ryuk | f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605

Analysis

max time kernel
191s
max time network
55s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
Size

207KB
MD5

0d194b223e038d4c652484549f613763
SHA1

19d367df7f0c3530c6650fe6355e3d9da3378419
SHA256

f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605
SHA512

e9de3df5f2aaa2e1ea576ad5f3a0e0dc27ce4fd9837c2a5505f54122f20ec0b0bafe0a9f54dd02f8e9cc40664eb54ee2d85634483d60ddf8e352c89de3d70a51

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\Desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
1140	taskhost.exe
1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
1140	taskhost.exe
1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
1140	taskhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
Token: SeBackupPrivilege	1140	taskhost.exe
Token: SeBackupPrivilege	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1140	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	11
PID 1072 wrote to memory of 1252	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	19
PID 1072 wrote to memory of 560	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	29
PID 1072 wrote to memory of 560	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	29
PID 1072 wrote to memory of 560	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	29
PID 1072 wrote to memory of 1768	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	31
PID 1072 wrote to memory of 1768	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	31
PID 1072 wrote to memory of 1768	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	31
PID 1768 wrote to memory of 436	1768	net.exe	34
PID 1768 wrote to memory of 436	1768	net.exe	34
PID 1768 wrote to memory of 436	1768	net.exe	34
PID 560 wrote to memory of 1108	560	net.exe	33
PID 560 wrote to memory of 1108	560	net.exe	33
PID 560 wrote to memory of 1108	560	net.exe	33
PID 1072 wrote to memory of 1008	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	35
PID 1072 wrote to memory of 1008	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	35
PID 1072 wrote to memory of 1008	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	35
PID 1140 wrote to memory of 1332	1140	taskhost.exe	36
PID 1140 wrote to memory of 1332	1140	taskhost.exe	36
PID 1140 wrote to memory of 1332	1140	taskhost.exe	36
PID 1332 wrote to memory of 928	1332	net.exe	40
PID 1332 wrote to memory of 928	1332	net.exe	40
PID 1332 wrote to memory of 928	1332	net.exe	40
PID 1008 wrote to memory of 292	1008	net.exe	39
PID 1008 wrote to memory of 292	1008	net.exe	39
PID 1008 wrote to memory of 292	1008	net.exe	39
PID 1140 wrote to memory of 688	1140	taskhost.exe	41
PID 1140 wrote to memory of 688	1140	taskhost.exe	41
PID 1140 wrote to memory of 688	1140	taskhost.exe	41
PID 1072 wrote to memory of 1532	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	43
PID 1072 wrote to memory of 1532	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	43
PID 1072 wrote to memory of 1532	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	43
PID 1532 wrote to memory of 2024	1532	net.exe	46
PID 1532 wrote to memory of 2024	1532	net.exe	46
PID 1532 wrote to memory of 2024	1532	net.exe	46
PID 688 wrote to memory of 1724	688	net.exe	45
PID 688 wrote to memory of 1724	688	net.exe	45
PID 688 wrote to memory of 1724	688	net.exe	45
PID 1072 wrote to memory of 27164	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	48
PID 1072 wrote to memory of 27164	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	48
PID 1072 wrote to memory of 27164	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	48
PID 27164 wrote to memory of 27188	27164	net.exe	50
PID 27164 wrote to memory of 27188	27164	net.exe	50
PID 27164 wrote to memory of 27188	27164	net.exe	50
PID 1140 wrote to memory of 27216	1140	taskhost.exe	51
PID 1140 wrote to memory of 27216	1140	taskhost.exe	51
PID 1140 wrote to memory of 27216	1140	taskhost.exe	51
PID 1072 wrote to memory of 27224	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	52
PID 1072 wrote to memory of 27224	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	52
PID 1072 wrote to memory of 27224	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	52
PID 27224 wrote to memory of 27264	27224	net.exe	55
PID 27216 wrote to memory of 27272	27216	net.exe	56
PID 27224 wrote to memory of 27264	27224	net.exe	55
PID 27216 wrote to memory of 27272	27216	net.exe	56
PID 27224 wrote to memory of 27264	27224	net.exe	55
PID 27216 wrote to memory of 27272	27216	net.exe	56
PID 1072 wrote to memory of 36088	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	58
PID 1072 wrote to memory of 36088	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	58
PID 1072 wrote to memory of 36088	1072	f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe	58
PID 36088 wrote to memory of 36112	36088	net.exe	60
PID 36088 wrote to memory of 36112	36088	net.exe	60
PID 36088 wrote to memory of 36112	36088	net.exe	60
PID 1140 wrote to memory of 46868	1140	taskhost.exe	61
PID 1140 wrote to memory of 46868	1140	taskhost.exe	61

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:928
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1724
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:27216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:27272
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:46868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:46924

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe
"C:\Users\Admin\AppData\Local\Temp\f871e78adf4f918eed72ba7938c010f74197504f0a04febdb35a9f4f10c49605.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1108
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:292
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2024
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:27164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:27188
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:27224
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:27264
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:36088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:36112
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:46876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:46912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1140-54-0x000000013FCF0000-0x0000000140087000-memory.dmp

Filesize
3.6MB

Download
memory/1140-56-0x000000013FCF0000-0x0000000140087000-memory.dmp

Filesize
3.6MB

Download
memory/1252-58-0x000000013FCF0000-0x0000000140087000-memory.dmp

Filesize
3.6MB

Download