ryuk | 748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43

Analysis

max time kernel
214s
max time network
234s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20/02/2022, 05:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
Size

205KB
MD5

9a93f9da4f9556fde6ba47ed634bf5ca
SHA1

56d1f6d60411119dbd5e58581af2440cc6acc78d
SHA256

748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43
SHA512

9f77b6f8c0847d1a9f4aacd75bac316e204b1d18cf83d23fb189e0b6bc8ac06e1307cb0bea2d0d9d030d930fc22a9e661a6097f073168e6f3260978f7b614e9e

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a RemyngtonBourne@protonmail.com or Haniganagustine97@protonmail.com You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

RemyngtonBourne@protonmail.com

Haniganagustine97@protonmail.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4316	2712	WerFault.exe	33

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899874700148141"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.067898"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4108"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-790714498-1549421491-1643397139-1000\{73559BCE-0E00-46FF-8843-3961E82EC1A4}	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
2204	sihost.exe
2204	sihost.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
2204	sihost.exe
2204	sihost.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
2204	sihost.exe
2204	sihost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
Token: SeBackupPrivilege	2204	sihost.exe
Token: SeBackupPrivilege	2816	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
Token: SeShutdownPrivilege	2948	RuntimeBroker.exe
Token: SeShutdownPrivilege	2948	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4616	StartMenuExperienceHost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2948	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2204	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	36
PID 1540 wrote to memory of 2224	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	9
PID 1540 wrote to memory of 2276	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	10
PID 1540 wrote to memory of 2528	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	34
PID 1540 wrote to memory of 2712	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	33
PID 1540 wrote to memory of 2816	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	11
PID 1540 wrote to memory of 2948	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	12
PID 1540 wrote to memory of 3024	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	31
PID 1540 wrote to memory of 2172	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	13
PID 1540 wrote to memory of 3372	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	29
PID 1540 wrote to memory of 2932	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	27
PID 1540 wrote to memory of 2676	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	21
PID 2712 wrote to memory of 4316	2712	DllHost.exe	62
PID 2712 wrote to memory of 4316	2712	DllHost.exe	62
PID 1540 wrote to memory of 3148	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	65
PID 1540 wrote to memory of 3148	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	65
PID 2204 wrote to memory of 4236	2204	sihost.exe	66
PID 2204 wrote to memory of 4236	2204	sihost.exe	66
PID 1540 wrote to memory of 4532	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	70
PID 1540 wrote to memory of 4532	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	70
PID 2204 wrote to memory of 3052	2204	sihost.exe	67
PID 2204 wrote to memory of 3052	2204	sihost.exe	67
PID 2204 wrote to memory of 5180	2204	sihost.exe	71
PID 2204 wrote to memory of 5180	2204	sihost.exe	71
PID 1540 wrote to memory of 5488	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	78
PID 1540 wrote to memory of 5488	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	78
PID 1540 wrote to memory of 5496	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	77
PID 1540 wrote to memory of 5496	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	77
PID 3148 wrote to memory of 5736	3148	net.exe	80
PID 3148 wrote to memory of 5736	3148	net.exe	80
PID 5488 wrote to memory of 5744	5488	net.exe	79
PID 5488 wrote to memory of 5744	5488	net.exe	79
PID 4532 wrote to memory of 5768	4532	net.exe	81
PID 4532 wrote to memory of 5768	4532	net.exe	81
PID 3052 wrote to memory of 5776	3052	net.exe	82
PID 3052 wrote to memory of 5776	3052	net.exe	82
PID 4236 wrote to memory of 5784	4236	net.exe	83
PID 4236 wrote to memory of 5784	4236	net.exe	83
PID 5180 wrote to memory of 5792	5180	net.exe	84
PID 5180 wrote to memory of 5792	5180	net.exe	84
PID 5496 wrote to memory of 5824	5496	net.exe	85
PID 5496 wrote to memory of 5824	5496	net.exe	85
PID 1540 wrote to memory of 5840	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	86
PID 1540 wrote to memory of 5840	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	86
PID 1540 wrote to memory of 5920	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	88
PID 1540 wrote to memory of 5920	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	88
PID 5840 wrote to memory of 5992	5840	net.exe	91
PID 5840 wrote to memory of 5992	5840	net.exe	91
PID 5920 wrote to memory of 6000	5920	net.exe	90
PID 5920 wrote to memory of 6000	5920	net.exe	90
PID 2204 wrote to memory of 5800	2204	sihost.exe	95
PID 2204 wrote to memory of 5800	2204	sihost.exe	95
PID 2204 wrote to memory of 5108	2204	sihost.exe	97
PID 2204 wrote to memory of 5108	2204	sihost.exe	97
PID 2204 wrote to memory of 3744	2204	sihost.exe	99
PID 2204 wrote to memory of 3744	2204	sihost.exe	99
PID 5800 wrote to memory of 3328	5800	net.exe	101
PID 5800 wrote to memory of 3328	5800	net.exe	101
PID 5108 wrote to memory of 4612	5108	net.exe	103
PID 5108 wrote to memory of 4612	5108	net.exe	103
PID 3744 wrote to memory of 5200	3744	net.exe	102
PID 3744 wrote to memory of 5200	3744	net.exe	102
PID 1540 wrote to memory of 4504	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	106
PID 1540 wrote to memory of 4504	1540	748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe	106

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2224

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2172

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2676

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2712 -s 1000
  2⤵
  - Program crash
  PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2528

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:5784
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5776
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5792
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:3328
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4612
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5200
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  PID:6388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:6440
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:6460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:6512
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:6532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6584

