ryuk | df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591

Analysis

max time kernel
173s
max time network
149s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
Size

208KB
MD5

b73d6af47bd63b87953279100d7baa00
SHA1

6797dbc139b45701dba1f9d13230935eb1c4f187
SHA256

df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591
SHA512

f87f8b6488309c0ac199df40bdc4b740f0a20ba6488a8cb980b00b5f2599fdab3b233e0d97d1c9db6c1563929e8ee6a28cc0d032d2458cbce4f102826cc77b0e

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 57 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
1220	taskhost.exe
952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
1220	taskhost.exe
952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
1220	taskhost.exe
952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
Token: SeBackupPrivilege	1220	taskhost.exe
Token: SeBackupPrivilege	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1220	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	12
PID 952 wrote to memory of 1412	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	27
PID 952 wrote to memory of 1412	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	27
PID 952 wrote to memory of 1412	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	27
PID 952 wrote to memory of 1124	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	29
PID 952 wrote to memory of 1124	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	29
PID 952 wrote to memory of 1124	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	29
PID 952 wrote to memory of 1312	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	13
PID 1412 wrote to memory of 1496	1412	net.exe	32
PID 1412 wrote to memory of 1496	1412	net.exe	32
PID 1412 wrote to memory of 1496	1412	net.exe	32
PID 1124 wrote to memory of 1040	1124	net.exe	31
PID 1124 wrote to memory of 1040	1124	net.exe	31
PID 1124 wrote to memory of 1040	1124	net.exe	31
PID 1220 wrote to memory of 1832	1220	taskhost.exe	34
PID 1220 wrote to memory of 1832	1220	taskhost.exe	34
PID 1220 wrote to memory of 1832	1220	taskhost.exe	34
PID 1832 wrote to memory of 1756	1832	net.exe	35
PID 1832 wrote to memory of 1756	1832	net.exe	35
PID 1832 wrote to memory of 1756	1832	net.exe	35
PID 1220 wrote to memory of 1636	1220	taskhost.exe	36
PID 1220 wrote to memory of 1636	1220	taskhost.exe	36
PID 1220 wrote to memory of 1636	1220	taskhost.exe	36
PID 1636 wrote to memory of 1536	1636	net.exe	38
PID 1636 wrote to memory of 1536	1636	net.exe	38
PID 1636 wrote to memory of 1536	1636	net.exe	38
PID 952 wrote to memory of 1932	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	39
PID 952 wrote to memory of 1932	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	39
PID 952 wrote to memory of 1932	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	39
PID 1932 wrote to memory of 992	1932	net.exe	41
PID 1932 wrote to memory of 992	1932	net.exe	41
PID 1932 wrote to memory of 992	1932	net.exe	41
PID 952 wrote to memory of 1836	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	42
PID 952 wrote to memory of 1836	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	42
PID 952 wrote to memory of 1836	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	42
PID 1836 wrote to memory of 1976	1836	net.exe	44
PID 1836 wrote to memory of 1976	1836	net.exe	44
PID 1836 wrote to memory of 1976	1836	net.exe	44
PID 952 wrote to memory of 5220	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	47
PID 952 wrote to memory of 5220	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	47
PID 952 wrote to memory of 5220	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	47
PID 5220 wrote to memory of 5244	5220	net.exe	49
PID 5220 wrote to memory of 5244	5220	net.exe	49
PID 5220 wrote to memory of 5244	5220	net.exe	49
PID 1220 wrote to memory of 5288	1220	taskhost.exe	50
PID 1220 wrote to memory of 5288	1220	taskhost.exe	50
PID 1220 wrote to memory of 5288	1220	taskhost.exe	50
PID 5288 wrote to memory of 5312	5288	net.exe	52
PID 5288 wrote to memory of 5312	5288	net.exe	52
PID 5288 wrote to memory of 5312	5288	net.exe	52
PID 952 wrote to memory of 5324	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	53
PID 952 wrote to memory of 5324	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	53
PID 952 wrote to memory of 5324	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	53
PID 5324 wrote to memory of 5348	5324	net.exe	55
PID 5324 wrote to memory of 5348	5324	net.exe	55
PID 5324 wrote to memory of 5348	5324	net.exe	55
PID 952 wrote to memory of 16768	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	56
PID 952 wrote to memory of 16768	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	56
PID 952 wrote to memory of 16768	952	df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe	56
PID 16768 wrote to memory of 16792	16768	net.exe	58
PID 16768 wrote to memory of 16792	16768	net.exe	58
PID 16768 wrote to memory of 16792	16768	net.exe	58
PID 1220 wrote to memory of 16808	1220	taskhost.exe	59
PID 1220 wrote to memory of 16808	1220	taskhost.exe	59

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1756
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1536
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5312
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:16808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16832

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe
"C:\Users\Admin\AppData\Local\Temp\df3d947eb72a7b10f90222ae5a0aab0aade66f0bc1d3812c1b0366e6e8456591.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1496
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1040
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:992
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1976
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5244
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5348
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16792
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:16844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-56-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp

Filesize
8KB

Download
memory/1220-55-0x000000013FA30000-0x000000013FD0C000-memory.dmp

Filesize
2.9MB

Download
memory/1220-57-0x000000013FA30000-0x000000013FD0C000-memory.dmp

Filesize
2.9MB

Download
memory/1312-59-0x000000013FA30000-0x000000013FD0C000-memory.dmp

Filesize
2.9MB

Download