ryuk | 23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

Analysis

max time kernel
153s
max time network
139s
platform
windows7_x64
resource
win7v20210408
submitted
10/07/2021, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
Size

121KB
MD5

7364f6222ac58896e8920f32e4d30aac
SHA1

915fd6fb4e20909025f876f3bb453ec52e21b7be
SHA256

23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f
SHA512

f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'RCCF8gd'; $torlink = 'http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1624	thsAdXTlXrep.exe
1628	JUKtPzQxKlan.exe
2656	YXyhSrmaXlan.exe

Loads dropped DLL 6 IoCs

pid	Process
1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2708	icacls.exe
2720	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Beirut	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Stanley	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185818.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_streams.luac	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MSTAG.TLB	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151041.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\InvokeRedo.midi	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UTC	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01182_.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01184_.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Recife	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01875_.WMF	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\RyukReadMe.html	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1624	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	29
PID 1848 wrote to memory of 1624	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	29
PID 1848 wrote to memory of 1624	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	29
PID 1848 wrote to memory of 1624	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	29
PID 1848 wrote to memory of 1628	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	30
PID 1848 wrote to memory of 1628	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	30
PID 1848 wrote to memory of 1628	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	30
PID 1848 wrote to memory of 1628	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	30
PID 1848 wrote to memory of 2656	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	31
PID 1848 wrote to memory of 2656	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	31
PID 1848 wrote to memory of 2656	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	31
PID 1848 wrote to memory of 2656	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	31
PID 1848 wrote to memory of 2708	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	32
PID 1848 wrote to memory of 2708	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	32
PID 1848 wrote to memory of 2708	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	32
PID 1848 wrote to memory of 2708	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	32
PID 1848 wrote to memory of 2720	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	33
PID 1848 wrote to memory of 2720	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	33
PID 1848 wrote to memory of 2720	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	33
PID 1848 wrote to memory of 2720	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	33
PID 1848 wrote to memory of 2904	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	37
PID 1848 wrote to memory of 2904	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	37
PID 1848 wrote to memory of 2904	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	37
PID 1848 wrote to memory of 2904	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	37
PID 1848 wrote to memory of 2940	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	36
PID 1848 wrote to memory of 2940	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	36
PID 1848 wrote to memory of 2940	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	36
PID 1848 wrote to memory of 2940	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	36
PID 1848 wrote to memory of 1948	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	41
PID 1848 wrote to memory of 1948	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	41
PID 1848 wrote to memory of 1948	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	41
PID 1848 wrote to memory of 1948	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	41
PID 1848 wrote to memory of 3020	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	40
PID 1848 wrote to memory of 3020	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	40
PID 1848 wrote to memory of 3020	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	40
PID 1848 wrote to memory of 3020	1848	23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe	40
PID 3020 wrote to memory of 3128	3020	net.exe	46
PID 3020 wrote to memory of 3128	3020	net.exe	46
PID 3020 wrote to memory of 3128	3020	net.exe	46
PID 3020 wrote to memory of 3128	3020	net.exe	46
PID 2904 wrote to memory of 3144	2904	net.exe	44
PID 2904 wrote to memory of 3144	2904	net.exe	44
PID 2904 wrote to memory of 3144	2904	net.exe	44
PID 2904 wrote to memory of 3144	2904	net.exe	44
PID 2940 wrote to memory of 3120	2940	net.exe	45
PID 2940 wrote to memory of 3120	2940	net.exe	45
PID 2940 wrote to memory of 3120	2940	net.exe	45
PID 2940 wrote to memory of 3120	2940	net.exe	45
PID 1948 wrote to memory of 3160	1948	net.exe	47
PID 1948 wrote to memory of 3160	1948	net.exe	47
PID 1948 wrote to memory of 3160	1948	net.exe	47
PID 1948 wrote to memory of 3160	1948	net.exe	47

C:\Users\Admin\AppData\Local\Temp\23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
"C:\Users\Admin\AppData\Local\Temp\23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\thsAdXTlXrep.exe
  "C:\Users\Admin\AppData\Local\Temp\thsAdXTlXrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\JUKtPzQxKlan.exe
  "C:\Users\Admin\AppData\Local\Temp\JUKtPzQxKlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\YXyhSrmaXlan.exe
  "C:\Users\Admin\AppData\Local\Temp\YXyhSrmaXlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2708
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2720
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3120
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3144
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3128
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1848-60-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download