ryuk | 6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623

Analysis

max time kernel
186s
max time network
221s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
Size

121KB
MD5

b003a727c9c2e8bec5c17f849c816726
SHA1

23aabb8ab9aa4dfaa55afd29fd09487254b49dff
SHA256

6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623
SHA512

21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'dc75X5tp'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1368	HrIEuiIPErep.exe
364	voTZRquyulan.exe
392	gFgtOqHgnlan.exe

Loads dropped DLL 6 IoCs

pid	Process
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
30256	icacls.exe
34380	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\RyukReadMe.html	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1368	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	29
PID 1664 wrote to memory of 1368	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	29
PID 1664 wrote to memory of 1368	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	29
PID 1664 wrote to memory of 1368	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	29
PID 1664 wrote to memory of 364	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	30
PID 1664 wrote to memory of 364	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	30
PID 1664 wrote to memory of 364	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	30
PID 1664 wrote to memory of 364	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	30
PID 1664 wrote to memory of 392	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	31
PID 1664 wrote to memory of 392	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	31
PID 1664 wrote to memory of 392	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	31
PID 1664 wrote to memory of 392	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	31
PID 1664 wrote to memory of 30256	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	32
PID 1664 wrote to memory of 30256	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	32
PID 1664 wrote to memory of 30256	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	32
PID 1664 wrote to memory of 30256	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	32
PID 1664 wrote to memory of 34380	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	33
PID 1664 wrote to memory of 34380	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	33
PID 1664 wrote to memory of 34380	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	33
PID 1664 wrote to memory of 34380	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	33
PID 1664 wrote to memory of 79320	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	36
PID 1664 wrote to memory of 79320	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	36
PID 1664 wrote to memory of 79320	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	36
PID 1664 wrote to memory of 79320	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	36
PID 1664 wrote to memory of 79648	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	37
PID 1664 wrote to memory of 79648	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	37
PID 1664 wrote to memory of 79648	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	37
PID 1664 wrote to memory of 79648	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	37
PID 1664 wrote to memory of 96112	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	40
PID 1664 wrote to memory of 96112	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	40
PID 1664 wrote to memory of 96112	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	40
PID 1664 wrote to memory of 96112	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	40
PID 1664 wrote to memory of 96120	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	41
PID 1664 wrote to memory of 96120	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	41
PID 1664 wrote to memory of 96120	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	41
PID 1664 wrote to memory of 96120	1664	6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe	41
PID 79320 wrote to memory of 100412	79320	net.exe	44
PID 79320 wrote to memory of 100412	79320	net.exe	44
PID 79320 wrote to memory of 100412	79320	net.exe	44
PID 79320 wrote to memory of 100412	79320	net.exe	44
PID 79648 wrote to memory of 96180	79648	net.exe	47
PID 79648 wrote to memory of 96180	79648	net.exe	47
PID 79648 wrote to memory of 96180	79648	net.exe	47
PID 79648 wrote to memory of 96180	79648	net.exe	47
PID 96120 wrote to memory of 100392	96120	net.exe	45
PID 96120 wrote to memory of 100392	96120	net.exe	45
PID 96120 wrote to memory of 100392	96120	net.exe	45
PID 96120 wrote to memory of 100392	96120	net.exe	45
PID 96112 wrote to memory of 100492	96112	net.exe	46
PID 96112 wrote to memory of 100492	96112	net.exe	46
PID 96112 wrote to memory of 100492	96112	net.exe	46
PID 96112 wrote to memory of 100492	96112	net.exe	46

C:\Users\Admin\AppData\Local\Temp\6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe
"C:\Users\Admin\AppData\Local\Temp\6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\HrIEuiIPErep.exe
  "C:\Users\Admin\AppData\Local\Temp\HrIEuiIPErep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Users\Admin\AppData\Local\Temp\voTZRquyulan.exe
  "C:\Users\Admin\AppData\Local\Temp\voTZRquyulan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Users\Admin\AppData\Local\Temp\gFgtOqHgnlan.exe
  "C:\Users\Admin\AppData\Local\Temp\gFgtOqHgnlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:30256
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:34380
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:79320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:100412
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:79648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:96180
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:96112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:100492
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:96120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:100392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-54-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download