ryuk | b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d

Analysis

max time kernel
165s
max time network
208s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
Size

121KB
MD5

6230b3044d91004700121402341d9bc6
SHA1

d98bd8631a432e1c5e5d091fd4085901a8935972
SHA256

b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d
SHA512

1a9afa17b70f5d6976cb61fadd418a6481ed605fb7813575ff02bad45099c1460933ffeafe60c6545a0fe1ca3943c32a0e7d668bb14093bc6520a5cace9373bd

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'HrP7O1qDZDw'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
468	QMSnnPhvvrep.exe
1840	tegAdYlqFlan.exe
1636	iZizWujgglan.exe

Loads dropped DLL 6 IoCs

pid	Process
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
38516	icacls.exe
38524	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\RyukReadMe.html	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 468	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	27
PID 628 wrote to memory of 468	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	27
PID 628 wrote to memory of 468	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	27
PID 628 wrote to memory of 468	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	27
PID 628 wrote to memory of 1840	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	30
PID 628 wrote to memory of 1840	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	30
PID 628 wrote to memory of 1840	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	30
PID 628 wrote to memory of 1840	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	30
PID 628 wrote to memory of 1636	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	31
PID 628 wrote to memory of 1636	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	31
PID 628 wrote to memory of 1636	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	31
PID 628 wrote to memory of 1636	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	31
PID 628 wrote to memory of 38516	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	32
PID 628 wrote to memory of 38516	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	32
PID 628 wrote to memory of 38516	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	32
PID 628 wrote to memory of 38516	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	32
PID 628 wrote to memory of 38524	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	33
PID 628 wrote to memory of 38524	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	33
PID 628 wrote to memory of 38524	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	33
PID 628 wrote to memory of 38524	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	33
PID 628 wrote to memory of 129040	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	36
PID 628 wrote to memory of 129040	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	36
PID 628 wrote to memory of 129040	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	36
PID 628 wrote to memory of 129040	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	36
PID 628 wrote to memory of 129072	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	38
PID 628 wrote to memory of 129072	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	38
PID 628 wrote to memory of 129072	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	38
PID 628 wrote to memory of 129072	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	38
PID 628 wrote to memory of 129476	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	40
PID 628 wrote to memory of 129476	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	40
PID 628 wrote to memory of 129476	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	40
PID 628 wrote to memory of 129476	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	40
PID 628 wrote to memory of 129488	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	39
PID 628 wrote to memory of 129488	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	39
PID 628 wrote to memory of 129488	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	39
PID 628 wrote to memory of 129488	628	b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe	39
PID 129040 wrote to memory of 130596	129040	net.exe	44
PID 129040 wrote to memory of 130596	129040	net.exe	44
PID 129040 wrote to memory of 130596	129040	net.exe	44
PID 129040 wrote to memory of 130596	129040	net.exe	44
PID 129488 wrote to memory of 131940	129488	net.exe	47
PID 129488 wrote to memory of 131940	129488	net.exe	47
PID 129488 wrote to memory of 131940	129488	net.exe	47
PID 129488 wrote to memory of 131940	129488	net.exe	47
PID 129072 wrote to memory of 131948	129072	net.exe	46
PID 129072 wrote to memory of 131948	129072	net.exe	46
PID 129072 wrote to memory of 131948	129072	net.exe	46
PID 129072 wrote to memory of 131948	129072	net.exe	46
PID 129476 wrote to memory of 132028	129476	net.exe	45
PID 129476 wrote to memory of 132028	129476	net.exe	45
PID 129476 wrote to memory of 132028	129476	net.exe	45
PID 129476 wrote to memory of 132028	129476	net.exe	45

C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe
"C:\Users\Admin\AppData\Local\Temp\b53e77ab55abf1c7cc68a06e6260810948444cefe57b306febfed7e1f6c7619d.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\QMSnnPhvvrep.exe
  "C:\Users\Admin\AppData\Local\Temp\QMSnnPhvvrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Users\Admin\AppData\Local\Temp\tegAdYlqFlan.exe
  "C:\Users\Admin\AppData\Local\Temp\tegAdYlqFlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\iZizWujgglan.exe
  "C:\Users\Admin\AppData\Local\Temp\iZizWujgglan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:38516
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:38524
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:129040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:130596
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:129072
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:131948
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:129488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:131940
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:129476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:132028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-54-0x0000000076C61000-0x0000000076C63000-memory.dmp

Filesize
8KB

Download