C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe
"C:\Users\Admin\AppData\Local\Temp\748f2eb6ab11cdadd9a9db133aa4731c10de8c6a6f77d7da56a3e1e92615aa43.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:5736
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:5768
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5824
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5744
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5992
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6000
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  PID:4504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:1428
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  PID:684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:3288
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:1220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5352
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:5104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5080
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3788
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3476
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6072

Network

GET

http://crl4.digicert.com/DigiCertGlobalRootCA.crl

Remote address:

93.184.220.29:80

Request

GET /DigiCertGlobalRootCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: crl4.digicert.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 2245
Cache-Control: max-age=10800
Content-Type: application/pkix-crl
Date: Sun, 20 Feb 2022 06:08:41 GMT
Etag: "455141192"
Expires: Sun, 20 Feb 2022 09:08:41 GMT
Last-Modified: Wed, 16 Feb 2022 21:15:06 GMT
Server: ECS (amb/6B91)
X-Cache: HIT
Content-Length: 631
DNS

geo.prod.do.dsp.mp.microsoft.com

NetworkService

Remote address:

8.8.8.8:53

Request

geo.prod.do.dsp.mp.microsoft.com

IN A

Response

geo.prod.do.dsp.mp.microsoft.com

IN CNAME

geo.prod.do.dsp.trafficmanager.net

geo.prod.do.dsp.trafficmanager.net

IN CNAME

array608.prod.do.dsp.mp.microsoft.com

array608.prod.do.dsp.mp.microsoft.com

IN A

51.104.167.245
DNS

kv801.prod.do.dsp.mp.microsoft.com

NetworkService

Remote address:

8.8.8.8:53

Request

kv801.prod.do.dsp.mp.microsoft.com

IN A

Response

kv801.prod.do.dsp.mp.microsoft.com

IN CNAME

kv801.prod.do.dsp.mp.microsoft.com.edgekey.net

kv801.prod.do.dsp.mp.microsoft.com.edgekey.net

IN CNAME

e12437.g.akamaiedge.net

e12437.g.akamaiedge.net

IN A

184.29.205.60
GET

https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1

NetworkService

Remote address:

184.29.205.60:443

Request

GET /all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Microsoft-Delivery-Optimization/10.0
MS-CV: WsWKO+E/RUSI2oiZ.2.1.1
Content-Length: 0
Host: kv801.prod.do.dsp.mp.microsoft.com

Response

HTTP/1.1 200 OK

Content-Type: text/json
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 808
Cache-Control: max-age=322
Date: Sun, 20 Feb 2022 06:11:19 GMT
Connection: keep-alive
DNS

cp801.prod.do.dsp.mp.microsoft.com

NetworkService

Remote address:

8.8.8.8:53

Request

cp801.prod.do.dsp.mp.microsoft.com

IN A

Response

cp801.prod.do.dsp.mp.microsoft.com

IN CNAME

cp801.prod.do.dsp.mp.microsoft.com.edgekey.net

cp801.prod.do.dsp.mp.microsoft.com.edgekey.net

IN CNAME

e12437.g.akamaiedge.net

e12437.g.akamaiedge.net

IN A

184.29.205.60
GET

https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1

NetworkService

Remote address:

184.29.205.60:443

Request

GET /v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Microsoft-Delivery-Optimization/10.0
MS-CV: fGaNESRY70uPCuTNchFYQw.0.2.8.1.1.1
Content-Length: 0
Host: cp801.prod.do.dsp.mp.microsoft.com

Response

HTTP/1.1 200 OK

Content-Type: text/json
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 373
Cache-Control: max-age=35073
Date: Sun, 20 Feb 2022 06:11:29 GMT
Connection: keep-alive

93.184.220.29:80

260 B
5
93.184.220.29:80

322 B
7
93.184.220.29:80

http://crl4.digicert.com/DigiCertGlobalRootCA.crl

http

464 B
1.2kB
7
5

HTTP Request

GET http://crl4.digicert.com/DigiCertGlobalRootCA.crl

HTTP Response

200
51.104.167.245:443

geo.prod.do.dsp.mp.microsoft.com

tls, https

NetworkService

1.2kB
3.5kB
12
9
184.29.205.60:443

https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1

tls, http

NetworkService

1.0kB
7.7kB
8
11

HTTP Request

GET https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1

HTTP Response

200
184.29.205.60:443

https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1

tls, http

NetworkService

1.2kB
7.2kB
8
11

HTTP Request

GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=1

HTTP Response

200

8.8.8.8:53

geo.prod.do.dsp.mp.microsoft.com

dns

NetworkService

78 B
165 B
1
1

DNS Request

geo.prod.do.dsp.mp.microsoft.com

DNS Response

51.104.167.245
8.8.8.8:53

kv801.prod.do.dsp.mp.microsoft.com

dns

NetworkService

80 B
190 B
1
1

DNS Request

kv801.prod.do.dsp.mp.microsoft.com

DNS Response

184.29.205.60
8.8.8.8:53

cp801.prod.do.dsp.mp.microsoft.com

dns

NetworkService

80 B
190 B
1
1

DNS Request

cp801.prod.do.dsp.mp.microsoft.com

DNS Response

184.29.205.60

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-131-0x00007FF70BD10000-0x00007FF70C0A6000-memory.dmp

Filesize
3.6MB

Download
memory/2224-132-0x00007FF70BD10000-0x00007FF70C0A6000-memory.dmp

Filesize
3.6MB

Download
memory/2712-150-0x000001F617080000-0x000001F617088000-memory.dmp

Filesize
32KB

Download
memory/2712-152-0x000001F617070000-0x000001F617071000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.