ryuk | cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c

Analysis

max time kernel
184s
max time network
141s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
Size

204KB
MD5

b2a8e087a58b7ae25ac3c85f8d468ebb
SHA1

d3d39b86f3fafde2c21f4d304a04ad579965f19e
SHA256

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c
SHA512

032a2b686215d1c108397c8af88420550fb9e5cb0d91d24539a3d9385dae816dbc45f409372cb3056e87fd23c32fed0469a27e7c4f48398c3c7108ce8e376c0b

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 60 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1260	taskhost.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1260	taskhost.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1260	taskhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
Token: SeBackupPrivilege	1260	taskhost.exe
Token: SeBackupPrivilege	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 1260	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	9
PID 268 wrote to memory of 1252	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	27
PID 268 wrote to memory of 1252	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	27
PID 268 wrote to memory of 1252	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	27
PID 268 wrote to memory of 1644	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	29
PID 268 wrote to memory of 1644	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	29
PID 268 wrote to memory of 1644	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	29
PID 268 wrote to memory of 1352	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	8
PID 1644 wrote to memory of 592	1644	net.exe	32
PID 1644 wrote to memory of 592	1644	net.exe	32
PID 1644 wrote to memory of 592	1644	net.exe	32
PID 1252 wrote to memory of 1840	1252	net.exe	31
PID 1252 wrote to memory of 1840	1252	net.exe	31
PID 1252 wrote to memory of 1840	1252	net.exe	31
PID 268 wrote to memory of 1088	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	33
PID 268 wrote to memory of 1088	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	33
PID 268 wrote to memory of 1088	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	33
PID 1260 wrote to memory of 1696	1260	taskhost.exe	35
PID 1260 wrote to memory of 1696	1260	taskhost.exe	35
PID 1260 wrote to memory of 1696	1260	taskhost.exe	35
PID 1088 wrote to memory of 1552	1088	net.exe	37
PID 1088 wrote to memory of 1552	1088	net.exe	37
PID 1088 wrote to memory of 1552	1088	net.exe	37
PID 1696 wrote to memory of 1820	1696	net.exe	39
PID 1696 wrote to memory of 1820	1696	net.exe	39
PID 1696 wrote to memory of 1820	1696	net.exe	39
PID 268 wrote to memory of 10036	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	41
PID 268 wrote to memory of 10036	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	41
PID 268 wrote to memory of 10036	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	41
PID 10036 wrote to memory of 10060	10036	net.exe	43
PID 10036 wrote to memory of 10060	10036	net.exe	43
PID 10036 wrote to memory of 10060	10036	net.exe	43
PID 268 wrote to memory of 10328	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	44
PID 268 wrote to memory of 10328	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	44
PID 268 wrote to memory of 10328	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	44
PID 1260 wrote to memory of 10344	1260	taskhost.exe	46
PID 1260 wrote to memory of 10344	1260	taskhost.exe	46
PID 1260 wrote to memory of 10344	1260	taskhost.exe	46
PID 10328 wrote to memory of 10376	10328	net.exe	48
PID 10328 wrote to memory of 10376	10328	net.exe	48
PID 10328 wrote to memory of 10376	10328	net.exe	48
PID 10344 wrote to memory of 10384	10344	net.exe	49
PID 10344 wrote to memory of 10384	10344	net.exe	49
PID 10344 wrote to memory of 10384	10344	net.exe	49
PID 268 wrote to memory of 16580	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	50
PID 268 wrote to memory of 16580	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	50
PID 268 wrote to memory of 16580	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	50
PID 16580 wrote to memory of 16604	16580	net.exe	52
PID 16580 wrote to memory of 16604	16580	net.exe	52
PID 16580 wrote to memory of 16604	16580	net.exe	52
PID 1260 wrote to memory of 16692	1260	taskhost.exe	53
PID 1260 wrote to memory of 16692	1260	taskhost.exe	53
PID 1260 wrote to memory of 16692	1260	taskhost.exe	53
PID 268 wrote to memory of 16708	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	55
PID 268 wrote to memory of 16708	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	55
PID 268 wrote to memory of 16708	268	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	55
PID 16708 wrote to memory of 16740	16708	net.exe	57
PID 16708 wrote to memory of 16740	16708	net.exe	57
PID 16708 wrote to memory of 16740	16708	net.exe	57
PID 16692 wrote to memory of 16748	16692	net.exe	58
PID 16692 wrote to memory of 16748	16692	net.exe	58
PID 16692 wrote to memory of 16748	16692	net.exe	58

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1352

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1820
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:10384
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16748

C:\Users\Admin\AppData\Local\Temp\cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
"C:\Users\Admin\AppData\Local\Temp\cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1840
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:592
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1552
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:10060
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:10376
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16580
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16604
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-54-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download
memory/1260-55-0x000000013FF80000-0x000000014025A000-memory.dmp

Filesize
2.9MB

Download
memory/1260-57-0x000000013FF80000-0x000000014025A000-memory.dmp

Filesize
2.9MB

Download
memory/1352-58-0x000000013FF80000-0x000000014025A000-memory.dmp

Filesize
2.9MB

Download