??\B:	35ff457Rk.bin.exe.bin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started.png	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\ui-strings.js.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main.css	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-nodes.jar.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close2x.png.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ALRTINTL.DLL.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\sfs_icons.png	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\JPEGIM32.FLT	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp_2x.gif	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\accessibility_poster.jpg	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\ui-strings.js	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close2x.png	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado26.tlb	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\core.jar.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\ui-strings.js.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\RyukReadMe.html	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.RYK	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	35ff457Rk.bin.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js	35ff457Rk.bin.exe.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3920	35ff457Rk.bin.exe.bin.exe
3920	35ff457Rk.bin.exe.bin.exe
3920	35ff457Rk.bin.exe.bin.exe
3920	35ff457Rk.bin.exe.bin.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3920	35ff457Rk.bin.exe.bin.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3936	svchost.exe
Token: SeTcbPrivilege	3936	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1200	3920	35ff457Rk.bin.exe.bin.exe	79
PID 3920 wrote to memory of 1200	3920	35ff457Rk.bin.exe.bin.exe	79
PID 3920 wrote to memory of 1200	3920	35ff457Rk.bin.exe.bin.exe	79
PID 3920 wrote to memory of 1540	3920	35ff457Rk.bin.exe.bin.exe	80
PID 3920 wrote to memory of 1540	3920	35ff457Rk.bin.exe.bin.exe	80
PID 3920 wrote to memory of 1540	3920	35ff457Rk.bin.exe.bin.exe	80
PID 3920 wrote to memory of 2352	3920	35ff457Rk.bin.exe.bin.exe	81
PID 3920 wrote to memory of 2352	3920	35ff457Rk.bin.exe.bin.exe	81
PID 3920 wrote to memory of 2352	3920	35ff457Rk.bin.exe.bin.exe	81
PID 3920 wrote to memory of 2504	3920	35ff457Rk.bin.exe.bin.exe	82
PID 3920 wrote to memory of 2504	3920	35ff457Rk.bin.exe.bin.exe	82
PID 3920 wrote to memory of 2504	3920	35ff457Rk.bin.exe.bin.exe	82
PID 3920 wrote to memory of 2308	3920	35ff457Rk.bin.exe.bin.exe	85
PID 3920 wrote to memory of 2308	3920	35ff457Rk.bin.exe.bin.exe	85
PID 3920 wrote to memory of 2308	3920	35ff457Rk.bin.exe.bin.exe	85
PID 3920 wrote to memory of 3604	3920	35ff457Rk.bin.exe.bin.exe	86
PID 3920 wrote to memory of 3604	3920	35ff457Rk.bin.exe.bin.exe	86
PID 3920 wrote to memory of 3604	3920	35ff457Rk.bin.exe.bin.exe	86
PID 3920 wrote to memory of 2780	3920	35ff457Rk.bin.exe.bin.exe	90
PID 3920 wrote to memory of 2780	3920	35ff457Rk.bin.exe.bin.exe	90
PID 3920 wrote to memory of 2780	3920	35ff457Rk.bin.exe.bin.exe	90
PID 3920 wrote to memory of 2652	3920	35ff457Rk.bin.exe.bin.exe	89
PID 3920 wrote to memory of 2652	3920	35ff457Rk.bin.exe.bin.exe	89
PID 3920 wrote to memory of 2652	3920	35ff457Rk.bin.exe.bin.exe	89
PID 2352 wrote to memory of 1644	2352	net.exe	96
PID 2352 wrote to memory of 1644	2352	net.exe	96
PID 2352 wrote to memory of 1644	2352	net.exe	96
PID 2308 wrote to memory of 1104	2308	net.exe	95
PID 2308 wrote to memory of 1104	2308	net.exe	95
PID 2308 wrote to memory of 1104	2308	net.exe	95
PID 2652 wrote to memory of 3488	2652	net.exe	94
PID 2652 wrote to memory of 3488	2652	net.exe	94
PID 2652 wrote to memory of 3488	2652	net.exe	94
PID 3604 wrote to memory of 2136	3604	net.exe	93
PID 3604 wrote to memory of 2136	3604	net.exe	93
PID 3604 wrote to memory of 2136	3604	net.exe	93
PID 2780 wrote to memory of 2252	2780	net.exe	98
PID 2780 wrote to memory of 2252	2780	net.exe	98
PID 2780 wrote to memory of 2252	2780	net.exe	98
PID 2504 wrote to memory of 1260	2504	net.exe	97
PID 2504 wrote to memory of 1260	2504	net.exe	97
PID 2504 wrote to memory of 1260	2504	net.exe	97

C:\Users\Admin\AppData\Local\Temp\35ff457Rk.bin.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\35ff457Rk.bin.exe.bin.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\1073r.exe
  "C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\zbcRDXBUMlan.exe
  "C:\Users\Admin\AppData\Local\Temp\zbcRDXBUMlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1644
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1260
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2136
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "coremessagingregistrar" /y
    3⤵
    PID:3488
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "coremessagingregistrar" /y
    3⤵
    PID:2252

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-122-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/1200-123-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/1540-124-0x00000000004E0000-0x0000000000506000-memory.dmp

Filesize
152KB

Download
memory/1540-125-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/3920-115-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/3920-114-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download