ryuk | 7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030

Analysis

max time kernel
184s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
Size

189KB
MD5

090826c3c34fb53a639f1d2919e1b44c
SHA1

ab355fed7323cb1dfaf1e32833acd77ffa23c287
SHA256

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
SHA512

d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
1148	PqdfzJO.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	PqdfzJO.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4512	icacls.exe
4756	icacls.exe
4752	icacls.exe
2372	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PqdfzJO.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1148	PqdfzJO.exe
1148	PqdfzJO.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1148	PqdfzJO.exe
1148	PqdfzJO.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
Token: SeBackupPrivilege	1148	PqdfzJO.exe
Token: SeBackupPrivilege	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
Token: SeIncreaseQuotaPrivilege	3568	WMIC.exe
Token: SeSecurityPrivilege	3568	WMIC.exe
Token: SeTakeOwnershipPrivilege	3568	WMIC.exe
Token: SeLoadDriverPrivilege	3568	WMIC.exe
Token: SeSystemProfilePrivilege	3568	WMIC.exe
Token: SeSystemtimePrivilege	3568	WMIC.exe
Token: SeProfSingleProcessPrivilege	3568	WMIC.exe
Token: SeIncBasePriorityPrivilege	3568	WMIC.exe
Token: SeCreatePagefilePrivilege	3568	WMIC.exe
Token: SeBackupPrivilege	3568	WMIC.exe
Token: SeRestorePrivilege	3568	WMIC.exe
Token: SeShutdownPrivilege	3568	WMIC.exe
Token: SeDebugPrivilege	3568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3568	WMIC.exe
Token: SeRemoteShutdownPrivilege	3568	WMIC.exe
Token: SeUndockPrivilege	3568	WMIC.exe
Token: SeManageVolumePrivilege	3568	WMIC.exe
Token: 33	3568	WMIC.exe
Token: 34	3568	WMIC.exe
Token: 35	3568	WMIC.exe
Token: 36	3568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3720	WMIC.exe
Token: SeSecurityPrivilege	3720	WMIC.exe
Token: SeTakeOwnershipPrivilege	3720	WMIC.exe
Token: SeLoadDriverPrivilege	3720	WMIC.exe
Token: SeSystemProfilePrivilege	3720	WMIC.exe
Token: SeSystemtimePrivilege	3720	WMIC.exe
Token: SeProfSingleProcessPrivilege	3720	WMIC.exe
Token: SeIncBasePriorityPrivilege	3720	WMIC.exe
Token: SeCreatePagefilePrivilege	3720	WMIC.exe
Token: SeBackupPrivilege	3720	WMIC.exe
Token: SeRestorePrivilege	3720	WMIC.exe
Token: SeShutdownPrivilege	3720	WMIC.exe
Token: SeDebugPrivilege	3720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3720	WMIC.exe
Token: SeRemoteShutdownPrivilege	3720	WMIC.exe
Token: SeUndockPrivilege	3720	WMIC.exe
Token: SeManageVolumePrivilege	3720	WMIC.exe
Token: 33	3720	WMIC.exe
Token: 34	3720	WMIC.exe
Token: 35	3720	WMIC.exe
Token: 36	3720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3568	WMIC.exe
Token: SeSecurityPrivilege	3568	WMIC.exe
Token: SeTakeOwnershipPrivilege	3568	WMIC.exe
Token: SeLoadDriverPrivilege	3568	WMIC.exe
Token: SeSystemProfilePrivilege	3568	WMIC.exe
Token: SeSystemtimePrivilege	3568	WMIC.exe
Token: SeProfSingleProcessPrivilege	3568	WMIC.exe
Token: SeIncBasePriorityPrivilege	3568	WMIC.exe
Token: SeCreatePagefilePrivilege	3568	WMIC.exe
Token: SeBackupPrivilege	3568	WMIC.exe
Token: SeRestorePrivilege	3568	WMIC.exe
Token: SeShutdownPrivilege	3568	WMIC.exe
Token: SeDebugPrivilege	3568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3568	WMIC.exe
Token: SeRemoteShutdownPrivilege	3568	WMIC.exe
Token: SeUndockPrivilege	3568	WMIC.exe
Token: SeManageVolumePrivilege	3568	WMIC.exe
Token: 33	3568	WMIC.exe
Token: 34	3568	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1148	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	84
PID 1392 wrote to memory of 1148	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	84
PID 1392 wrote to memory of 1148	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	84
PID 1392 wrote to memory of 2344	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	54
PID 1392 wrote to memory of 4800	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	85
PID 1392 wrote to memory of 4800	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	85
PID 1392 wrote to memory of 4800	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	85
PID 1392 wrote to memory of 2380	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	53
PID 1392 wrote to memory of 2440	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	52
PID 1392 wrote to memory of 2992	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	42
PID 1392 wrote to memory of 3284	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	41
PID 1392 wrote to memory of 3372	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	40
PID 1392 wrote to memory of 3452	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	17
PID 1392 wrote to memory of 4820	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	87
PID 1392 wrote to memory of 4820	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	87
