Analysis Overview
SHA256
6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20
Threat Level: Known bad
The file 6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 06:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 06:10
Reported
2022-02-20 06:42
Platform
win7-en-20211208
Max time kernel
171s
Max time network
146s
Command Line
Signatures
Ryuk
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe
"C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe"
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
Files
memory/1624-55-0x0000000076641000-0x0000000076643000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 06:10
Reported
2022-02-20 06:45
Platform
win10v2004-en-20220113
Max time kernel
189s
Max time network
226s
Command Line
Signatures
Ryuk
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe
"C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe"
Network
| Country | Destination | Domain | Proto |
| US | 72.21.91.29:80 | tcp | |
| NL | 104.110.191.140:80 | tcp |