ryuk | 74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f

Resubmissions

13/07/2021, 07:27

210713-ndxveajg2s 10

Analysis

max time kernel
150s
max time network
135s
platform
windows10_x64
resource
win10v20210410
submitted
13/07/2021, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
Size

186KB
MD5

45f643feeb41a49320ba6bfdc2968f4e
SHA1

572c0f765ab89777ef63dd00f6c7970bc0219e06
SHA256

74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f
SHA512

326b14e3e577eb8839a514f6313b45470f15ab9af90d7213ebf471015ceccbc2926282384ddabceac33ef2c2cfef7e3b04743f19dc7c1f4d11fb0a423bcd3d0e

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
1152	SEhpNMG.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\976_24x24x32.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-400.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\ui-strings.js	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_~_8wekyb3d8bbwe\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5034_40x40x32.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-24_altform-unplated.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\granite.jpg	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim1.sad.scale-200.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-200.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5666_20x20x32.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\TXP_HotelReservation_Dark.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\ui-strings.js	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\envy.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-black_scale-200.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.5efe4060.pri	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\SplashScreen\SolitaireTitle_Lrg.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N.svg	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WordCombinedFloatieModel.bin	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\SmallLogo.scale-200.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\plus_icon.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5606_20x20x32.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons2x.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-gb\ui-strings.js	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-fullcolor.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.ps1	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-40_altform-unplated.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\RyukReadMe.html	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-125.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2708_20x20x32.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\WideTile.scale-100.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ru_135x40.svg	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Selected_Hard.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Premium_badge_compact.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-125.png	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
1152	SEhpNMG.exe
1152	SEhpNMG.exe
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
1152	SEhpNMG.exe
1152	SEhpNMG.exe
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
1152	SEhpNMG.exe
1152	SEhpNMG.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
Token: SeBackupPrivilege	1152	SEhpNMG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 1152	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	73
PID 4024 wrote to memory of 1152	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	73
PID 4024 wrote to memory of 1152	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	73
PID 4024 wrote to memory of 1380	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	74
PID 4024 wrote to memory of 1380	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	74
PID 4024 wrote to memory of 1380	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	74
PID 1380 wrote to memory of 2020	1380	net.exe	76
PID 1380 wrote to memory of 2020	1380	net.exe	76
PID 1380 wrote to memory of 2020	1380	net.exe	76
PID 4024 wrote to memory of 2160	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	77
PID 4024 wrote to memory of 2160	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	77
PID 4024 wrote to memory of 2160	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	77
PID 2160 wrote to memory of 2424	2160	net.exe	79
PID 2160 wrote to memory of 2424	2160	net.exe	79
PID 2160 wrote to memory of 2424	2160	net.exe	79
PID 4024 wrote to memory of 3868	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	82
PID 4024 wrote to memory of 3868	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	82
PID 4024 wrote to memory of 3868	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	82
PID 3868 wrote to memory of 2456	3868	net.exe	84
PID 3868 wrote to memory of 2456	3868	net.exe	84
PID 3868 wrote to memory of 2456	3868	net.exe	84
PID 4024 wrote to memory of 2520	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	85
PID 4024 wrote to memory of 2520	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	85
PID 4024 wrote to memory of 2520	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	85
PID 2520 wrote to memory of 4152	2520	net.exe	87
PID 2520 wrote to memory of 4152	2520	net.exe	87
PID 2520 wrote to memory of 4152	2520	net.exe	87
PID 1152 wrote to memory of 6200	1152	SEhpNMG.exe	88
PID 1152 wrote to memory of 6200	1152	SEhpNMG.exe	88
PID 1152 wrote to memory of 6200	1152	SEhpNMG.exe	88
PID 6200 wrote to memory of 6336	6200	net.exe	90
PID 6200 wrote to memory of 6336	6200	net.exe	90
PID 6200 wrote to memory of 6336	6200	net.exe	90
PID 4024 wrote to memory of 46176	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	96
PID 4024 wrote to memory of 46176	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	96
PID 4024 wrote to memory of 46176	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	96
PID 46176 wrote to memory of 46268	46176	net.exe	98
PID 46176 wrote to memory of 46268	46176	net.exe	98
PID 46176 wrote to memory of 46268	46176	net.exe	98
PID 4024 wrote to memory of 47472	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	99
PID 4024 wrote to memory of 47472	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	99
PID 4024 wrote to memory of 47472	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	99
PID 47472 wrote to memory of 47576	47472	net.exe	101
PID 47472 wrote to memory of 47576	47472	net.exe	101
PID 47472 wrote to memory of 47576	47472	net.exe	101
PID 1152 wrote to memory of 55536	1152	SEhpNMG.exe	102
PID 1152 wrote to memory of 55536	1152	SEhpNMG.exe	102
PID 1152 wrote to memory of 55536	1152	SEhpNMG.exe	102
PID 55536 wrote to memory of 55744	55536	net.exe	104
PID 55536 wrote to memory of 55744	55536	net.exe	104
PID 55536 wrote to memory of 55744	55536	net.exe	104
PID 4024 wrote to memory of 114448	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	106
PID 4024 wrote to memory of 114448	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	106
PID 4024 wrote to memory of 114448	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	106
PID 4024 wrote to memory of 114480	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	108
PID 4024 wrote to memory of 114480	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	108
PID 4024 wrote to memory of 114480	4024	74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe	108
PID 114448 wrote to memory of 114620	114448	net.exe	110
PID 114448 wrote to memory of 114620	114448	net.exe	110
PID 114448 wrote to memory of 114620	114448	net.exe	110
PID 114480 wrote to memory of 114636	114480	net.exe	111
PID 114480 wrote to memory of 114636	114480	net.exe	111
PID 114480 wrote to memory of 114636	114480	net.exe	111
PID 1152 wrote to memory of 118916	1152	SEhpNMG.exe	112

C:\Users\Admin\AppData\Local\Temp\74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
"C:\Users\Admin\AppData\Local\Temp\74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\SEhpNMG.exe
  "C:\Users\Admin\AppData\Local\Temp\SEhpNMG.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6200
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:6336
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:55536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:55744
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:118916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:118964
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2020
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2424
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2456
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4152
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:46176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:46268
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:47472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:47576
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:114448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:114620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:114480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:114636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...