ryuk | 473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8

Analysis

max time kernel
149s
max time network
47s
platform
windows7_x64
resource
win7v20210408
submitted
10-07-2021 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
Size

116KB
MD5

5c6273b024c93c5bdf557813868f9337
SHA1

eafe0287e6ae983c6f1ff68f6c7780cc3a037783
SHA256

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8
SHA512

4164f5d7f485cc95825cd6608e0a58eadd456d00145bc3b73d3526e07faaf9d416d03e9a62c8c789db447549421cfc2db73f54f5cd3dabc1238c5da9727c2408

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'nyMTcbyxt'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Loads dropped DLL 10 IoCs

pid	Process
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1560	MsiExec.exe
1972	msiexec.exe
1972	msiexec.exe
2144	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1780	icacls.exe
1704	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00445_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115855.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bogota	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL026.XML	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281243.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.XML	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl.css	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01151_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00352_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.TXT	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_OFF.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MAPISHELLR.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\PST8PDT	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PPINTL.REST.IDX_DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00127_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left_over.gif	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01013_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18254_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPAPERS.INI	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RMNSQUE.INF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\NamedURLs.HxK	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00633_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFC8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1AD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI288.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID93F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE0FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC17.tmp	msiexec.exe
File created	C:\Windows\Installer\f75d4fd.ipi	msiexec.exe
File created	C:\Windows\Installer\f75d4fb.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\f75d4fb.mst	msiexec.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1972	msiexec.exe
1972	msiexec.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeSecurityPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1780	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	29
PID 1240 wrote to memory of 1780	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	29
PID 1240 wrote to memory of 1780	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	29
PID 1240 wrote to memory of 1780	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	29
PID 1240 wrote to memory of 1704	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	30
PID 1240 wrote to memory of 1704	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	30
PID 1240 wrote to memory of 1704	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	30
PID 1240 wrote to memory of 1704	1240	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	30
PID 1972 wrote to memory of 1560	1972	msiexec.exe	35
PID 1972 wrote to memory of 1560	1972	msiexec.exe	35
PID 1972 wrote to memory of 1560	1972	msiexec.exe	35
PID 1972 wrote to memory of 1560	1972	msiexec.exe	35
PID 1972 wrote to memory of 1560	1972	msiexec.exe	35
PID 1972 wrote to memory of 1560	1972	msiexec.exe	35
PID 1972 wrote to memory of 1560	1972	msiexec.exe	35
PID 1972 wrote to memory of 2144	1972	msiexec.exe	36
PID 1972 wrote to memory of 2144	1972	msiexec.exe	36
PID 1972 wrote to memory of 2144	1972	msiexec.exe	36
PID 1972 wrote to memory of 2144	1972	msiexec.exe	36
PID 1972 wrote to memory of 2144	1972	msiexec.exe	36

C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
"C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1780
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1704

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B1F85638DC96AA29E1A74D125F0332B2
  2⤵
  - Loads dropped DLL
  PID:1560
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 85E90F771554D0D0435E7881BB03FCF1
  2⤵
  - Loads dropped DLL
  PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-60-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1972-127-0x000007FEFB681000-0x000007FEFB683000-memory.dmp

Filesize
8KB

Download