ryuk | a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622

Analysis

max time kernel
190s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
Size

208KB
MD5

fb61f86d2ea604337ff2da9aaf4585c6
SHA1

c5c63525bda35a317348adf7f2bd7eae9dee6de8
SHA256

a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622
SHA512

a8f03d7c63f974556b9c7a2ec12ddc14b7f6124f8ec74520afb0a00e124fc932f07050d1ae64d5be600d08bc5f518a7c458d5ae4813234c32e6ed6b3a982bc69

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5232 created 2916	5232	WerFault.exe	30
PID 5372 created 1720	5372	WerFault.exe	11

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4808	2740	WerFault.exe	32
5828	2916	WerFault.exe	30
5820	1720	WerFault.exe	11

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000006f0a9ab31426d801a6a17bb71426d801a6a17bb71426d801e78e08000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454af252000373732626338623330613061376237373337343232613632306536333634663434623532353539313835306664396333613537313132393563626235396666340000b20009000400efbe5454af255454af252e00000000000000000000000000000000000000000000000000acc47e00370037003200620063003800620033003000610030006100370062003700370033003700340032003200610036003200300065003600330036003400660034003400620035003200350035003900310038003500300066006400390063003300610035003700310031003200390035006300620062003500390066006600340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000000dd3c6761000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37373262633862333061306137623737333734323261363230653633363466343462353235353931383530666439633361353731313239356362623539666634000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d687fb99499083ec1182d072fc3795919bbad9b5dc40371b4eb595e9fc647d27d687fb99499083ec1182d072fc3795919bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = 905f85c41426d801	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = 8a6b2dc31426d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\772bc8b30a0a7b7737422a620e6364f44b525591850fd9c3a5711295cbb59ff4"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000435989b31426d801ad7783bb1426d801ad7783bb1426d8016f7309000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454af252000613439323131633833616662313164653134323636363662376332343139373263623334643939373135643633353837396136646363373333316161323939610000b20009000400efbe5454af255454af252e000000000000000000000000000000000000000000000000000e278100610034003900320031003100630038003300610066006200310031006400650031003400320036003600360036006200370063003200340031003900370032006300620033003400640039003900370031003500640036003300350038003700390061003600640063006300370033003300310061006100320039003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000000dd3c6761000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c61343932313163383361666231316465313432363636366237633234313937326362333464393937313564363335383739613664636337333331616132393961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d688fb99499083ec1182d072fc3795919bbad9b5dc40371b4eb595e9fc647d27d688fb99499083ec1182d072fc3795919bce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6a1247a8-6ad6-4a7f-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\76e95318-de76-43e0-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e3912f5e-bd65-48e7-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9be0e0bd-6c00-41f6- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\a49211c83afb11de1426666b7c241972cb34d99715d635879a6dcc7331aa299a"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ce1db9a6-b422-49e2-	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\38830855-1fde-4809-	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
2224	sihost.exe
2224	sihost.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
2224	sihost.exe
2224	sihost.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
5820	WerFault.exe
5820	WerFault.exe
5828	WerFault.exe
5828	WerFault.exe
4808	WerFault.exe
4808	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
Token: SeBackupPrivilege	2224	sihost.exe
Token: SeShutdownPrivilege	2980	RuntimeBroker.exe
Token: SeBackupPrivilege	2916	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1720	BackgroundTransferHost.exe
Token: SeBackupPrivilege	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 2224	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	37
PID 3472 wrote to memory of 2244	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	36
PID 3472 wrote to memory of 2296	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	35
PID 3472 wrote to memory of 2536	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	33
PID 3472 wrote to memory of 2740	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	32
PID 3472 wrote to memory of 2916	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	30
PID 3472 wrote to memory of 2980	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	9
PID 3472 wrote to memory of 3068	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	29
PID 3472 wrote to memory of 2772	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	28
PID 3472 wrote to memory of 3496	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	26
PID 3472 wrote to memory of 2924	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	22
PID 3472 wrote to memory of 1720	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	11
PID 2740 wrote to memory of 4808	2740	DllHost.exe	60
PID 2740 wrote to memory of 4808	2740	DllHost.exe	60
PID 2224 wrote to memory of 2480	2224	sihost.exe	62
PID 2224 wrote to memory of 2480	2224	sihost.exe	62
PID 2224 wrote to memory of 2496	2224	sihost.exe	64
PID 2224 wrote to memory of 2496	2224	sihost.exe	64
PID 3472 wrote to memory of 3024	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	67
PID 3472 wrote to memory of 3024	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	67
PID 3472 wrote to memory of 1424	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	66
PID 3472 wrote to memory of 1424	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	66
PID 3024 wrote to memory of 3892	3024	net.exe	72
PID 2480 wrote to memory of 3516	2480	net.exe	73
PID 3024 wrote to memory of 3892	3024	net.exe	72
PID 2480 wrote to memory of 3516	2480	net.exe	73
PID 1424 wrote to memory of 3444	1424	net.exe	71
PID 1424 wrote to memory of 3444	1424	net.exe	71
PID 2496 wrote to memory of 2220	2496	net.exe	70
PID 2496 wrote to memory of 2220	2496	net.exe	70
PID 3472 wrote to memory of 4980	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	74
PID 3472 wrote to memory of 4980	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	74
PID 3472 wrote to memory of 5132	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	75
PID 3472 wrote to memory of 5132	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	75
PID 4980 wrote to memory of 5252	4980	net.exe	79
PID 4980 wrote to memory of 5252	4980	net.exe	79
PID 5132 wrote to memory of 5260	5132	net.exe	80
PID 5132 wrote to memory of 5260	5132	net.exe	80
PID 5232 wrote to memory of 2916	5232	WerFault.exe	30
PID 5232 wrote to memory of 2916	5232	WerFault.exe	30
PID 5372 wrote to memory of 1720	5372	WerFault.exe	11
PID 5372 wrote to memory of 1720	5372	WerFault.exe	11
PID 2224 wrote to memory of 5648	2224	sihost.exe	84
PID 2224 wrote to memory of 5648	2224	sihost.exe	84
PID 5648 wrote to memory of 5708	5648	net.exe	86
PID 5648 wrote to memory of 5708	5648	net.exe	86
PID 2224 wrote to memory of 5728	2224	sihost.exe	87
PID 2224 wrote to memory of 5728	2224	sihost.exe	87
PID 5728 wrote to memory of 5780	5728	net.exe	89
PID 5728 wrote to memory of 5780	5728	net.exe	89
PID 3472 wrote to memory of 6020	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	93
PID 3472 wrote to memory of 6020	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	93
PID 3472 wrote to memory of 6028	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	92
PID 3472 wrote to memory of 6028	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	92
PID 6028 wrote to memory of 6104	6028	net.exe	96
PID 6028 wrote to memory of 6104	6028	net.exe	96
PID 6020 wrote to memory of 6116	6020	net.exe	97
PID 6020 wrote to memory of 6116	6020	net.exe	97
PID 3472 wrote to memory of 3784	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	98
PID 3472 wrote to memory of 5124	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	99
PID 3472 wrote to memory of 5124	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	99
PID 3472 wrote to memory of 3784	3472	a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe	98
PID 5124 wrote to memory of 3900	5124	net.exe	103
PID 3784 wrote to memory of 4552	3784	net.exe	102

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1720 -s 1264
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3496

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3068

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2916 -s 2804
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:5828

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2740 -s 1004
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2536

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2244

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3516
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2220
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5708
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5780

C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe
"C:\Users\Admin\AppData\Local\Temp\a93ebb14d2792370f7009b9accdc6901c90d4bdc5811c91002d19a6364825622.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3444
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3892
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5252
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5260
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6104
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6116
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4552
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5124
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2916 -ip 2916
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 1720 -ip 1720
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2224-130-0x00007FF7496B0000-0x00007FF74998C000-memory.dmp

Filesize
2.9MB

Download
memory/2244-131-0x00007FF7496B0000-0x00007FF74998C000-memory.dmp

Filesize
2.9MB

Download
memory/3496-132-0x00007FF7496B0000-0x00007FF74998C000-memory.dmp

Filesize
2.9MB

Download