ryuk | 907503b17094e4849d3f2b17f132c745e4a39c4c1b55c08b3e1d381c70c381d2

Analysis

max time kernel
115s
max time network
159s
platform
windows7_x64
resource
win7v20210410
submitted
09-08-2021 08:21

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
Size

273KB
MD5

0eed6a270c65ab473f149b8b13c46c68
SHA1

bffb380ef3952770464823d55d0f4dfa6ab0b8df
SHA256

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed
SHA512

1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'lRwc4TXe'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1716	bLYVPWLORrep.exe
572	bhSWXvhqZlan.exe
1008	XzHZOxtwqlan.exe

Loads dropped DLL 3 IoCs

pid	Process
1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2616	icacls.exe
2604	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-13	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1716	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	29
PID 1268 wrote to memory of 1716	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	29
PID 1268 wrote to memory of 1716	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	29
PID 1268 wrote to memory of 1716	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	29
PID 1268 wrote to memory of 572	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	30
PID 1268 wrote to memory of 572	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	30
PID 1268 wrote to memory of 572	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	30
PID 1268 wrote to memory of 572	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	30
PID 1268 wrote to memory of 1008	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	31
PID 1268 wrote to memory of 1008	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	31
PID 1268 wrote to memory of 1008	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	31
PID 1268 wrote to memory of 1008	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	31
PID 1268 wrote to memory of 2604	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	32
PID 1268 wrote to memory of 2604	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	32
PID 1268 wrote to memory of 2604	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	32
PID 1268 wrote to memory of 2604	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	32
PID 1268 wrote to memory of 2616	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	33
PID 1268 wrote to memory of 2616	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	33
PID 1268 wrote to memory of 2616	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	33
PID 1268 wrote to memory of 2616	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	33
PID 1268 wrote to memory of 3096	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	37
PID 1268 wrote to memory of 3096	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	37
PID 1268 wrote to memory of 3096	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	37
PID 1268 wrote to memory of 3096	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	37
PID 3096 wrote to memory of 3132	3096	net.exe	38
PID 3096 wrote to memory of 3132	3096	net.exe	38
PID 3096 wrote to memory of 3132	3096	net.exe	38
PID 3096 wrote to memory of 3132	3096	net.exe	38
PID 1268 wrote to memory of 3244	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	39
PID 1268 wrote to memory of 3244	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	39
PID 1268 wrote to memory of 3244	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	39
PID 1268 wrote to memory of 3244	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	39
PID 1268 wrote to memory of 3552	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	40
PID 1268 wrote to memory of 3552	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	40
PID 1268 wrote to memory of 3552	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	40
PID 1268 wrote to memory of 3552	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	40
PID 3552 wrote to memory of 3592	3552	net.exe	43
PID 3552 wrote to memory of 3592	3552	net.exe	43
PID 3552 wrote to memory of 3592	3552	net.exe	43
PID 3552 wrote to memory of 3592	3552	net.exe	43
PID 3244 wrote to memory of 3652	3244	net.exe	45
PID 3244 wrote to memory of 3652	3244	net.exe	45
PID 3244 wrote to memory of 3652	3244	net.exe	45
PID 3244 wrote to memory of 3652	3244	net.exe	45
PID 1268 wrote to memory of 3664	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	44
PID 1268 wrote to memory of 3664	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	44
PID 1268 wrote to memory of 3664	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	44
PID 1268 wrote to memory of 3664	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	44
PID 3664 wrote to memory of 3708	3664	net.exe	47
PID 3664 wrote to memory of 3708	3664	net.exe	47
PID 3664 wrote to memory of 3708	3664	net.exe	47
PID 3664 wrote to memory of 3708	3664	net.exe	47

C:\Users\Admin\AppData\Local\Temp\7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
"C:\Users\Admin\AppData\Local\Temp\7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\bLYVPWLORrep.exe
  "C:\Users\Admin\AppData\Local\Temp\bLYVPWLORrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\bhSWXvhqZlan.exe
  "C:\Users\Admin\AppData\Local\Temp\bhSWXvhqZlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Users\Admin\AppData\Local\Temp\XzHZOxtwqlan.exe
  "C:\Users\Admin\AppData\Local\Temp\XzHZOxtwqlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2604
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2616
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3132
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3652
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3592
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1268-62-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/1268-61-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1268-60-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download
memory/3228-145-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3376-142-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/3376-143-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download