ryuk | 473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8

Analysis

max time kernel
155s
max time network
152s
platform
windows7_x64
resource
win7v20210410
submitted
26-07-2021 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
Size

116KB
MD5

5c6273b024c93c5bdf557813868f9337
SHA1

eafe0287e6ae983c6f1ff68f6c7780cc3a037783
SHA256

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8
SHA512

4164f5d7f485cc95825cd6608e0a58eadd456d00145bc3b73d3526e07faaf9d416d03e9a62c8c789db447549421cfc2db73f54f5cd3dabc1238c5da9727c2408

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'nyMTcbyxt'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Loads dropped DLL 10 IoCs

pid	Process
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
1708	msiexec.exe
1708	msiexec.exe
2948	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1296	icacls.exe
1192	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01170_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02267_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00333_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\background.gif	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MAPIPH.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153516.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2F.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RSSITEML.ICO	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO11.POC	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chatham	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00330_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXPTOOWS.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\sunec.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00297_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveNewsletter.dotx	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XIMAGE3B.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OFFOWCI.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Managua	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00100_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02227_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left.gif	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\LAUNCH.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10301_.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF20F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBF1.tmp	msiexec.exe
File created	C:\Windows\Installer\f74e3ba.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB98.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDF9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF941.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI37.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74e3ba.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE62A.tmp	msiexec.exe
File created	C:\Windows\Installer\f74e3bc.ipi	msiexec.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1708	msiexec.exe
1708	msiexec.exe
1708	msiexec.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeSecurityPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1296	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	29
PID 1320 wrote to memory of 1296	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	29
PID 1320 wrote to memory of 1296	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	29
PID 1320 wrote to memory of 1296	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	29
PID 1320 wrote to memory of 1192	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	31
PID 1320 wrote to memory of 1192	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	31
PID 1320 wrote to memory of 1192	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	31
PID 1320 wrote to memory of 1192	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	31
PID 1708 wrote to memory of 2280	1708	msiexec.exe	35
PID 1708 wrote to memory of 2280	1708	msiexec.exe	35
PID 1708 wrote to memory of 2280	1708	msiexec.exe	35
PID 1708 wrote to memory of 2280	1708	msiexec.exe	35
PID 1708 wrote to memory of 2280	1708	msiexec.exe	35
PID 1708 wrote to memory of 2280	1708	msiexec.exe	35
PID 1708 wrote to memory of 2280	1708	msiexec.exe	35
PID 1708 wrote to memory of 2948	1708	msiexec.exe	36
PID 1708 wrote to memory of 2948	1708	msiexec.exe	36
PID 1708 wrote to memory of 2948	1708	msiexec.exe	36
PID 1708 wrote to memory of 2948	1708	msiexec.exe	36
PID 1708 wrote to memory of 2948	1708	msiexec.exe	36

C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
"C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1296
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1192

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 990046DBDC962EDFF1D0E1A027155F54
  2⤵
  - Loads dropped DLL
  PID:2280
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A7C19FF8D9A53659ADC0D7C2B6E9ADA0
  2⤵
  - Loads dropped DLL
  PID:2948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1320-60-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1708-110-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download