ryuk | c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10

Analysis

max time kernel
181s
max time network
231s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Size

192KB
MD5

ac4845378d6e9585c758efeffe713857
SHA1

4febb67955fa4743db70dad7481702bb46f60d69
SHA256

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10
SHA512

6edaf5e417087b428feaa81214bad3deab967462b6448f6252a413f839a32dcc40cd6be369284a8d940ad1b0804bbc6a85ae22a179af9d7a5cb780658009c874

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
1600	pziWeTX.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	pziWeTX.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1828	icacls.exe
3840	icacls.exe
1120	icacls.exe
628	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pziWeTX.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
1600	pziWeTX.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
1600	pziWeTX.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Token: SeBackupPrivilege	1600	pziWeTX.exe
Token: SeBackupPrivilege	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Token: SeIncreaseQuotaPrivilege	1872	WMIC.exe
Token: SeSecurityPrivilege	1872	WMIC.exe
Token: SeTakeOwnershipPrivilege	1872	WMIC.exe
Token: SeLoadDriverPrivilege	1872	WMIC.exe
Token: SeSystemProfilePrivilege	1872	WMIC.exe
Token: SeSystemtimePrivilege	1872	WMIC.exe
Token: SeProfSingleProcessPrivilege	1872	WMIC.exe
Token: SeIncBasePriorityPrivilege	1872	WMIC.exe
Token: SeCreatePagefilePrivilege	1872	WMIC.exe
Token: SeBackupPrivilege	1872	WMIC.exe
Token: SeRestorePrivilege	1872	WMIC.exe
Token: SeShutdownPrivilege	1872	WMIC.exe
Token: SeDebugPrivilege	1872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1872	WMIC.exe
Token: SeRemoteShutdownPrivilege	1872	WMIC.exe
Token: SeUndockPrivilege	1872	WMIC.exe
Token: SeManageVolumePrivilege	1872	WMIC.exe
Token: 33	1872	WMIC.exe
Token: 34	1872	WMIC.exe
Token: 35	1872	WMIC.exe
Token: 36	1872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe
Token: SeSecurityPrivilege	5060	WMIC.exe
Token: SeTakeOwnershipPrivilege	5060	WMIC.exe
Token: SeLoadDriverPrivilege	5060	WMIC.exe
Token: SeSystemProfilePrivilege	5060	WMIC.exe
Token: SeSystemtimePrivilege	5060	WMIC.exe
Token: SeProfSingleProcessPrivilege	5060	WMIC.exe
Token: SeIncBasePriorityPrivilege	5060	WMIC.exe
Token: SeCreatePagefilePrivilege	5060	WMIC.exe
Token: SeBackupPrivilege	5060	WMIC.exe
Token: SeRestorePrivilege	5060	WMIC.exe
Token: SeShutdownPrivilege	5060	WMIC.exe
Token: SeDebugPrivilege	5060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5060	WMIC.exe
Token: SeRemoteShutdownPrivilege	5060	WMIC.exe
Token: SeUndockPrivilege	5060	WMIC.exe
Token: SeManageVolumePrivilege	5060	WMIC.exe
Token: 33	5060	WMIC.exe
Token: 34	5060	WMIC.exe
Token: 35	5060	WMIC.exe
Token: 36	5060	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 1600	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	84
PID 4200 wrote to memory of 1600	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	84
PID 4200 wrote to memory of 1600	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	84
PID 4200 wrote to memory of 2396	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	57
PID 4200 wrote to memory of 1816	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	85
PID 4200 wrote to memory of 1816	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	85
PID 4200 wrote to memory of 1816	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	85
PID 1816 wrote to memory of 2776	1816	net.exe	87
PID 1816 wrote to memory of 2776	1816	net.exe	87
PID 1816 wrote to memory of 2776	1816	net.exe	87
PID 4200 wrote to memory of 3452	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	88
PID 4200 wrote to memory of 3452	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	88
PID 4200 wrote to memory of 3452	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	88
PID 3452 wrote to memory of 3360	3452	net.exe	90
PID 3452 wrote to memory of 3360	3452	net.exe	90
PID 3452 wrote to memory of 3360	3452	net.exe	90
PID 4200 wrote to memory of 2424	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	19
PID 4200 wrote to memory of 2508	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	54
PID 4200 wrote to memory of 3104	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	22
PID 4200 wrote to memory of 3296	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	47
PID 4200 wrote to memory of 3396	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	46
PID 4200 wrote to memory of 3460	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	23
PID 4200 wrote to memory of 3544	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	45
PID 4200 wrote to memory of 3772	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	24
PID 4200 wrote to memory of 440	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	42
PID 4200 wrote to memory of 4344	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	28
PID 4200 wrote to memory of 2724	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	31
PID 1600 wrote to memory of 1828	1600	pziWeTX.exe	93
PID 1600 wrote to memory of 1828	1600	pziWeTX.exe	93
PID 1600 wrote to memory of 1828	1600	pziWeTX.exe	93
PID 4200 wrote to memory of 3840	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	94
PID 4200 wrote to memory of 3840	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	94
PID 4200 wrote to memory of 3840	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	94
PID 4200 wrote to memory of 628	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	105
PID 4200 wrote to memory of 628	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	105
PID 4200 wrote to memory of 628	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	105
PID 1600 wrote to memory of 1120	1600	pziWeTX.exe	104
PID 1600 wrote to memory of 1120	1600	pziWeTX.exe	104
PID 1600 wrote to memory of 1120	1600	pziWeTX.exe	104
PID 4200 wrote to memory of 2380	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	101
PID 4200 wrote to memory of 2380	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	101
PID 4200 wrote to memory of 2380	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	101
PID 1600 wrote to memory of 1108	1600	pziWeTX.exe	100
PID 1600 wrote to memory of 1108	1600	pziWeTX.exe	100
PID 1600 wrote to memory of 1108	1600	pziWeTX.exe	100
PID 4200 wrote to memory of 2228	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	102
PID 4200 wrote to memory of 2228	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	102
PID 4200 wrote to memory of 2228	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	102
PID 2228 wrote to memory of 4268	2228	net.exe	107
PID 2228 wrote to memory of 4268	2228	net.exe	107
PID 2228 wrote to memory of 4268	2228	net.exe	107
PID 4200 wrote to memory of 4300	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	108
PID 4200 wrote to memory of 4300	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	108
PID 4200 wrote to memory of 4300	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	108
PID 1600 wrote to memory of 848	1600	pziWeTX.exe	110
PID 1600 wrote to memory of 848	1600	pziWeTX.exe	110
PID 1600 wrote to memory of 848	1600	pziWeTX.exe	110
PID 848 wrote to memory of 1164	848	net.exe	112
PID 848 wrote to memory of 1164	848	net.exe	112
PID 848 wrote to memory of 1164	848	net.exe	112
PID 4300 wrote to memory of 1656	4300	cmd.exe	113
PID 4300 wrote to memory of 1656	4300	cmd.exe	113
PID 4300 wrote to memory of 1656	4300	cmd.exe	113
PID 2380 wrote to memory of 1872	2380	cmd.exe	114

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3104

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3772

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4344

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2724

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3296

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2508

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
"C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe
  "C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    PID:1108
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5060
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1120
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe" /f /reg:64
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:1768
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2776
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3360
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4268
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:1656
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:112
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:10228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads