ryuk | 84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3

Analysis

max time kernel
204s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
Size

193KB
MD5

21256f1e6fef12bb963fff955d5f4531
SHA1

45f2ba25a028bb4756e37b810b96a32bb359b339
SHA256

84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3
SHA512

835b80e9d9db3aac6d670dde804c9caf999dd915086f1b3e037a60b572c6d6c1dc5261ee921851dbf50651be5e2eada75614be34c4e25b30e7dddd731fee1587

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
996	USUDPfv.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	USUDPfv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1628	icacls.exe
1400	icacls.exe
3320	icacls.exe
1276	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.211715"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4112"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4240"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899859291863226"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.250255"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.432897"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
996	USUDPfv.exe
996	USUDPfv.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
996	USUDPfv.exe
996	USUDPfv.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
Token: SeBackupPrivilege	996	USUDPfv.exe
Token: SeBackupPrivilege	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2976	WMIC.exe
Token: SeBackupPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2976	WMIC.exe
Token: SeDebugPrivilege	2976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2976	WMIC.exe
Token: SeRemoteShutdownPrivilege	2976	WMIC.exe
Token: SeUndockPrivilege	2976	WMIC.exe
Token: SeManageVolumePrivilege	2976	WMIC.exe
Token: 33	2976	WMIC.exe
Token: 34	2976	WMIC.exe
Token: 35	2976	WMIC.exe
Token: 36	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4464	WMIC.exe
Token: SeSecurityPrivilege	4464	WMIC.exe
Token: SeTakeOwnershipPrivilege	4464	WMIC.exe
Token: SeLoadDriverPrivilege	4464	WMIC.exe
Token: SeSystemProfilePrivilege	4464	WMIC.exe
Token: SeSystemtimePrivilege	4464	WMIC.exe
Token: SeProfSingleProcessPrivilege	4464	WMIC.exe
Token: SeIncBasePriorityPrivilege	4464	WMIC.exe
Token: SeCreatePagefilePrivilege	4464	WMIC.exe
Token: SeBackupPrivilege	4464	WMIC.exe
Token: SeRestorePrivilege	4464	WMIC.exe
Token: SeShutdownPrivilege	4464	WMIC.exe
Token: SeDebugPrivilege	4464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4464	WMIC.exe
Token: SeRemoteShutdownPrivilege	4464	WMIC.exe
Token: SeUndockPrivilege	4464	WMIC.exe
Token: SeManageVolumePrivilege	4464	WMIC.exe
Token: 33	4464	WMIC.exe
Token: 34	4464	WMIC.exe
Token: 35	4464	WMIC.exe
Token: 36	4464	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 996	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	69
PID 1852 wrote to memory of 996	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	69
PID 1852 wrote to memory of 996	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	69
PID 1852 wrote to memory of 2204	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	40
PID 1852 wrote to memory of 4068	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	70
PID 1852 wrote to memory of 4068	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	70
PID 1852 wrote to memory of 4068	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	70
PID 1852 wrote to memory of 1432	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	72
PID 1852 wrote to memory of 1432	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	72
PID 1852 wrote to memory of 1432	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	72
PID 1852 wrote to memory of 2224	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	39
PID 1852 wrote to memory of 2276	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	13
PID 1852 wrote to memory of 2528	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	37
PID 4068 wrote to memory of 3872	4068	net.exe	75
PID 4068 wrote to memory of 3872	4068	net.exe	75
PID 4068 wrote to memory of 3872	4068	net.exe	75
PID 1432 wrote to memory of 1712	1432	net.exe	74
PID 1432 wrote to memory of 1712	1432	net.exe	74
PID 1432 wrote to memory of 1712	1432	net.exe	74
PID 1852 wrote to memory of 2712	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	36
PID 1852 wrote to memory of 2816	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	35
PID 1852 wrote to memory of 2948	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	34
PID 1852 wrote to memory of 3024	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	33
PID 1852 wrote to memory of 2172	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	32
PID 1852 wrote to memory of 3372	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	30
PID 1852 wrote to memory of 2932	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	27
PID 996 wrote to memory of 1276	996	USUDPfv.exe	76
PID 996 wrote to memory of 1276	996	USUDPfv.exe	76
PID 996 wrote to memory of 1276	996	USUDPfv.exe	76
PID 996 wrote to memory of 1628	996	USUDPfv.exe	77
PID 996 wrote to memory of 1628	996	USUDPfv.exe	77
PID 996 wrote to memory of 1628	996	USUDPfv.exe	77
PID 996 wrote to memory of 3128	996	USUDPfv.exe	80
PID 996 wrote to memory of 3128	996	USUDPfv.exe	80
PID 996 wrote to memory of 3128	996	USUDPfv.exe	80
PID 996 wrote to memory of 3816	996	USUDPfv.exe	82
PID 996 wrote to memory of 3816	996	USUDPfv.exe	82
PID 996 wrote to memory of 3816	996	USUDPfv.exe	82
PID 3128 wrote to memory of 2976	3128	cmd.exe	84
PID 3128 wrote to memory of 2976	3128	cmd.exe	84
PID 3128 wrote to memory of 2976	3128	cmd.exe	84
PID 3816 wrote to memory of 2544	3816	net.exe	85
PID 3816 wrote to memory of 2544	3816	net.exe	85
PID 3816 wrote to memory of 2544	3816	net.exe	85
PID 996 wrote to memory of 2176	996	USUDPfv.exe	86
PID 996 wrote to memory of 2176	996	USUDPfv.exe	86
PID 996 wrote to memory of 2176	996	USUDPfv.exe	86
PID 2176 wrote to memory of 2164	2176	net.exe	88
PID 2176 wrote to memory of 2164	2176	net.exe	88
PID 2176 wrote to memory of 2164	2176	net.exe	88
PID 1852 wrote to memory of 1400	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	89
PID 1852 wrote to memory of 1400	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	89
PID 1852 wrote to memory of 1400	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	89
PID 1852 wrote to memory of 3320	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	94
PID 1852 wrote to memory of 3320	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	94
PID 1852 wrote to memory of 3320	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	94
PID 1852 wrote to memory of 2572	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	93
PID 1852 wrote to memory of 2572	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	93
PID 1852 wrote to memory of 2572	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	93
PID 1852 wrote to memory of 388	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	95
PID 1852 wrote to memory of 388	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	95
PID 1852 wrote to memory of 388	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	95
PID 1852 wrote to memory of 3332	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	97
PID 1852 wrote to memory of 3332	1852	84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe	97

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2276

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2172

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3024

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2948

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2224

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe
"C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe
  "C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1276
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2976
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" /f /reg:64
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USUDPfv.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:2576
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1712
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3320
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64
  2⤵
  PID:3332
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\84516cefc7fc9fb77046ae6ed0d1606eeedea4d99de335f6faa99c2f905a06c3.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:4484
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4256
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3944
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5128
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:5184
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5236
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5304

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads