ryuk | bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9

Analysis

max time kernel
169s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
Size

207KB
MD5

7899090dd1b61fc2d85b50473e500d8b
SHA1

9c972c2696d68d3d29726cdba061e31c51663c12
SHA256

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9
SHA512

b976e2f12bcb13ff10fb70338fac775356fb40ba36d11c40c72028c723d452e49128050dc30bac9d66e205162f2994d0f07aeb74a271fd494fd39cd1718b9c6b

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 5512 created 1884	5512	WerFault.exe	22
PID 5224 created 2820	5224	WerFault.exe	15
PID 5208 created 2640	5208	WerFault.exe	35

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4612	2640	WerFault.exe	35
2000	2820	WerFault.exe	15
5596	2640	WerFault.exe	35
4900	1884	WerFault.exe	22

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3784a334-4a56-42d5-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e7c23a02-b872-40bb-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000005ac4c2f20b26d8015ac4c2f20b26d8015ac4c2f20b26d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054545d1d2000666334316531613961626566333839333562643065303962663537653039306235613238616237346434353835353861396461353036343566663537306235360000b20009000400efbe54545d1d54545d1d2e00000000000000000000000000000000000000000000000000a6c8c900660063003400310065003100610039006100620065006600330038003900330035006200640030006500300039006200660035003700650030003900300062003500610032003800610062003700340064003400350038003500350038006100390064006100350030003600340035006600660035003700300062003500360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000000592f5451000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66633431653161396162656633383933356264306530396266353765303930623561323861623734643435383535386139646135303634356666353730623536000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d6c8e39b499083ec1182d0de0fc891f8e3bad9b5dc40371b4eb595e9fc647d27d6c8e39b499083ec1182d0de0fc891f8e3ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\23f28542-9dab-4512-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3d175fbf-d3e1-4390-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fc41e1a9abef38935bd0e09bf57e090b5a28ab74d458558a9da50645ff570b56"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\65f8d178-2eb7-46f5-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b6444093-9932-4804-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9b4aa7ae-1e71-4983- = 665ad1f30b26d801	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
2112	sihost.exe
2112	sihost.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
2112	sihost.exe
2112	sihost.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
2112	sihost.exe
2112	sihost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
Token: SeBackupPrivilege	2112	sihost.exe
Token: SeBackupPrivilege	2820	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1884	backgroundTaskHost.exe
Token: SeBackupPrivilege	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 2112	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	39
PID 3696 wrote to memory of 2128	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	12
PID 3696 wrote to memory of 2180	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	38
PID 3696 wrote to memory of 2436	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	36
PID 3696 wrote to memory of 2640	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	35
PID 3696 wrote to memory of 2820	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	15
PID 3696 wrote to memory of 2884	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	14
PID 3696 wrote to memory of 2972	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	34
PID 3696 wrote to memory of 2464	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	33
PID 3696 wrote to memory of 3384	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	31
PID 3696 wrote to memory of 828	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	27
PID 3696 wrote to memory of 1856	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	23
PID 3696 wrote to memory of 1884	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	22
PID 2112 wrote to memory of 2252	2112	sihost.exe	63
PID 2112 wrote to memory of 2252	2112	sihost.exe	63
PID 3696 wrote to memory of 1524	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	65
PID 3696 wrote to memory of 1524	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	65
PID 3696 wrote to memory of 3392	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	64
PID 3696 wrote to memory of 3392	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	64
PID 2112 wrote to memory of 2868	2112	sihost.exe	66
PID 2112 wrote to memory of 2868	2112	sihost.exe	66
PID 3696 wrote to memory of 5104	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	72
PID 3696 wrote to memory of 5104	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	72
PID 2640 wrote to memory of 4612	2640	DllHost.exe	71
PID 2640 wrote to memory of 4612	2640	DllHost.exe	71
PID 2868 wrote to memory of 2960	2868	net.exe	76
PID 2868 wrote to memory of 2960	2868	net.exe	76
PID 3392 wrote to memory of 5124	3392	net.exe	75
PID 3392 wrote to memory of 5124	3392	net.exe	75
PID 2252 wrote to memory of 3720	2252	net.exe	73
PID 2252 wrote to memory of 3720	2252	net.exe	73
PID 1524 wrote to memory of 5132	1524	net.exe	74
PID 1524 wrote to memory of 5132	1524	net.exe	74
PID 3696 wrote to memory of 5416	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	80
PID 3696 wrote to memory of 5416	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	80
PID 5416 wrote to memory of 5532	5416	net.exe	84
PID 5416 wrote to memory of 5532	5416	net.exe	84
PID 5104 wrote to memory of 5540	5104	net.exe	83
PID 5104 wrote to memory of 5540	5104	net.exe	83
PID 2112 wrote to memory of 5684	2112	sihost.exe	85
PID 2112 wrote to memory of 5684	2112	sihost.exe	85
PID 5684 wrote to memory of 5740	5684	net.exe	87
PID 5684 wrote to memory of 5740	5684	net.exe	87
PID 2112 wrote to memory of 5760	2112	sihost.exe	88
PID 2112 wrote to memory of 5760	2112	sihost.exe	88
PID 5760 wrote to memory of 5812	5760	net.exe	90
PID 5760 wrote to memory of 5812	5760	net.exe	90
PID 3696 wrote to memory of 5928	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	91
PID 3696 wrote to memory of 5928	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	91
PID 5928 wrote to memory of 5980	5928	net.exe	93
PID 5928 wrote to memory of 5980	5928	net.exe	93
PID 3696 wrote to memory of 6000	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	94
PID 3696 wrote to memory of 6000	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	94
PID 6000 wrote to memory of 6052	6000	net.exe	96
PID 6000 wrote to memory of 6052	6000	net.exe	96
PID 3696 wrote to memory of 6076	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	97
PID 3696 wrote to memory of 6076	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	97
PID 6076 wrote to memory of 6128	6076	net.exe	99
PID 6076 wrote to memory of 6128	6076	net.exe	99
PID 3696 wrote to memory of 5156	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	100
PID 3696 wrote to memory of 5156	3696	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	100
PID 5156 wrote to memory of 3876	5156	net.exe	102
PID 5156 wrote to memory of 3876	5156	net.exe	102
PID 5208 wrote to memory of 2640	5208	WerFault.exe	35

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2128

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2820 -s 3104
  2⤵
  - Program crash
  PID:2000

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1884 -s 3344
  2⤵
  - Program crash
  PID:4900

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:828

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3384

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2640 -s 1020
  2⤵
  - Program crash
  PID:4612
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2640 -s 1020
  2⤵
  - Program crash
  PID:5596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2436

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2180

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3720
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2960
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5740
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5760
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5812
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:5572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5780
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6020

C:\Users\Admin\AppData\Local\Temp\bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
"C:\Users\Admin\AppData\Local\Temp\bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5124
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5132
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5540
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5532
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5980
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6128
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2640 -ip 2640
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2820 -ip 2820
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 1884 -ip 1884
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2112-130-0x00007FF60C870000-0x00007FF60CB4B000-memory.dmp

Filesize
2.9MB

Download
memory/2128-131-0x00007FF60C870000-0x00007FF60CB4B000-memory.dmp

Filesize
2.9MB

Download