ryuk | eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7

Analysis

max time kernel
168s
max time network
34s
platform
windows7_x64
resource
win7-en-20211208
submitted
20/02/2022, 00:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
Size

204KB
MD5

9c4659495814126809f7fd4b9566b124
SHA1

194877eb67fe9b160eaaa2d8a908a04d4e8c4d62
SHA256

eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7
SHA512

4e439bc0e886347194ef339aea90db6769149121cd85f4f8ca6a1f66546df5afac6de447d6cb61f1c6f484548cb1a4ad57bcd318fafb7b779889012514f7fa5d

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
1256	taskhost.exe
2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
1256	taskhost.exe
2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
1256	taskhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
Token: SeBackupPrivilege	1256	taskhost.exe
Token: SeBackupPrivilege	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1256	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	16
PID 2036 wrote to memory of 1332	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	18
PID 2036 wrote to memory of 696	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	27
PID 2036 wrote to memory of 696	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	27
PID 2036 wrote to memory of 696	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	27
PID 2036 wrote to memory of 1372	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	29
PID 2036 wrote to memory of 1372	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	29
PID 2036 wrote to memory of 1372	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	29
PID 696 wrote to memory of 944	696	net.exe	31
PID 696 wrote to memory of 944	696	net.exe	31
PID 696 wrote to memory of 944	696	net.exe	31
PID 1372 wrote to memory of 1148	1372	net.exe	32
PID 1372 wrote to memory of 1148	1372	net.exe	32
PID 1372 wrote to memory of 1148	1372	net.exe	32
PID 2036 wrote to memory of 1728	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	33
PID 2036 wrote to memory of 1728	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	33
PID 2036 wrote to memory of 1728	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	33
PID 1256 wrote to memory of 1804	1256	taskhost.exe	35
PID 1256 wrote to memory of 1804	1256	taskhost.exe	35
PID 1256 wrote to memory of 1804	1256	taskhost.exe	35
PID 1728 wrote to memory of 1072	1728	net.exe	37
PID 1728 wrote to memory of 1072	1728	net.exe	37
PID 1728 wrote to memory of 1072	1728	net.exe	37
PID 1804 wrote to memory of 2040	1804	net.exe	38
PID 1804 wrote to memory of 2040	1804	net.exe	38
PID 1804 wrote to memory of 2040	1804	net.exe	38
PID 2036 wrote to memory of 1624	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	39
PID 2036 wrote to memory of 1624	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	39
PID 2036 wrote to memory of 1624	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	39
PID 1256 wrote to memory of 456	1256	taskhost.exe	41
PID 1256 wrote to memory of 456	1256	taskhost.exe	41
PID 1256 wrote to memory of 456	1256	taskhost.exe	41
PID 1624 wrote to memory of 1068	1624	net.exe	43
PID 1624 wrote to memory of 1068	1624	net.exe	43
PID 1624 wrote to memory of 1068	1624	net.exe	43
PID 456 wrote to memory of 1960	456	net.exe	44
PID 456 wrote to memory of 1960	456	net.exe	44
PID 456 wrote to memory of 1960	456	net.exe	44
PID 2036 wrote to memory of 17716	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	47
PID 2036 wrote to memory of 17716	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	47
PID 2036 wrote to memory of 17716	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	47
PID 17716 wrote to memory of 17740	17716	net.exe	49
PID 17716 wrote to memory of 17740	17716	net.exe	49
PID 17716 wrote to memory of 17740	17716	net.exe	49
PID 2036 wrote to memory of 17760	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	51
PID 2036 wrote to memory of 17760	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	51
PID 2036 wrote to memory of 17760	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	51
PID 1256 wrote to memory of 17768	1256	taskhost.exe	50
PID 1256 wrote to memory of 17768	1256	taskhost.exe	50
PID 1256 wrote to memory of 17768	1256	taskhost.exe	50
PID 17768 wrote to memory of 17808	17768	net.exe	55
PID 17768 wrote to memory of 17808	17768	net.exe	55
PID 17768 wrote to memory of 17808	17768	net.exe	55
PID 17760 wrote to memory of 17816	17760	net.exe	54
PID 17760 wrote to memory of 17816	17760	net.exe	54
PID 17760 wrote to memory of 17816	17760	net.exe	54
PID 2036 wrote to memory of 18268	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	56
PID 2036 wrote to memory of 18268	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	56
PID 2036 wrote to memory of 18268	2036	eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe	56
PID 18268 wrote to memory of 18292	18268	net.exe	58
PID 18268 wrote to memory of 18292	18268	net.exe	58
PID 18268 wrote to memory of 18292	18268	net.exe	58
PID 1256 wrote to memory of 1100	1256	taskhost.exe	60
PID 1256 wrote to memory of 1100	1256	taskhost.exe	60

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1960
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:17768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:17808
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1212

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe
"C:\Users\Admin\AppData\Local\Temp\eb603b5c296bed3b649a2aea6b76c71fbee4b7882165570e3614b4df0e8659e7.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:944
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1148
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1072
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1068
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:17716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:17740
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:17760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:17816
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:18268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:18292
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:18280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-56-0x000000013F370000-0x000000013F649000-memory.dmp

Filesize
2.8MB

Download
memory/1256-55-0x000000013F370000-0x000000013F649000-memory.dmp

Filesize
2.8MB

Download
memory/1332-58-0x000000013F370000-0x000000013F649000-memory.dmp

Filesize
2.8MB

Download
memory/2036-54-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

Filesize
8KB

Download