ryuk | 00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de

Analysis

max time kernel
4294137s
max time network
124s
platform
windows7_x64
resource
win7-20220223-en
submitted
02-03-2022 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
Size

448KB
MD5

bf7b854542cfa423dee3b7233c4a255e
SHA1

a9b09989972cc063b34c4afcd82ebe9203d61be2
SHA256

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de
SHA512

147205767585c86b29435ca44a605d06208b7e126007fbc3d5a8c1a30896f03c0d832c07608895cd1e14b3966853306ebac1058f02c2e68efc8f89fad938cada

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
764	XqBtfkc.exe
1636	XqBtfkc.exe

Loads dropped DLL 3 IoCs

pid	Process
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
764	XqBtfkc.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1812	icacls.exe
1760	icacls.exe
8748	icacls.exe
8740	icacls.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 516	956	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	27
PID 764 set thread context of 1636	764	XqBtfkc.exe	29

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21319_.GIF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_spellcheck.gif	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02958_.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado25.tlb	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\WT61FR.LEX	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106146.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152594.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212299.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.JPG	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01168_.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETLG.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01296_.GIF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\IRIS.ELM	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182946.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\PREVIEW.GIF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdate.cer	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\DATES.XML	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233312.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21303_.GIF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00932_.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01329_.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\RyukReadMe.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\gadget.xml	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Composite.eftx	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\localizedStrings.js	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05869_.WMF	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1952	vssadmin.exe
9288	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1636	XqBtfkc.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe
1636	XqBtfkc.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
956	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
764	XqBtfkc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
Token: SeBackupPrivilege	1524	vssvc.exe
Token: SeRestorePrivilege	1524	vssvc.exe
Token: SeAuditPrivilege	1524	vssvc.exe
Token: SeBackupPrivilege	1636	XqBtfkc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
956	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
764	XqBtfkc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 516	956	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	27
PID 956 wrote to memory of 516	956	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	27
PID 956 wrote to memory of 516	956	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	27
PID 956 wrote to memory of 516	956	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	27
PID 956 wrote to memory of 516	956	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	27
PID 516 wrote to memory of 764	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	28
PID 516 wrote to memory of 764	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	28
PID 516 wrote to memory of 764	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	28
PID 516 wrote to memory of 764	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	28
PID 764 wrote to memory of 1636	764	XqBtfkc.exe	29
PID 764 wrote to memory of 1636	764	XqBtfkc.exe	29
PID 764 wrote to memory of 1636	764	XqBtfkc.exe	29
PID 764 wrote to memory of 1636	764	XqBtfkc.exe	29
PID 764 wrote to memory of 1636	764	XqBtfkc.exe	29
PID 516 wrote to memory of 1520	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	30
PID 516 wrote to memory of 1520	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	30
PID 516 wrote to memory of 1520	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	30
PID 516 wrote to memory of 1520	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	30
PID 1520 wrote to memory of 324	1520	net.exe	32
PID 1520 wrote to memory of 324	1520	net.exe	32
PID 1520 wrote to memory of 324	1520	net.exe	32
PID 1520 wrote to memory of 324	1520	net.exe	32
PID 516 wrote to memory of 392	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	33
PID 516 wrote to memory of 392	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	33
PID 516 wrote to memory of 392	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	33
PID 516 wrote to memory of 392	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	33
PID 392 wrote to memory of 1836	392	net.exe	35
PID 392 wrote to memory of 1836	392	net.exe	35
PID 392 wrote to memory of 1836	392	net.exe	35
PID 392 wrote to memory of 1836	392	net.exe	35
PID 516 wrote to memory of 1812	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	36
PID 516 wrote to memory of 1812	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	36
PID 516 wrote to memory of 1812	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	36
PID 516 wrote to memory of 1812	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	36
PID 516 wrote to memory of 1760	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	37
PID 516 wrote to memory of 1760	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	37
PID 516 wrote to memory of 1760	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	37
PID 516 wrote to memory of 1760	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	37
PID 516 wrote to memory of 1004	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	40
PID 516 wrote to memory of 1004	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	40
PID 516 wrote to memory of 1004	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	40
PID 516 wrote to memory of 1004	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	40
PID 1004 wrote to memory of 1952	1004	cmd.exe	42
PID 1004 wrote to memory of 1952	1004	cmd.exe	42
PID 1004 wrote to memory of 1952	1004	cmd.exe	42
PID 1004 wrote to memory of 1952	1004	cmd.exe	42
PID 516 wrote to memory of 1448	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	44
PID 516 wrote to memory of 1448	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	44
PID 516 wrote to memory of 1448	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	44
PID 516 wrote to memory of 1448	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	44
PID 1448 wrote to memory of 2200	1448	net.exe	46
PID 1448 wrote to memory of 2200	1448	net.exe	46
PID 1448 wrote to memory of 2200	1448	net.exe	46
PID 1448 wrote to memory of 2200	1448	net.exe	46
PID 516 wrote to memory of 2236	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	47
PID 516 wrote to memory of 2236	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	47
PID 516 wrote to memory of 2236	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	47
PID 516 wrote to memory of 2236	516	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	47
PID 2236 wrote to memory of 2272	2236	net.exe	49
PID 2236 wrote to memory of 2272	2236	net.exe	49
PID 2236 wrote to memory of 2272	2236	net.exe	49
PID 2236 wrote to memory of 2272	2236	net.exe	49
PID 1636 wrote to memory of 8748	1636	XqBtfkc.exe	51
PID 1636 wrote to memory of 8748	1636	XqBtfkc.exe	51

C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
"C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
  "C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Users\Admin\AppData\Local\Temp\XqBtfkc.exe
    "C:\Users\Admin\AppData\Local\Temp\XqBtfkc.exe" 8 LAN
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\XqBtfkc.exe
      "C:\Users\Admin\AppData\Local\Temp\XqBtfkc.exe" 8 LAN
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\*" /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:8748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
        5⤵
        
        PID:9224
      - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin.exe Delete Shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:9288
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "D:\*" /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:8740
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        
        PID:9344
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:9372
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        
        PID:58284
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:58316
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        
        PID:110460
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:110880
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:324
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1836
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1812
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1952
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2272
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:54188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:53848
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:54248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:53780
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:90780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:90804
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:93936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:94480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-60-0x0000000030000000-0x0000000030172000-memory.dmp

Filesize
1.4MB

Download
memory/764-65-0x0000000001CB0000-0x0000000001CE8000-memory.dmp

Filesize
224KB

Download
memory/956-54-0x0000000076891000-0x0000000076893000-memory.dmp

Filesize
8KB

Download
memory/956-58-0x00000000003B0000-0x00000000003E6000-memory.dmp

Filesize
216KB

Download
memory/956-55-0x0000000000480000-0x00000000004B8000-memory.dmp

Filesize
224KB

Download
memory/1636-72-0x0000000030000000-0x0000000030172000-memory.dmp

Filesize
1.4MB

Download
memory/1636-131-0x000000004F580000-0x000000004F6A4000-memory.dmp

Filesize
1.1MB

Download