ryuk | f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

Analysis

max time kernel
174s
max time network
84s
platform
windows7_x64
resource
win7-en-20211208
submitted
20/02/2022, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
Size

201KB
MD5

3f5da05d62a70eb1212db39d5d6cf45e
SHA1

369b0ba084ba65268d56019653d8edd37c4838f1
SHA256

f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31
SHA512

7424a9e8dc8dd521cbc98b910ab4642eb50f9d0c3a00e9b230207b505e3d7e74d16872d7be828983d6ec24c67858f1755cc1ac058fd48acefd8a730a41d790b1

Score

10^/10

ryuk discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1116	bcdedit.exe
560	bcdedit.exe
1752	bcdedit.exe

Executes dropped EXE 1 IoCs

pid	Process
584	IfedwYM.exe

Loads dropped DLL 2 IoCs

pid	Process
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1512	icacls.exe
1836	icacls.exe
800	icacls.exe
1536	icacls.exe
1952	icacls.exe
968	icacls.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\taskhost.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IfedwYM.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1120	vssadmin.exe
688	vssadmin.exe
976	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1228	taskhost.exe
584	IfedwYM.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1228	taskhost.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1228	taskhost.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
584	IfedwYM.exe
584	IfedwYM.exe
584	IfedwYM.exe
584	IfedwYM.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
584	IfedwYM.exe
584	IfedwYM.exe
1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe
1228	taskhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
Token: SeBackupPrivilege	1228	taskhost.exe
Token: SeBackupPrivilege	584	IfedwYM.exe
Token: SeBackupPrivilege	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe
Token: SeSecurityPrivilege	2888	WMIC.exe
Token: SeTakeOwnershipPrivilege	2888	WMIC.exe
Token: SeLoadDriverPrivilege	2888	WMIC.exe
Token: SeSystemProfilePrivilege	2888	WMIC.exe
Token: SeSystemtimePrivilege	2888	WMIC.exe
Token: SeProfSingleProcessPrivilege	2888	WMIC.exe
Token: SeIncBasePriorityPrivilege	2888	WMIC.exe
Token: SeCreatePagefilePrivilege	2888	WMIC.exe
Token: SeBackupPrivilege	2888	WMIC.exe
Token: SeRestorePrivilege	2888	WMIC.exe
Token: SeShutdownPrivilege	2888	WMIC.exe
Token: SeDebugPrivilege	2888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2888	WMIC.exe
Token: SeRemoteShutdownPrivilege	2888	WMIC.exe
Token: SeUndockPrivilege	2888	WMIC.exe
Token: SeManageVolumePrivilege	2888	WMIC.exe
Token: 33	2888	WMIC.exe
Token: 34	2888	WMIC.exe
Token: 35	2888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2188	WMIC.exe
Token: SeSecurityPrivilege	2188	WMIC.exe
Token: SeTakeOwnershipPrivilege	2188	WMIC.exe
Token: SeLoadDriverPrivilege	2188	WMIC.exe
Token: SeSystemProfilePrivilege	2188	WMIC.exe
Token: SeSystemtimePrivilege	2188	WMIC.exe
Token: SeProfSingleProcessPrivilege	2188	WMIC.exe
Token: SeIncBasePriorityPrivilege	2188	WMIC.exe
Token: SeCreatePagefilePrivilege	2188	WMIC.exe
Token: SeBackupPrivilege	2188	WMIC.exe
Token: SeRestorePrivilege	2188	WMIC.exe
Token: SeShutdownPrivilege	2188	WMIC.exe
Token: SeDebugPrivilege	2188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2188	WMIC.exe
Token: SeRemoteShutdownPrivilege	2188	WMIC.exe
Token: SeUndockPrivilege	2188	WMIC.exe
Token: SeManageVolumePrivilege	2188	WMIC.exe
Token: 33	2188	WMIC.exe
Token: 34	2188	WMIC.exe
Token: 35	2188	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2196	WMIC.exe
Token: SeSecurityPrivilege	2196	WMIC.exe
Token: SeTakeOwnershipPrivilege	2196	WMIC.exe
Token: SeLoadDriverPrivilege	2196	WMIC.exe
Token: SeSystemProfilePrivilege	2196	WMIC.exe
Token: SeSystemtimePrivilege	2196	WMIC.exe
Token: SeProfSingleProcessPrivilege	2196	WMIC.exe
Token: SeIncBasePriorityPrivilege	2196	WMIC.exe
Token: SeCreatePagefilePrivilege	2196	WMIC.exe
Token: SeBackupPrivilege	2196	WMIC.exe
Token: SeRestorePrivilege	2196	WMIC.exe
Token: SeShutdownPrivilege	2196	WMIC.exe
Token: SeDebugPrivilege	2196	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2196	WMIC.exe
Token: SeRemoteShutdownPrivilege	2196	WMIC.exe
Token: SeUndockPrivilege	2196	WMIC.exe
Token: SeManageVolumePrivilege	2196	WMIC.exe
Token: 33	2196	WMIC.exe
Token: 34	2196	WMIC.exe
Token: 35	2196	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 584	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	27
PID 1940 wrote to memory of 584	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	27
PID 1940 wrote to memory of 584	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	27
PID 1940 wrote to memory of 1228	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	11
PID 1940 wrote to memory of 1300	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	28
PID 1940 wrote to memory of 1300	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	28
PID 1940 wrote to memory of 1300	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	28
PID 1940 wrote to memory of 908	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	30
PID 1940 wrote to memory of 908	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	30
PID 1940 wrote to memory of 908	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	30
PID 1300 wrote to memory of 1388	1300	net.exe	33
PID 1300 wrote to memory of 1388	1300	net.exe	33
PID 1300 wrote to memory of 1388	1300	net.exe	33
PID 908 wrote to memory of 304	908	net.exe	32
PID 908 wrote to memory of 304	908	net.exe	32
PID 908 wrote to memory of 304	908	net.exe	32
PID 1940 wrote to memory of 1344	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	10
PID 1228 wrote to memory of 1836	1228	taskhost.exe	35
PID 1228 wrote to memory of 1836	1228	taskhost.exe	35
PID 1228 wrote to memory of 1836	1228	taskhost.exe	35
PID 1940 wrote to memory of 1512	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	34
PID 1940 wrote to memory of 1512	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	34
PID 1940 wrote to memory of 1512	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	34
PID 1228 wrote to memory of 800	1228	taskhost.exe	36
PID 1228 wrote to memory of 800	1228	taskhost.exe	36
PID 1228 wrote to memory of 800	1228	taskhost.exe	36
PID 1228 wrote to memory of 1068	1228	taskhost.exe	37
PID 1228 wrote to memory of 1068	1228	taskhost.exe	37
PID 1228 wrote to memory of 1068	1228	taskhost.exe	37
PID 584 wrote to memory of 1536	584	IfedwYM.exe	38
PID 584 wrote to memory of 1536	584	IfedwYM.exe	38
PID 584 wrote to memory of 1536	584	IfedwYM.exe	38
PID 584 wrote to memory of 1952	584	IfedwYM.exe	41
PID 584 wrote to memory of 1952	584	IfedwYM.exe	41
PID 584 wrote to memory of 1952	584	IfedwYM.exe	41
PID 584 wrote to memory of 1844	584	IfedwYM.exe	40
PID 584 wrote to memory of 1844	584	IfedwYM.exe	40
PID 584 wrote to memory of 1844	584	IfedwYM.exe	40
PID 584 wrote to memory of 1120	584	IfedwYM.exe	48
PID 584 wrote to memory of 1120	584	IfedwYM.exe	48
PID 584 wrote to memory of 1120	584	IfedwYM.exe	48
PID 1228 wrote to memory of 976	1228	taskhost.exe	47
PID 1228 wrote to memory of 976	1228	taskhost.exe	47
PID 1228 wrote to memory of 976	1228	taskhost.exe	47
PID 1940 wrote to memory of 968	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	45
PID 1940 wrote to memory of 968	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	45
PID 1940 wrote to memory of 968	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	45
PID 1940 wrote to memory of 1720	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	60
PID 1940 wrote to memory of 1720	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	60
PID 1940 wrote to memory of 1720	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	60
PID 1228 wrote to memory of 560	1228	taskhost.exe	59
PID 1228 wrote to memory of 560	1228	taskhost.exe	59
PID 1228 wrote to memory of 560	1228	taskhost.exe	59
PID 584 wrote to memory of 1116	584	IfedwYM.exe	57
PID 584 wrote to memory of 1116	584	IfedwYM.exe	57
PID 584 wrote to memory of 1116	584	IfedwYM.exe	57
PID 1228 wrote to memory of 912	1228	taskhost.exe	52
PID 1228 wrote to memory of 912	1228	taskhost.exe	52
PID 1228 wrote to memory of 912	1228	taskhost.exe	52
PID 1228 wrote to memory of 1616	1228	taskhost.exe	80
PID 1228 wrote to memory of 1616	1228	taskhost.exe	80
PID 1228 wrote to memory of 1616	1228	taskhost.exe	80
PID 1940 wrote to memory of 688	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	79
PID 1940 wrote to memory of 688	1940	f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe	79

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1836
- C:\Windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:800
- C:\Windows\system32\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  PID:1068
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
  2⤵
  PID:912
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2896
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No & bcdedit /set {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:560
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1616

C:\Users\Admin\AppData\Local\Temp\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe
"C:\Users\Admin\AppData\Local\Temp\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\IfedwYM.exe
  "C:\Users\Admin\AppData\Local\Temp\IfedwYM.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\system32\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1536
- - C:\Windows\system32\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    PID:1844
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2888
- - C:\Windows\system32\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1952
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1120
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No & bcdedit /set {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1116
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:2872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1496
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IfedwYM.exe" /f
    3⤵
    PID:12684
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IfedwYM.exe" /f
      4⤵
      Adds Run key to start application
      PID:13200
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1388
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:304
- C:\Windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1512
- C:\Windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:968
- C:\Windows\system32\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  PID:1720
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe" /f
  2⤵
  PID:1028
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2988
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No & bcdedit /set {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1752
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2928
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:688
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:15908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:15932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
1⤵
PID:2916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-58-0x000000013F360000-0x000000013F4D4000-memory.dmp

Filesize
1.5MB

Download
memory/1228-60-0x000000013F360000-0x000000013F4D4000-memory.dmp

Filesize
1.5MB

Download
memory/1344-61-0x000000013F360000-0x000000013F4D4000-memory.dmp

Filesize
1.5MB

Download
memory/1940-54-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download