Analysis
- max time kernel: 139s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 10/07/2021, 10:35
Static task: static1
Behavioral task: behavioral1
- Sample: 703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
- Resource: win10v20210408
General
- Target: 703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
- Size: 117KB
- MD5: 31db87c5d3b970b42cb577611f851c7a
- SHA1: 8cc6a1f94514033ad8b15c3c4c720fb0eac249f1
- SHA256: 703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f
- SHA512: d00d566f7385accd173669c9f8f6868626287e0ed4a6a08b174af9f6d054b70aed3babfa91450caa085134a2e75db42802a9cc11790c923ece3a4042d161be4a
Malware Config
Extracted from: C:\users\Public\RyukReadMe.html
- Family: ryuk
- http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Executes dropped EXE (3 IoCs)
  pid 184 yaIwclcEYrep.exe; pid 644 cIuYPRKTRlan.exe; pid 4472 GUcmEQqhTlan.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  pid 4524 icacls.exe; pid 4536 icacls.exe
- Drops desktop.ini file(s) (1 IoCs)
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI (process: 703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe)
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 804 703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe (4 entries, all pid 804)
- Suspicious use of WriteProcessMemory (39 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f.exe"
  PID: 804
  Signatures: Drops desktop.ini file(s); Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\yaIwclcEYrep.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\yaIwclcEYrep.exe" 9 REP
    PID: 184
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\cIuYPRKTRlan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cIuYPRKTRlan.exe" 8 LAN
    PID: 644
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\GUcmEQqhTlan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\GUcmEQqhTlan.exe" 8 LAN
    PID: 4472
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    PID: 4524
    Signatures: Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    PID: 4536
    Signatures: Modifies file permissions
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID: 5084
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      PID: 1156
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID: 4680
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      PID: 4608
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 5108
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 4632
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 4560
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 5020