ryuk | fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303

Analysis

max time kernel
183s
max time network
217s
platform
windows7_x64
resource
win7-en-20211208
submitted
19/02/2022, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
Size

120KB
MD5

8e0ce316072caa6dd41159dbd5619ece
SHA1

0adbcb1734289e7e430ed8fbe44244aadd7b50e4
SHA256

fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303
SHA512

a0f0fd7245b9fbb3edbf4d450964e7e9475855ba058e9dff0414bd98df4847a027cb0c9ff12a994bcaf651a8dd871bce924fced0e4735cfe7ec258ffa9d05df4

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '2neBqEej6'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1148	adStLBMrerep.exe
308	FCQrkZRtxlan.exe
1272	KTFiizbqRlan.exe

Loads dropped DLL 6 IoCs

pid	Process
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
17944	icacls.exe
17952	icacls.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\R:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\Q:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\H:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\G:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\X:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\Y:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\S:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\O:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\J:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\I:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\Z:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\V:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\U:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\T:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\N:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\M:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\L:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\K:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\W:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\E:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened (read-only)	\??\F:	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1148	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	29
PID 1068 wrote to memory of 1148	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	29
PID 1068 wrote to memory of 1148	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	29
PID 1068 wrote to memory of 1148	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	29
PID 1068 wrote to memory of 308	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	30
PID 1068 wrote to memory of 308	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	30
PID 1068 wrote to memory of 308	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	30
PID 1068 wrote to memory of 308	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	30
PID 1068 wrote to memory of 1272	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	31
PID 1068 wrote to memory of 1272	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	31
PID 1068 wrote to memory of 1272	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	31
PID 1068 wrote to memory of 1272	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	31
PID 1068 wrote to memory of 17944	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	32
PID 1068 wrote to memory of 17944	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	32
PID 1068 wrote to memory of 17944	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	32
PID 1068 wrote to memory of 17944	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	32
PID 1068 wrote to memory of 17952	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	33
PID 1068 wrote to memory of 17952	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	33
PID 1068 wrote to memory of 17952	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	33
PID 1068 wrote to memory of 17952	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	33
PID 1068 wrote to memory of 84188	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	36
PID 1068 wrote to memory of 84188	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	36
PID 1068 wrote to memory of 84188	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	36
PID 1068 wrote to memory of 84188	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	36
PID 1068 wrote to memory of 84196	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	38
PID 1068 wrote to memory of 84196	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	38
PID 1068 wrote to memory of 84196	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	38
PID 1068 wrote to memory of 84196	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	38
PID 1068 wrote to memory of 84248	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	40
PID 1068 wrote to memory of 84248	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	40
PID 1068 wrote to memory of 84248	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	40
PID 1068 wrote to memory of 84248	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	40
PID 1068 wrote to memory of 84272	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	42
PID 1068 wrote to memory of 84272	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	42
PID 1068 wrote to memory of 84272	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	42
PID 1068 wrote to memory of 84272	1068	fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe	42
PID 84248 wrote to memory of 84324	84248	net.exe	47
PID 84248 wrote to memory of 84324	84248	net.exe	47
PID 84248 wrote to memory of 84324	84248	net.exe	47
PID 84248 wrote to memory of 84324	84248	net.exe	47
PID 84196 wrote to memory of 84332	84196	net.exe	45
PID 84196 wrote to memory of 84332	84196	net.exe	45
PID 84196 wrote to memory of 84332	84196	net.exe	45
PID 84196 wrote to memory of 84332	84196	net.exe	45
PID 84272 wrote to memory of 84308	84272	net.exe	46
PID 84272 wrote to memory of 84308	84272	net.exe	46
PID 84272 wrote to memory of 84308	84272	net.exe	46
PID 84272 wrote to memory of 84308	84272	net.exe	46
PID 84188 wrote to memory of 84316	84188	net.exe	44
PID 84188 wrote to memory of 84316	84188	net.exe	44
PID 84188 wrote to memory of 84316	84188	net.exe	44
PID 84188 wrote to memory of 84316	84188	net.exe	44

C:\Users\Admin\AppData\Local\Temp\fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe
"C:\Users\Admin\AppData\Local\Temp\fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\adStLBMrerep.exe
  "C:\Users\Admin\AppData\Local\Temp\adStLBMrerep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Users\Admin\AppData\Local\Temp\FCQrkZRtxlan.exe
  "C:\Users\Admin\AppData\Local\Temp\FCQrkZRtxlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Users\Admin\AppData\Local\Temp\KTFiizbqRlan.exe
  "C:\Users\Admin\AppData\Local\Temp\KTFiizbqRlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:17944
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:17952
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:84188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:84316
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:84196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:84332
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:84248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:84324
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:84272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:84308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download