Analysis
-
max time kernel
181s -
max time network
311s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
20-10-2021 12:46
Static task
static1
Behavioral task
behavioral1
Sample
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
Resource
win10-en-20210920
windows10_x64
0 signatures
0 seconds
General
-
Target
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
-
Size
144KB
-
MD5
89895cf4c88f13e5797aab63dddf1078
-
SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5
-
SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
-
SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\RyukReadMe.html
Family
ryuk
Ransom Note
contact
balance of shadow universe
Ryuk
$password = 'UWUEbcQLr'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion';
function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs
http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Executes dropped EXE 3 IoCs
pid Process 372 1073r.exe 1032 fvOOUhBaClan.exe 1232 IEwuQeDAslan.exe -
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\MovePop.tif => C:\Users\Admin\Pictures\MovePop.tif.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File renamed C:\Users\Admin\Pictures\SuspendConvert.raw => C:\Users\Admin\Pictures\SuspendConvert.raw.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File renamed C:\Users\Admin\Pictures\MountRemove.raw => C:\Users\Admin\Pictures\MountRemove.raw.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File renamed C:\Users\Admin\Pictures\SaveHide.png => C:\Users\Admin\Pictures\SaveHide.png.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File renamed C:\Users\Admin\Pictures\RepairUninstall.raw => C:\Users\Admin\Pictures\RepairUninstall.raw.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe -
Drops startup file 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 4688 icacls.exe 1436 icacls.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\F: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\T: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\S: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\M: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\I: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\H: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\G: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\V: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\U: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\B: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\R: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\K: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\J: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\Z: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\Y: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\Q: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\P: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\N: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\L: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\E: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\X: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened (read-only) \??\W: 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\ui-strings.js 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul.xrm-ms 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\.lastModified.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\RyukReadMe.html 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down-pressed.gif.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\RyukReadMe.html 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\PREVIEW.GIF 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-tool-view.js 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_2x.png 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\ui-strings.js 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\ui-strings.js 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\RyukReadMe.html 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_multi_filetype.svg.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\RyukReadMe.html 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\RyukReadMe.html 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\s_empty_folder_state.svg 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview2x.png 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\ConfirmSwitch.mov.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.PNG 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\RyukReadMe.html 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\RyukReadMe.html 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.RYK 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\4183903823\1195458082.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3068621934.pri taskmgr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4768 SCHTASKS.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid Process 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4248 taskmgr.exe Token: SeSystemProfilePrivilege 4248 taskmgr.exe Token: SeCreateGlobalPrivilege 4248 taskmgr.exe -
Suspicious use of FindShellTrayWindow 56 IoCs
pid Process 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe -
Suspicious use of SendNotifyMessage 56 IoCs
pid Process 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe 4248 taskmgr.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 3704 wrote to memory of 372 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 73 PID 3704 wrote to memory of 372 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 73 PID 3704 wrote to memory of 372 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 73 PID 3704 wrote to memory of 1032 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 74 PID 3704 wrote to memory of 1032 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 74 PID 3704 wrote to memory of 1032 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 74 PID 3704 wrote to memory of 1232 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 75 PID 3704 wrote to memory of 1232 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 75 PID 3704 wrote to memory of 1232 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 75 PID 3704 wrote to memory of 4688 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 76 PID 3704 wrote to memory of 4688 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 76 PID 3704 wrote to memory of 4688 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 76 PID 3704 wrote to memory of 1436 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 77 PID 3704 wrote to memory of 1436 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 77 PID 3704 wrote to memory of 1436 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 77 PID 3704 wrote to memory of 4920 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 81 PID 3704 wrote to memory of 4920 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 81 PID 3704 wrote to memory of 4920 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 81 PID 3704 wrote to memory of 4176 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 80 PID 3704 wrote to memory of 4176 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 80 PID 3704 wrote to memory of 4176 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 80 PID 3704 wrote to memory of 4644 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 85 PID 3704 wrote to memory of 4644 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 85 PID 3704 wrote to memory of 4644 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 85 PID 3704 wrote to memory of 2336 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 84 PID 3704 wrote to memory of 2336 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 84 PID 3704 wrote to memory of 2336 3704 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe 84 PID 4644 wrote to memory of 2608 4644 net.exe 88 PID 4644 wrote to memory of 2608 4644 net.exe 88 PID 4644 wrote to memory of 2608 4644 net.exe 88 PID 4920 wrote to memory of 1340 4920 net.exe 89 PID 4920 wrote to memory of 1340 4920 net.exe 89 PID 4920 wrote to memory of 1340 4920 net.exe 89 PID 4176 wrote to memory of 4900 4176 net.exe 91 PID 4176 wrote to memory of 4900 4176 net.exe 91 PID 4176 wrote to memory of 4900 4176 net.exe 91 PID 2336 wrote to memory of 4836 2336 net.exe 90 PID 2336 wrote to memory of 4836 2336 net.exe 90 PID 2336 wrote to memory of 4836 2336 net.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe"C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Users\Admin\AppData\Local\Temp\1073r.exe"C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP2⤵
- Executes dropped EXE
PID:372
-
-
C:\Users\Admin\AppData\Local\Temp\fvOOUhBaClan.exe"C:\Users\Admin\AppData\Local\Temp\fvOOUhBaClan.exe" 8 LAN2⤵
- Executes dropped EXE
PID:1032
-
-
C:\Users\Admin\AppData\Local\Temp\IEwuQeDAslan.exe"C:\Users\Admin\AppData\Local\Temp\IEwuQeDAslan.exe" 8 LAN2⤵
- Executes dropped EXE
PID:1232
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:4688
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1436
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:4900
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:1340
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:4836
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:2608
-
-
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /CREATE /NP /SC DAILY /TN "Prints1" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\g2o9m.dll" /ST 10:25 /SD 10/21/2021 /ED 10/28/20212⤵
- Creates scheduled task(s)
PID:4768
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:8732
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:9028
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:8740
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:9016
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4248