ryuk | 0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad

Analysis

max time kernel
184s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
19-02-2022 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
Size

207KB
MD5

36dfbe051ab87906b8de92085335bddb
SHA1

932d13cc4f14f33825d236cb7ed8c50314f73365
SHA256

0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad
SHA512

3ad79c11e252513f651c2aa066668aeb263e51643eaa15766853ae764b2fd2b65f9f631b9e701c9b1c4f05232e9b87b3cc33d84fec4930f523c45a411356eb21

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4544 created 1608	4544	WerFault.exe	53
PID 2732 created 2888	2732	WerFault.exe	35

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4788	2716	WerFault.exe	33
5884	2888	WerFault.exe	35
5876	1608	WerFault.exe	53

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
2188	sihost.exe
2188	sihost.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
2188	sihost.exe
2188	sihost.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
5876	WerFault.exe
5876	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
2188	sihost.exe
2188	sihost.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
Token: SeBackupPrivilege	2188	sihost.exe
Token: SeShutdownPrivilege	2964	RuntimeBroker.exe
Token: SeBackupPrivilege	2888	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1608	backgroundTaskHost.exe
Token: SeBackupPrivilege	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
Token: SeRestorePrivilege	4788	WerFault.exe
Token: SeBackupPrivilege	4788	WerFault.exe
Token: SeBackupPrivilege	4788	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2188	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	20
PID 1976 wrote to memory of 2208	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	23
PID 1976 wrote to memory of 2252	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	26
PID 1976 wrote to memory of 2520	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	32
PID 1976 wrote to memory of 2716	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	33
PID 1976 wrote to memory of 2888	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	35
PID 1976 wrote to memory of 2964	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	36
PID 1976 wrote to memory of 3056	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	37
PID 1976 wrote to memory of 2476	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	38
PID 1976 wrote to memory of 3360	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	41
PID 1976 wrote to memory of 3948	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	44
PID 1976 wrote to memory of 3520	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	52
PID 1976 wrote to memory of 1608	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	53
PID 2716 wrote to memory of 4788	2716	DllHost.exe	62
PID 2716 wrote to memory of 4788	2716	DllHost.exe	62
PID 2188 wrote to memory of 4996	2188	sihost.exe	65
PID 2188 wrote to memory of 4996	2188	sihost.exe	65
PID 2188 wrote to memory of 2092	2188	sihost.exe	67
PID 2188 wrote to memory of 2092	2188	sihost.exe	67
PID 1976 wrote to memory of 5184	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	70
PID 1976 wrote to memory of 5184	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	70
PID 1976 wrote to memory of 5192	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	69
PID 1976 wrote to memory of 5192	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	69
PID 4996 wrote to memory of 5312	4996	net.exe	74
PID 4996 wrote to memory of 5312	4996	net.exe	74
PID 2092 wrote to memory of 5304	2092	net.exe	73
PID 2092 wrote to memory of 5304	2092	net.exe	73
PID 1976 wrote to memory of 5340	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	71
PID 1976 wrote to memory of 5340	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	71
PID 1976 wrote to memory of 5456	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	80
PID 1976 wrote to memory of 5456	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	80
PID 5184 wrote to memory of 5436	5184	net.exe	79
PID 5184 wrote to memory of 5436	5184	net.exe	79
PID 5192 wrote to memory of 5432	5192	net.exe	78
PID 5192 wrote to memory of 5432	5192	net.exe	78
PID 5456 wrote to memory of 5588	5456	net.exe	83
PID 5456 wrote to memory of 5588	5456	net.exe	83
PID 5340 wrote to memory of 5596	5340	net.exe	82
PID 5340 wrote to memory of 5596	5340	net.exe	82
PID 4544 wrote to memory of 1608	4544	WerFault.exe	53
PID 2732 wrote to memory of 2888	2732	WerFault.exe	35
PID 4544 wrote to memory of 1608	4544	WerFault.exe	53
PID 2732 wrote to memory of 2888	2732	WerFault.exe	35
PID 2188 wrote to memory of 5968	2188	sihost.exe	86
PID 2188 wrote to memory of 5968	2188	sihost.exe	86
PID 2188 wrote to memory of 5980	2188	sihost.exe	87
PID 2188 wrote to memory of 5980	2188	sihost.exe	87
PID 5968 wrote to memory of 6100	5968	net.exe	91
PID 5968 wrote to memory of 6100	5968	net.exe	91
PID 5980 wrote to memory of 6104	5980	net.exe	90
PID 5980 wrote to memory of 6104	5980	net.exe	90
PID 1976 wrote to memory of 4500	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	92
PID 1976 wrote to memory of 4500	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	92
PID 1976 wrote to memory of 2116	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	93
PID 1976 wrote to memory of 2116	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	93
PID 4500 wrote to memory of 2576	4500	net.exe	97
PID 4500 wrote to memory of 2576	4500	net.exe	97
PID 2116 wrote to memory of 452	2116	net.exe	98
PID 2116 wrote to memory of 452	2116	net.exe	98
PID 1976 wrote to memory of 1288	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	99
PID 1976 wrote to memory of 1288	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	99
PID 1288 wrote to memory of 2172	1288	net.exe	101
PID 1288 wrote to memory of 2172	1288	net.exe	101
PID 1976 wrote to memory of 1896	1976	0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe	102

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5312
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5304
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6100
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6104
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:5964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4528
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:6128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2208

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2716 -s 924
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2888 -s 1316
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:5884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2476

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3520

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1608 -s 3236
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5876

C:\Users\Admin\AppData\Local\Temp\0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe
"C:\Users\Admin\AppData\Local\Temp\0acb78ccddd5b957983294ce68aa5526b7b703c8d047bb25fcbd7692d8679dad.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5432
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5596
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5588
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2576
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:452
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2172
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3504
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:3228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6056
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:4824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5724

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 1608 -ip 1608
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 2888 -ip 2888
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
PID:5424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2188-130-0x00007FF6CAAB0000-0x00007FF6CAD8B000-memory.dmp

Filesize
2.9MB

Download
memory/2208-131-0x00007FF6CAAB0000-0x00007FF6CAD8B000-memory.dmp

Filesize
2.9MB

Download