ryuk | 8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0

Analysis

max time kernel
169s
max time network
159s
platform
windows7_x64
resource
win7-en-20211208
submitted
20/02/2022, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
Size

206KB
MD5

0b8e9a08a7589c90266cf4cc724614f9
SHA1

eed7f84bbaa034d377cbb1f394c7b8c27f3fbd4a
SHA256

8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0
SHA512

fc7df8d676f07251113636954b9b97e648bdaaee22412cb7fb92ae270944759f852c77d226c0227dc0c5e4a7c10d2e1ce16c60a095427a5ae503c293856c2dad

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 60 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
1128	taskhost.exe
1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
1128	taskhost.exe
1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
1128	taskhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
Token: SeBackupPrivilege	1128	taskhost.exe
Token: SeBackupPrivilege	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 1128	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	15
PID 1576 wrote to memory of 1196	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	14
PID 1576 wrote to memory of 772	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	27
PID 1576 wrote to memory of 772	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	27
PID 1576 wrote to memory of 772	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	27
PID 1576 wrote to memory of 676	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	29
PID 1576 wrote to memory of 676	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	29
PID 1576 wrote to memory of 676	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	29
PID 676 wrote to memory of 1736	676	net.exe	32
PID 676 wrote to memory of 1736	676	net.exe	32
PID 676 wrote to memory of 1736	676	net.exe	32
PID 772 wrote to memory of 1732	772	net.exe	31
PID 772 wrote to memory of 1732	772	net.exe	31
PID 772 wrote to memory of 1732	772	net.exe	31
PID 1128 wrote to memory of 796	1128	taskhost.exe	36
PID 1128 wrote to memory of 796	1128	taskhost.exe	36
PID 1128 wrote to memory of 796	1128	taskhost.exe	36
PID 1576 wrote to memory of 1476	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	33
PID 1576 wrote to memory of 1476	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	33
PID 1576 wrote to memory of 1476	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	33
PID 796 wrote to memory of 1112	796	net.exe	37
PID 796 wrote to memory of 1112	796	net.exe	37
PID 796 wrote to memory of 1112	796	net.exe	37
PID 1476 wrote to memory of 2052	1476	net.exe	38
PID 1476 wrote to memory of 2052	1476	net.exe	38
PID 1476 wrote to memory of 2052	1476	net.exe	38
PID 1128 wrote to memory of 2272	1128	taskhost.exe	39
PID 1128 wrote to memory of 2272	1128	taskhost.exe	39
PID 1128 wrote to memory of 2272	1128	taskhost.exe	39
PID 1576 wrote to memory of 2316	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	41
PID 1576 wrote to memory of 2316	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	41
PID 1576 wrote to memory of 2316	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	41
PID 2272 wrote to memory of 2332	2272	net.exe	43
PID 2272 wrote to memory of 2332	2272	net.exe	43
PID 2272 wrote to memory of 2332	2272	net.exe	43
PID 2316 wrote to memory of 2356	2316	net.exe	44
PID 2316 wrote to memory of 2356	2316	net.exe	44
PID 2316 wrote to memory of 2356	2316	net.exe	44
PID 1576 wrote to memory of 16792	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	47
PID 1576 wrote to memory of 16792	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	47
PID 1576 wrote to memory of 16792	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	47
PID 16792 wrote to memory of 16816	16792	net.exe	49
PID 16792 wrote to memory of 16816	16792	net.exe	49
PID 16792 wrote to memory of 16816	16792	net.exe	49
PID 1128 wrote to memory of 16832	1128	taskhost.exe	50
PID 1128 wrote to memory of 16832	1128	taskhost.exe	50
PID 1128 wrote to memory of 16832	1128	taskhost.exe	50
PID 1576 wrote to memory of 16852	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	52
PID 1576 wrote to memory of 16852	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	52
PID 1576 wrote to memory of 16852	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	52
PID 16852 wrote to memory of 16884	16852	net.exe	54
PID 16852 wrote to memory of 16884	16852	net.exe	54
PID 16852 wrote to memory of 16884	16852	net.exe	54
PID 16832 wrote to memory of 16892	16832	net.exe	55
PID 16832 wrote to memory of 16892	16832	net.exe	55
PID 16832 wrote to memory of 16892	16832	net.exe	55
PID 1576 wrote to memory of 34316	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	57
PID 1576 wrote to memory of 34316	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	57
PID 1576 wrote to memory of 34316	1576	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	57
PID 34316 wrote to memory of 34340	34316	net.exe	59
PID 34316 wrote to memory of 34340	34316	net.exe	59
PID 34316 wrote to memory of 34340	34316	net.exe	59
PID 1128 wrote to memory of 34368	1128	taskhost.exe	60
PID 1128 wrote to memory of 34368	1128	taskhost.exe	60

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1196

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1112
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2332
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16892
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:34368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:34416

C:\Users\Admin\AppData\Local\Temp\8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
"C:\Users\Admin\AppData\Local\Temp\8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1732
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1736
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2356
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16816
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:34316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:34340
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:34384
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:34424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1128-56-0x000000013F5A0000-0x000000013F87B000-memory.dmp

Filesize
2.9MB

Download
memory/1128-54-0x000000013F5A0000-0x000000013F87B000-memory.dmp

Filesize
2.9MB

Download
memory/1196-58-0x000000013F5A0000-0x000000013F87B000-memory.dmp

Filesize
2.9MB

Download
memory/1576-55-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

Filesize
8KB

Download