ryuk | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

Analysis

max time kernel
141s
max time network
73s
platform
windows7_x64
resource
win7v20210408
submitted
26-07-2021 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Size

132KB
MD5

ab3681a8456319f1330f7525ec6935c3
SHA1

244e178e2073247893025bd51eb7618173bbac29
SHA256

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512

63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Score

10^/10

ryuk discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
964	bcdedit.exe
1988	bcdedit.exe
3320	bcdedit.exe
3620	bcdedit.exe

Executes dropped EXE 2 IoCs

pid	Process
1768	GnbrVovnalan.exe
1244	CHzchNQeHlan.exe

Loads dropped DLL 4 IoCs

pid	Process
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
920	icacls.exe
1952	icacls.exe
1084	icacls.exe
1688	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffe\ufffeC:\\Users\\Admin\\AppData\\Local\\Temp\\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffe\ufffeC:\\Windows\\system32\\taskhost.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CST6CDT	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Wake	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\.lastModified.RYK	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Creston	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\RyukReadMe.html	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Brussels	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.bfc	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\London	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\SecretST.TTF	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\RyukReadMe.html	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\winamp2.xml	taskhost.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\RyukReadMe.html	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2008	vssadmin.exe
2484	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1124	taskhost.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1124	taskhost.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1124	taskhost.exe
Token: SeBackupPrivilege	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
Token: SeBackupPrivilege	1768	GnbrVovnalan.exe
Token: SeIncreaseQuotaPrivilege	1588	WMIC.exe
Token: SeSecurityPrivilege	1588	WMIC.exe
Token: SeTakeOwnershipPrivilege	1588	WMIC.exe
Token: SeLoadDriverPrivilege	1588	WMIC.exe
Token: SeSystemProfilePrivilege	1588	WMIC.exe
Token: SeSystemtimePrivilege	1588	WMIC.exe
Token: SeProfSingleProcessPrivilege	1588	WMIC.exe
Token: SeIncBasePriorityPrivilege	1588	WMIC.exe
Token: SeCreatePagefilePrivilege	1588	WMIC.exe
Token: SeBackupPrivilege	1588	WMIC.exe
Token: SeRestorePrivilege	1588	WMIC.exe
Token: SeShutdownPrivilege	1588	WMIC.exe
Token: SeDebugPrivilege	1588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1588	WMIC.exe
Token: SeRemoteShutdownPrivilege	1588	WMIC.exe
Token: SeUndockPrivilege	1588	WMIC.exe
Token: SeManageVolumePrivilege	1588	WMIC.exe
Token: 33	1588	WMIC.exe
Token: 34	1588	WMIC.exe
Token: 35	1588	WMIC.exe
Token: SeBackupPrivilege	1088	vssvc.exe
Token: SeRestorePrivilege	1088	vssvc.exe
Token: SeAuditPrivilege	1088	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe
Token: 34	2800	WMIC.exe
Token: 35	2800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1588	WMIC.exe
Token: SeSecurityPrivilege	1588	WMIC.exe
Token: SeTakeOwnershipPrivilege	1588	WMIC.exe
Token: SeLoadDriverPrivilege	1588	WMIC.exe
Token: SeSystemProfilePrivilege	1588	WMIC.exe
Token: SeSystemtimePrivilege	1588	WMIC.exe
Token: SeProfSingleProcessPrivilege	1588	WMIC.exe
Token: SeIncBasePriorityPrivilege	1588	WMIC.exe
Token: SeCreatePagefilePrivilege	1588	WMIC.exe
Token: SeBackupPrivilege	1588	WMIC.exe
Token: SeRestorePrivilege	1588	WMIC.exe
Token: SeShutdownPrivilege	1588	WMIC.exe
Token: SeDebugPrivilege	1588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1588	WMIC.exe
Token: SeRemoteShutdownPrivilege	1588	WMIC.exe
Token: SeUndockPrivilege	1588	WMIC.exe
Token: SeManageVolumePrivilege	1588	WMIC.exe
Token: 33	1588	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1768	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	29
PID 1344 wrote to memory of 1768	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	29
PID 1344 wrote to memory of 1768	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	29
PID 1344 wrote to memory of 1244	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	30
PID 1344 wrote to memory of 1244	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	30
PID 1344 wrote to memory of 1244	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	30
PID 1344 wrote to memory of 1124	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	8
PID 1344 wrote to memory of 1536	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	31
PID 1344 wrote to memory of 1536	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	31
PID 1344 wrote to memory of 1536	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	31
PID 1344 wrote to memory of 588	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	33
PID 1344 wrote to memory of 588	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	33
PID 1344 wrote to memory of 588	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	33
PID 1344 wrote to memory of 1176	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	7
PID 1536 wrote to memory of 1572	1536	net.exe	35
PID 1536 wrote to memory of 1572	1536	net.exe	35
PID 1536 wrote to memory of 1572	1536	net.exe	35
PID 588 wrote to memory of 1748	588	net.exe	36
PID 588 wrote to memory of 1748	588	net.exe	36
PID 588 wrote to memory of 1748	588	net.exe	36
PID 1124 wrote to memory of 544	1124	taskhost.exe	37
PID 1124 wrote to memory of 544	1124	taskhost.exe	37
PID 1124 wrote to memory of 544	1124	taskhost.exe	37
PID 1124 wrote to memory of 1016	1124	taskhost.exe	39
PID 1124 wrote to memory of 1016	1124	taskhost.exe	39
PID 1124 wrote to memory of 1016	1124	taskhost.exe	39
PID 1124 wrote to memory of 240	1124	taskhost.exe	38
PID 1124 wrote to memory of 240	1124	taskhost.exe	38
PID 1124 wrote to memory of 240	1124	taskhost.exe	38
PID 1124 wrote to memory of 1120	1124	taskhost.exe	42
PID 1124 wrote to memory of 1120	1124	taskhost.exe	42
PID 1124 wrote to memory of 1120	1124	taskhost.exe	42
PID 1124 wrote to memory of 920	1124	taskhost.exe	45
PID 1124 wrote to memory of 920	1124	taskhost.exe	45
PID 1124 wrote to memory of 920	1124	taskhost.exe	45
PID 1124 wrote to memory of 1952	1124	taskhost.exe	47
PID 1124 wrote to memory of 1952	1124	taskhost.exe	47
PID 1124 wrote to memory of 1952	1124	taskhost.exe	47
PID 1016 wrote to memory of 2008	1016	cmd.exe	50
PID 1016 wrote to memory of 2008	1016	cmd.exe	50
PID 1016 wrote to memory of 2008	1016	cmd.exe	50
PID 240 wrote to memory of 964	240	cmd.exe	49
PID 240 wrote to memory of 964	240	cmd.exe	49
PID 240 wrote to memory of 964	240	cmd.exe	49
PID 544 wrote to memory of 1588	544	cmd.exe	51
PID 544 wrote to memory of 1588	544	cmd.exe	51
PID 544 wrote to memory of 1588	544	cmd.exe	51
PID 1124 wrote to memory of 1688	1124	taskhost.exe	52
PID 1124 wrote to memory of 1688	1124	taskhost.exe	52
PID 1124 wrote to memory of 1688	1124	taskhost.exe	52
PID 1124 wrote to memory of 1708	1124	taskhost.exe	53
PID 1124 wrote to memory of 1708	1124	taskhost.exe	53
PID 1124 wrote to memory of 1708	1124	taskhost.exe	53
PID 1708 wrote to memory of 2040	1708	net.exe	58
PID 1708 wrote to memory of 2040	1708	net.exe	58
PID 1708 wrote to memory of 2040	1708	net.exe	58
PID 1688 wrote to memory of 2000	1688	cmd.exe	56
PID 1688 wrote to memory of 2000	1688	cmd.exe	56
PID 1688 wrote to memory of 2000	1688	cmd.exe	56
PID 240 wrote to memory of 1988	240	cmd.exe	57
PID 240 wrote to memory of 1988	240	cmd.exe	57
PID 240 wrote to memory of 1988	240	cmd.exe	57
PID 1344 wrote to memory of 1076	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	60
PID 1344 wrote to memory of 1076	1344	1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe	60

