ryuk | 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841

General

Target

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
Size

171KB
MD5

d92a64dce52edbbf70f9a5ebd25600be
SHA1

7e0a7323d4ba0454e6d54c4746dbac8373af9d0d
SHA256

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841
SHA512

a629f2c4e38b4ee3a357f24da3f5e5310081bb46617f5e67a634e6308ce946860701879a114852eb2dc30d7d5696bcf01df9715cd3f689c2b19f879701600471

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 47 IoCs

Processes:

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

pid	process
960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

description	pid	process
Token: SeDebugPrivilege	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
Token: SeBackupPrivilege	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 960 wrote to memory of 1108	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	taskhost.exe
PID 960 wrote to memory of 1176	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	Dwm.exe
PID 960 wrote to memory of 1092	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 1092	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 1092	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 1092	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 1092 wrote to memory of 1652	1092	net.exe	net1.exe
PID 1092 wrote to memory of 1652	1092	net.exe	net1.exe
PID 1092 wrote to memory of 1652	1092	net.exe	net1.exe
PID 1092 wrote to memory of 1652	1092	net.exe	net1.exe
PID 960 wrote to memory of 1136	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 1136	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 1136	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 1136	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 1136 wrote to memory of 624	1136	net.exe	net1.exe
PID 1136 wrote to memory of 624	1136	net.exe	net1.exe
PID 1136 wrote to memory of 624	1136	net.exe	net1.exe
PID 1136 wrote to memory of 624	1136	net.exe	net1.exe
PID 960 wrote to memory of 1804	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 1804	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 1804	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 1804	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 1804 wrote to memory of 1068	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1068	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1068	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1068	1804	net.exe	net1.exe
PID 960 wrote to memory of 2096	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 2096	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 2096	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 2096	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 2096 wrote to memory of 2208	2096	net.exe	net1.exe
PID 2096 wrote to memory of 2208	2096	net.exe	net1.exe
PID 2096 wrote to memory of 2208	2096	net.exe	net1.exe
PID 2096 wrote to memory of 2208	2096	net.exe	net1.exe
PID 960 wrote to memory of 18428	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18428	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18428	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18428	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 18428 wrote to memory of 18456	18428	net.exe	net1.exe
PID 18428 wrote to memory of 18456	18428	net.exe	net1.exe
PID 18428 wrote to memory of 18456	18428	net.exe	net1.exe
PID 18428 wrote to memory of 18456	18428	net.exe	net1.exe
PID 960 wrote to memory of 18468	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18468	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18468	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18468	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 18468 wrote to memory of 18496	18468	net.exe	net1.exe
PID 18468 wrote to memory of 18496	18468	net.exe	net1.exe
PID 18468 wrote to memory of 18496	18468	net.exe	net1.exe
PID 18468 wrote to memory of 18496	18468	net.exe	net1.exe
PID 960 wrote to memory of 18540	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18540	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18540	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18540	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 18540 wrote to memory of 18564	18540	net.exe	net1.exe
PID 18540 wrote to memory of 18564	18540	net.exe	net1.exe
PID 18540 wrote to memory of 18564	18540	net.exe	net1.exe
PID 18540 wrote to memory of 18564	18540	net.exe	net1.exe
PID 960 wrote to memory of 18584	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18584	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18584	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 960 wrote to memory of 18584	960	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	net.exe
PID 18584 wrote to memory of 18608	18584	net.exe	net1.exe
PID 18584 wrote to memory of 18608	18584	net.exe	net1.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
"C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1652
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:624
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1068
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2208
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:18428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:18456
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:18468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:18496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:18540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:18564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:18584
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:18608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1108-55-0x0000000030000000-0x000000003038A000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads