ryuk | 8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0

Analysis

max time kernel
173s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
Size

206KB
MD5

0b8e9a08a7589c90266cf4cc724614f9
SHA1

eed7f84bbaa034d377cbb1f394c7b8c27f3fbd4a
SHA256

8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0
SHA512

fc7df8d676f07251113636954b9b97e648bdaaee22412cb7fb92ae270944759f852c77d226c0227dc0c5e4a7c10d2e1ce16c60a095427a5ae503c293856c2dad

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 1432 created 2736	1432	WerFault.exe	25
PID 4548 created 3360	4548	WerFault.exe	14
PID 1564 created 2832	1564	WerFault.exe	24

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4632	2736	WerFault.exe	25
5852	2832	WerFault.exe	24
5844	3360	WerFault.exe	14
5860	2736	WerFault.exe	25

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
2172	sihost.exe
2172	sihost.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
2172	sihost.exe
2172	sihost.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
5844	WerFault.exe
5844	WerFault.exe
5852	WerFault.exe
5852	WerFault.exe
4632	WerFault.exe
4632	WerFault.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
2172	sihost.exe
2172	sihost.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
Token: SeBackupPrivilege	2172	sihost.exe
Token: SeBackupPrivilege	2832	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	3360	backgroundTaskHost.exe
Token: SeBackupPrivilege	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 2172	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	30
PID 3844 wrote to memory of 2192	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	29
PID 3844 wrote to memory of 2240	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	28
PID 3844 wrote to memory of 2548	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	26
PID 3844 wrote to memory of 2736	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	25
PID 3844 wrote to memory of 2832	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	24
PID 3844 wrote to memory of 2896	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	3
PID 3844 wrote to memory of 2976	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	23
PID 3844 wrote to memory of 2868	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	4
PID 3844 wrote to memory of 3392	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	5
PID 3844 wrote to memory of 1392	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	60
PID 3844 wrote to memory of 1392	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	60
PID 3844 wrote to memory of 544	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	11
PID 3844 wrote to memory of 3876	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	62
PID 3844 wrote to memory of 3876	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	62
PID 1392 wrote to memory of 3416	1392	net.exe	64
PID 1392 wrote to memory of 3416	1392	net.exe	64
PID 3876 wrote to memory of 3472	3876	net.exe	65
PID 3876 wrote to memory of 3472	3876	net.exe	65
PID 3844 wrote to memory of 3360	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	14
PID 3844 wrote to memory of 1952	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	17
PID 2172 wrote to memory of 2748	2172	sihost.exe	66
PID 2172 wrote to memory of 2748	2172	sihost.exe	66
PID 2748 wrote to memory of 3620	2748	net.exe	68
PID 2748 wrote to memory of 3620	2748	net.exe	68
PID 2172 wrote to memory of 3440	2172	sihost.exe	70
PID 2172 wrote to memory of 3440	2172	sihost.exe	70
PID 3440 wrote to memory of 3256	3440	net.exe	72
PID 3440 wrote to memory of 3256	3440	net.exe	72
PID 3844 wrote to memory of 4972	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	78
PID 3844 wrote to memory of 4972	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	78
PID 3844 wrote to memory of 5004	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	80
PID 3844 wrote to memory of 5004	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	80
PID 4972 wrote to memory of 4748	4972	net.exe	82
PID 4972 wrote to memory of 4748	4972	net.exe	82
PID 5004 wrote to memory of 5588	5004	net.exe	83
PID 5004 wrote to memory of 5588	5004	net.exe	83
PID 2736 wrote to memory of 4632	2736	DllHost.exe	77
PID 2736 wrote to memory of 4632	2736	DllHost.exe	77
PID 4548 wrote to memory of 3360	4548	WerFault.exe	14
PID 1432 wrote to memory of 2736	1432	WerFault.exe	25
PID 4548 wrote to memory of 3360	4548	WerFault.exe	14
PID 1432 wrote to memory of 2736	1432	WerFault.exe	25
PID 1564 wrote to memory of 2832	1564	WerFault.exe	24
PID 1564 wrote to memory of 2832	1564	WerFault.exe	24
PID 3844 wrote to memory of 5952	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	87
PID 3844 wrote to memory of 5952	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	87
PID 3844 wrote to memory of 5964	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	88
PID 3844 wrote to memory of 5964	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	88
PID 5952 wrote to memory of 6052	5952	net.exe	91
PID 5952 wrote to memory of 6052	5952	net.exe	91
PID 5964 wrote to memory of 6064	5964	net.exe	92
PID 5964 wrote to memory of 6064	5964	net.exe	92
PID 2172 wrote to memory of 6128	2172	sihost.exe	93
PID 2172 wrote to memory of 6128	2172	sihost.exe	93
PID 2172 wrote to memory of 6140	2172	sihost.exe	94
PID 2172 wrote to memory of 6140	2172	sihost.exe	94
PID 6128 wrote to memory of 5436	6128	net.exe	98
PID 6128 wrote to memory of 5436	6128	net.exe	98
PID 6140 wrote to memory of 3832	6140	net.exe	99
PID 6140 wrote to memory of 3832	6140	net.exe	99
PID 3844 wrote to memory of 2800	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	102
PID 3844 wrote to memory of 2800	3844	8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe	102
PID 2800 wrote to memory of 3488	2800	net.exe	104

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3392

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:544

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3360 -s 3052
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2832 -s 2752
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:5852

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2736 -s 392
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2736 -s 392
  2⤵
  - Program crash
  PID:5860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2548

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2192

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3620
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3256
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5436
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3832
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6184
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6176

C:\Users\Admin\AppData\Local\Temp\8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe
"C:\Users\Admin\AppData\Local\Temp\8e4613bf8ccd6a5574461721d90cdb0ca36c0acc26e25deb24f3311cb1ebf9e0.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3416
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3472
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4748
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5588
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6064
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3488
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4160
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:6084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6160
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:4156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6168
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:6284
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6344
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:6372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2736 -ip 2736
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2832 -ip 2832
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 3360 -ip 3360
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2172-130-0x00007FF7C93D0000-0x00007FF7C96AB000-memory.dmp

Filesize
2.9MB

Download
memory/2192-131-0x00007FF7C93D0000-0x00007FF7C96AB000-memory.dmp

Filesize
2.9MB

Download
memory/3360-133-0x00007FF7C93D0000-0x00007FF7C96AB000-memory.dmp

Filesize
2.9MB

Download
memory/3392-132-0x00007FF7C93D0000-0x00007FF7C96AB000-memory.dmp

Filesize
2.9MB

Download