ryuk | 529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967

Analysis

max time kernel
166s
max time network
145s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
Size

171KB
MD5

bb0929ec43b8eea61ab777ecd9f44541
SHA1

f1fd81590a93b8895884f2bafcd8d48de1627fdb
SHA256

529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967
SHA512

09dadd375f5faebeba2761dc7cfc6cc7cdb52ecce3798044a88c5bc165d2e6b3c3810a7ff62641363e613a5c9f512f0be5d0bbdac83f68838feaac26b78680a0

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Special warning for system administrators, network administrators and third parties: Do not try to solve this problem by yourselves! Don't change file extensions! It can be dangerous for the encrypted information! Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files.Your system administrators are trying to solve problem by simple file extension changing. This actions seriously increase the time needed to recover your company's PCs and network servers! To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 59 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
Token: SeBackupPrivilege	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1232	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	16
PID 1616 wrote to memory of 1332	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	15
PID 1616 wrote to memory of 996	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	27
PID 1616 wrote to memory of 996	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	27
PID 1616 wrote to memory of 996	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	27
PID 1616 wrote to memory of 996	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	27
PID 1616 wrote to memory of 1356	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	32
PID 1616 wrote to memory of 1356	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	32
PID 1616 wrote to memory of 1356	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	32
PID 1616 wrote to memory of 1356	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	32
PID 1616 wrote to memory of 1760	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	30
PID 1616 wrote to memory of 1760	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	30
PID 1616 wrote to memory of 1760	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	30
PID 1616 wrote to memory of 1760	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	30
PID 1616 wrote to memory of 1992	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	34
PID 1616 wrote to memory of 1992	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	34
PID 1616 wrote to memory of 1992	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	34
PID 1616 wrote to memory of 1992	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	34
PID 1992 wrote to memory of 1580	1992	net.exe	36
PID 1992 wrote to memory of 1580	1992	net.exe	36
PID 1992 wrote to memory of 1580	1992	net.exe	36
PID 1992 wrote to memory of 1580	1992	net.exe	36
PID 1356 wrote to memory of 1764	1356	net.exe	37
PID 1356 wrote to memory of 1764	1356	net.exe	37
PID 1356 wrote to memory of 1764	1356	net.exe	37
PID 1356 wrote to memory of 1764	1356	net.exe	37
PID 1760 wrote to memory of 2044	1760	net.exe	35
PID 1760 wrote to memory of 2044	1760	net.exe	35
PID 1760 wrote to memory of 2044	1760	net.exe	35
PID 1760 wrote to memory of 2044	1760	net.exe	35
PID 996 wrote to memory of 2000	996	net.exe	38
PID 996 wrote to memory of 2000	996	net.exe	38
PID 996 wrote to memory of 2000	996	net.exe	38
PID 996 wrote to memory of 2000	996	net.exe	38
PID 1616 wrote to memory of 9324	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	41
PID 1616 wrote to memory of 9324	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	41
PID 1616 wrote to memory of 9324	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	41
PID 1616 wrote to memory of 9324	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	41
PID 9324 wrote to memory of 9348	9324	net.exe	43
PID 9324 wrote to memory of 9348	9324	net.exe	43
PID 9324 wrote to memory of 9348	9324	net.exe	43
PID 9324 wrote to memory of 9348	9324	net.exe	43
PID 1616 wrote to memory of 9360	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	44
PID 1616 wrote to memory of 9360	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	44
PID 1616 wrote to memory of 9360	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	44
PID 1616 wrote to memory of 9360	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	44
PID 9360 wrote to memory of 9384	9360	net.exe	46
PID 9360 wrote to memory of 9384	9360	net.exe	46
PID 9360 wrote to memory of 9384	9360	net.exe	46
PID 9360 wrote to memory of 9384	9360	net.exe	46
PID 1616 wrote to memory of 18416	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	48
PID 1616 wrote to memory of 18416	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	48
PID 1616 wrote to memory of 18416	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	48
PID 1616 wrote to memory of 18416	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	48
PID 18416 wrote to memory of 9360	18416	net.exe	50
PID 18416 wrote to memory of 9360	18416	net.exe	50
PID 18416 wrote to memory of 9360	18416	net.exe	50
PID 18416 wrote to memory of 9360	18416	net.exe	50
PID 1616 wrote to memory of 9380	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	51
PID 1616 wrote to memory of 9380	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	51
PID 1616 wrote to memory of 9380	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	51
PID 1616 wrote to memory of 9380	1616	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	51
PID 9380 wrote to memory of 2028	9380	net.exe	53
PID 9380 wrote to memory of 2028	9380	net.exe	53

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
"C:\Users\Admin\AppData\Local\Temp\529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2000
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2044
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1764
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1580
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:9324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:9348
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:9360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:9384
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:18416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:9360
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:9380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-56-0x0000000030000000-0x000000003038A000-memory.dmp

Filesize
3.5MB

Download
memory/1616-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download