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\system32\cmd.exe
  cmd /c "WMIC.exe shadowcopy delete"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- C:\Windows\system32\cmd.exe
  cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:964
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1988
- C:\Windows\system32\cmd.exe
  cmd /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:1120
- C:\Windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:920
- C:\Windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:2000
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:48324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:48352
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:82616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:83036

C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\GnbrVovnalan.exe
  "C:\Users\Admin\AppData\Local\Temp\GnbrVovnalan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\CHzchNQeHlan.exe
  "C:\Users\Admin\AppData\Local\Temp\CHzchNQeHlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1572
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1748
- C:\Windows\system32\cmd.exe
  cmd /c "WMIC.exe shadowcopy delete"
  2⤵
  PID:1076
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- C:\Windows\system32\cmd.exe
  cmd /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1988
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2484
- C:\Windows\system32\cmd.exe
  cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  PID:432
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3320
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3620
- C:\Windows\system32\cmd.exe
  cmd /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:1684
- C:\Windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1084
- C:\Windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
  2⤵
  PID:2080
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:3308
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2872
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:45620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:45648
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:49640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:49680
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:79156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:79560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:83052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:83080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-70-0x000000013F890000-0x000000013F9F3000-memory.dmp

Filesize
1.4MB

Download
memory/1176-74-0x000000013F890000-0x000000013F9F3000-memory.dmp

Filesize
1.4MB

Download
memory/1344-60-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download