ryuk | ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-en-20211208
submitted
05-03-2022 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
Size

118KB
MD5

a31089dc3cafe77c39268273d689193b
SHA1

032e0b9a0bf012401507be974ee6bdb3e6726fd7
SHA256

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
SHA512

d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'N2QvTsXamJ'; $torlink = 'http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
576	XJgJijnKVrep.exe
316	ypXbiYOlylan.exe
1004	uIvPQsuPalan.exe

Loads dropped DLL 6 IoCs

pid	Process
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
22084	icacls.exe
22092	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Inuvik	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Casey	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Caracas	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\javaws.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Chagos	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Noronha	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cancun	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guatemala	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\RemoveSkip.ogg	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 576	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	27
PID 1908 wrote to memory of 576	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	27
PID 1908 wrote to memory of 576	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	27
PID 1908 wrote to memory of 576	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	27
PID 1908 wrote to memory of 316	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	28
PID 1908 wrote to memory of 316	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	28
PID 1908 wrote to memory of 316	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	28
PID 1908 wrote to memory of 316	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	28
PID 1908 wrote to memory of 1004	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	29
PID 1908 wrote to memory of 1004	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	29
PID 1908 wrote to memory of 1004	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	29
PID 1908 wrote to memory of 1004	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	29
PID 1908 wrote to memory of 22084	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	30
PID 1908 wrote to memory of 22084	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	30
PID 1908 wrote to memory of 22084	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	30
PID 1908 wrote to memory of 22084	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	30
PID 1908 wrote to memory of 22092	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	31
PID 1908 wrote to memory of 22092	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	31
PID 1908 wrote to memory of 22092	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	31
PID 1908 wrote to memory of 22092	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	31
PID 1908 wrote to memory of 46896	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	36
PID 1908 wrote to memory of 46896	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	36
PID 1908 wrote to memory of 46896	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	36
PID 1908 wrote to memory of 46896	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	36
PID 1908 wrote to memory of 46888	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	37
PID 1908 wrote to memory of 46888	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	37
PID 1908 wrote to memory of 46888	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	37
PID 1908 wrote to memory of 46888	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	37
PID 1908 wrote to memory of 46948	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	40
PID 1908 wrote to memory of 46948	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	40
PID 1908 wrote to memory of 46948	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	40
PID 1908 wrote to memory of 46948	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	40
PID 1908 wrote to memory of 46956	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	42
PID 1908 wrote to memory of 46956	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	42
PID 1908 wrote to memory of 46956	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	42
PID 1908 wrote to memory of 46956	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	42
PID 46948 wrote to memory of 51100	46948	net.exe	45
PID 46948 wrote to memory of 51100	46948	net.exe	45
PID 46948 wrote to memory of 51100	46948	net.exe	45
PID 46948 wrote to memory of 51100	46948	net.exe	45
PID 46896 wrote to memory of 51092	46896	net.exe	46
PID 46896 wrote to memory of 51092	46896	net.exe	46
PID 46896 wrote to memory of 51092	46896	net.exe	46
PID 46896 wrote to memory of 51092	46896	net.exe	46
PID 46956 wrote to memory of 51108	46956	net.exe	44
PID 46956 wrote to memory of 51108	46956	net.exe	44
PID 46956 wrote to memory of 51108	46956	net.exe	44
PID 46956 wrote to memory of 51108	46956	net.exe	44
PID 46888 wrote to memory of 51136	46888	net.exe	47
PID 46888 wrote to memory of 51136	46888	net.exe	47
PID 46888 wrote to memory of 51136	46888	net.exe	47
PID 46888 wrote to memory of 51136	46888	net.exe	47

C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
"C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\XJgJijnKVrep.exe
  "C:\Users\Admin\AppData\Local\Temp\XJgJijnKVrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Users\Admin\AppData\Local\Temp\ypXbiYOlylan.exe
  "C:\Users\Admin\AppData\Local\Temp\ypXbiYOlylan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Users\Admin\AppData\Local\Temp\uIvPQsuPalan.exe
  "C:\Users\Admin\AppData\Local\Temp\uIvPQsuPalan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:22084
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:22092
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:46896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:51092
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:46888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:51136
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:46948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:51100
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:46956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:51108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-55-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download