ryuk | cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c

Analysis

max time kernel
191s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
Size

204KB
MD5

b2a8e087a58b7ae25ac3c85f8d468ebb
SHA1

d3d39b86f3fafde2c21f4d304a04ad579965f19e
SHA256

cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c
SHA512

032a2b686215d1c108397c8af88420550fb9e5cb0d91d24539a3d9385dae816dbc45f409372cb3056e87fd23c32fed0469a27e7c4f48398c3c7108ce8e376c0b

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4916 created 2592	4916	WerFault.exe	59

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4696	2620	WerFault.exe	32
4704	2592	WerFault.exe	59

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe

Modifies registry class 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003591ee950826d80190f299990826d80190f299990826d80124b206000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054545a1a2000623637366339313136623964326231626335373038396635323263653362353262396136633035363430366232303265363738376235303136653963316565370000b20009000400efbe54545a1a54545a1a2e000000000000000000000000000000000000000000000000004d053f00620036003700360063003900310031003600620039006400320062003100620063003500370030003800390066003500320032006300650033006200350032006200390061003600630030003500360034003000360062003200300032006500360037003800370062003500300031003600650039006300310065006500370000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007f5945cf1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c62363736633931313662396432623162633537303839663532326365336235326239613663303536343036623230326536373837623530313665396331656537000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d60992324a9083ec1182d0e6101b3923d5bad9b5dc40371b4eb595e9fc647d27d60992324a9083ec1182d0e6101b3923d5ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-790714498-1549421491-1643397139-1000\{1377E13F-070D-4F09-ABB9-EE3005778683}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = 6282229d0826d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\b676c9116b9d2b1bc57089f522ce3b52b9a6c056406b202e6787b5016e9c1ee7"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4718f333-f7f5-44f8-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
2096	sihost.exe
2096	sihost.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
2096	sihost.exe
2096	sihost.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
4704	WerFault.exe
4704	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
Token: SeBackupPrivilege	2096	sihost.exe
Token: SeBackupPrivilege	2728	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	2592	BackgroundTransferHost.exe
Token: SeBackupPrivilege	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
Token: SeShutdownPrivilege	2888	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5224	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2096	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	37
PID 1928 wrote to memory of 2112	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	36
PID 1928 wrote to memory of 2156	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	35
PID 1928 wrote to memory of 2416	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	33
PID 1928 wrote to memory of 2620	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	32
PID 1928 wrote to memory of 2728	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	31
PID 1928 wrote to memory of 2888	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	30
PID 1928 wrote to memory of 3032	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	29
PID 1928 wrote to memory of 3108	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	28
PID 1928 wrote to memory of 3460	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	26
PID 1928 wrote to memory of 2880	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	22
PID 1928 wrote to memory of 3300	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	21
PID 1928 wrote to memory of 2912	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	20
PID 1928 wrote to memory of 2592	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	59
PID 2620 wrote to memory of 4696	2620	DllHost.exe	64
PID 2620 wrote to memory of 4696	2620	DllHost.exe	64
PID 2096 wrote to memory of 5116	2096	sihost.exe	65
PID 2096 wrote to memory of 5116	2096	sihost.exe	65
PID 2096 wrote to memory of 4456	2096	sihost.exe	68
PID 2096 wrote to memory of 4456	2096	sihost.exe	68
PID 1928 wrote to memory of 5232	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	73
PID 1928 wrote to memory of 5232	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	73
PID 1928 wrote to memory of 5240	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	72
PID 1928 wrote to memory of 5240	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	72
PID 4456 wrote to memory of 5260	4456	net.exe	82
PID 4456 wrote to memory of 5260	4456	net.exe	82
PID 5116 wrote to memory of 5272	5116	net.exe	80
PID 5116 wrote to memory of 5272	5116	net.exe	80
PID 1928 wrote to memory of 5296	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	78
PID 1928 wrote to memory of 5296	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	78
PID 1928 wrote to memory of 5304	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	75
PID 1928 wrote to memory of 5304	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	75
PID 5240 wrote to memory of 5524	5240	net.exe	83
PID 5240 wrote to memory of 5524	5240	net.exe	83
PID 5296 wrote to memory of 5512	5296	net.exe	86
PID 5296 wrote to memory of 5512	5296	net.exe	86
PID 5304 wrote to memory of 5572	5304	net.exe	85
PID 5304 wrote to memory of 5572	5304	net.exe	85
PID 5232 wrote to memory of 5580	5232	net.exe	84
PID 5232 wrote to memory of 5580	5232	net.exe	84
PID 4916 wrote to memory of 2592	4916	WerFault.exe	59
PID 4916 wrote to memory of 2592	4916	WerFault.exe	59
PID 1928 wrote to memory of 5548	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	88
PID 2096 wrote to memory of 5540	2096	sihost.exe	87
PID 1928 wrote to memory of 5548	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	88
PID 2096 wrote to memory of 5540	2096	sihost.exe	87
PID 1928 wrote to memory of 5536	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	92
PID 1928 wrote to memory of 5536	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	92
PID 2096 wrote to memory of 708	2096	sihost.exe	93
PID 2096 wrote to memory of 708	2096	sihost.exe	93
PID 1928 wrote to memory of 724	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	95
PID 1928 wrote to memory of 724	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	95
PID 1928 wrote to memory of 5500	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	96
PID 1928 wrote to memory of 5500	1928	cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe	96
PID 5536 wrote to memory of 5640	5536	net.exe	99
PID 5536 wrote to memory of 5640	5536	net.exe	99
PID 5540 wrote to memory of 5660	5540	net.exe	100
PID 5540 wrote to memory of 5660	5540	net.exe	100
PID 5548 wrote to memory of 5648	5548	net.exe	101
PID 5548 wrote to memory of 5648	5548	net.exe	101
PID 724 wrote to memory of 320	724	net.exe	103
PID 724 wrote to memory of 320	724	net.exe	103
PID 708 wrote to memory of 1980	708	net.exe	102
PID 708 wrote to memory of 1980	708	net.exe	102

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2912

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3300

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3032

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2620 -s 940
  2⤵
  - Program crash
  PID:4696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2416

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2112

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5272
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5260
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5540
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5660
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1980

C:\Users\Admin\AppData\Local\Temp\cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe
"C:\Users\Admin\AppData\Local\Temp\cb755ecf4367d3934c8a1e54ff314890de72db3e54f037acdbf20cb82ee7272c.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5524
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5580
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5572
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5512
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5648
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5640
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:320
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3856

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2592 -s 1100
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:4704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 2592 -ip 2592
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
PID:4920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2096-130-0x00007FF67D600000-0x00007FF67D8DA000-memory.dmp

Filesize
2.9MB

Download
memory/2112-131-0x00007FF67D600000-0x00007FF67D8DA000-memory.dmp

Filesize
2.9MB

Download
memory/2620-199-0x0000025991890000-0x0000025991898000-memory.dmp

Filesize
32KB

Download
memory/2620-200-0x0000025991880000-0x0000025991881000-memory.dmp

Filesize
4KB

Download