ryuk | 907503b17094e4849d3f2b17f132c745e4a39c4c1b55c08b3e1d381c70c381d2

Analysis

max time kernel
129s
max time network
140s
platform
windows10_x64
resource
win10v20210408
submitted
09-08-2021 08:21

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
Size

273KB
MD5

0eed6a270c65ab473f149b8b13c46c68
SHA1

bffb380ef3952770464823d55d0f4dfa6ab0b8df
SHA256

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed
SHA512

1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'lRwc4TXe'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
2532	UvlMhSbKOrep.exe
1580	rWiHMWnKMlan.exe
2040	SEnwfEcvOlan.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4668	icacls.exe
4680	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_pdf_18.svg	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\ui-strings.js	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OSFUI.DLL	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\ui-strings.js	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd.otf	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL121.XML	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\ui-strings.js	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h2x.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons_retina.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-selector.js	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\zh-cn\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\ui-strings.js	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jfr\default.jfc	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\ui-strings.js	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.DLL	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\acrobat_pdf.svg	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ZY______.PFB	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\nl_get.svg	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 2532	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	78
PID 516 wrote to memory of 2532	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	78
PID 516 wrote to memory of 2532	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	78
PID 516 wrote to memory of 1580	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	79
PID 516 wrote to memory of 1580	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	79
PID 516 wrote to memory of 1580	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	79
PID 516 wrote to memory of 2040	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	81
PID 516 wrote to memory of 2040	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	81
PID 516 wrote to memory of 2040	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	81
PID 516 wrote to memory of 4668	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	83
PID 516 wrote to memory of 4668	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	83
PID 516 wrote to memory of 4668	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	83
PID 516 wrote to memory of 4680	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	84
PID 516 wrote to memory of 4680	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	84
PID 516 wrote to memory of 4680	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	84
PID 516 wrote to memory of 188	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	87
PID 516 wrote to memory of 188	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	87
PID 516 wrote to memory of 188	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	87
PID 516 wrote to memory of 4612	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	89
PID 516 wrote to memory of 4612	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	89
PID 516 wrote to memory of 4612	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	89
PID 188 wrote to memory of 5040	188	net.exe	90
PID 188 wrote to memory of 5040	188	net.exe	90
PID 188 wrote to memory of 5040	188	net.exe	90
PID 516 wrote to memory of 4936	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	92
PID 516 wrote to memory of 4936	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	92
PID 516 wrote to memory of 4936	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	92
PID 4612 wrote to memory of 4896	4612	net.exe	94
PID 4612 wrote to memory of 4896	4612	net.exe	94
PID 4612 wrote to memory of 4896	4612	net.exe	94
PID 4936 wrote to memory of 4828	4936	net.exe	97
PID 4936 wrote to memory of 4828	4936	net.exe	97
PID 4936 wrote to memory of 4828	4936	net.exe	97
PID 516 wrote to memory of 4816	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	95
PID 516 wrote to memory of 4816	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	95
PID 516 wrote to memory of 4816	516	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	95
PID 4816 wrote to memory of 4900	4816	net.exe	98
PID 4816 wrote to memory of 4900	4816	net.exe	98
PID 4816 wrote to memory of 4900	4816	net.exe	98

C:\Users\Admin\AppData\Local\Temp\7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
"C:\Users\Admin\AppData\Local\Temp\7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Local\Temp\UvlMhSbKOrep.exe
  "C:\Users\Admin\AppData\Local\Temp\UvlMhSbKOrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\rWiHMWnKMlan.exe
  "C:\Users\Admin\AppData\Local\Temp\rWiHMWnKMlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\SEnwfEcvOlan.exe
  "C:\Users\Admin\AppData\Local\Temp\SEnwfEcvOlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4668
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4680
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5040
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4896
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4828
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad3855 /state1:0x41c64e6d
1⤵
PID:4720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-114-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/516-115-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/2532-119-0x00000000001D0000-0x00000000001F1000-memory.dmp

Filesize
132KB

Download