PID 1392 wrote to memory of 4820	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	87
PID 1392 wrote to memory of 3548	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	39
PID 1392 wrote to memory of 3832	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	38
PID 1392 wrote to memory of 2032	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	35
PID 1392 wrote to memory of 3736	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	24
PID 1392 wrote to memory of 3732	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	23
PID 1392 wrote to memory of 1316	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	21
PID 4820 wrote to memory of 4452	4820	net.exe	89
PID 4820 wrote to memory of 4452	4820	net.exe	89
PID 4820 wrote to memory of 4452	4820	net.exe	89
PID 4800 wrote to memory of 804	4800	net.exe	90
PID 4800 wrote to memory of 804	4800	net.exe	90
PID 4800 wrote to memory of 804	4800	net.exe	90
PID 1148 wrote to memory of 4756	1148	PqdfzJO.exe	91
PID 1148 wrote to memory of 4756	1148	PqdfzJO.exe	91
PID 1148 wrote to memory of 4756	1148	PqdfzJO.exe	91
PID 1148 wrote to memory of 4752	1148	PqdfzJO.exe	92
PID 1148 wrote to memory of 4752	1148	PqdfzJO.exe	92
PID 1148 wrote to memory of 4752	1148	PqdfzJO.exe	92
PID 1148 wrote to memory of 4160	1148	PqdfzJO.exe	95
PID 1148 wrote to memory of 4160	1148	PqdfzJO.exe	95
PID 1148 wrote to memory of 4160	1148	PqdfzJO.exe	95
PID 4160 wrote to memory of 3568	4160	cmd.exe	97
PID 4160 wrote to memory of 3568	4160	cmd.exe	97
PID 4160 wrote to memory of 3568	4160	cmd.exe	97
PID 1148 wrote to memory of 3580	1148	PqdfzJO.exe	98
PID 1148 wrote to memory of 3580	1148	PqdfzJO.exe	98
PID 1148 wrote to memory of 3580	1148	PqdfzJO.exe	98
PID 3580 wrote to memory of 1236	3580	net.exe	100
PID 3580 wrote to memory of 1236	3580	net.exe	100
PID 3580 wrote to memory of 1236	3580	net.exe	100
PID 1148 wrote to memory of 4564	1148	PqdfzJO.exe	101
PID 1148 wrote to memory of 4564	1148	PqdfzJO.exe	101
PID 1148 wrote to memory of 4564	1148	PqdfzJO.exe	101
PID 4564 wrote to memory of 4000	4564	net.exe	103
PID 4564 wrote to memory of 4000	4564	net.exe	103
PID 4564 wrote to memory of 4000	4564	net.exe	103
PID 1392 wrote to memory of 2372	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	104
PID 1392 wrote to memory of 2372	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	104
PID 1392 wrote to memory of 2372	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	104
PID 1392 wrote to memory of 4512	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	107
PID 1392 wrote to memory of 4512	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	107
PID 1392 wrote to memory of 4512	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	107
PID 1392 wrote to memory of 4532	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	106
PID 1392 wrote to memory of 4532	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	106
PID 1392 wrote to memory of 4532	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	106
PID 1392 wrote to memory of 3448	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	110
PID 1392 wrote to memory of 3448	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	110
PID 1392 wrote to memory of 3448	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	110

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1316

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3732

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3736

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2032

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2992

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
"C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe
  "C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4756
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3568
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:1236
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" /f /reg:64
    3⤵
    PID:5212
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:5436
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:5224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:5420
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:804
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4452
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3720
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4512
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:548
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4972
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5428
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5240
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5408
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:11108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5156
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:11232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:11184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads