ryuk | 9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a

Analysis

max time kernel
4294129s
max time network
125s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
Size

444KB
MD5

1fe2b06f573c1809a79c14da0f26f605
SHA1

dc137d2c45d47d62449860f76f57dd85d34d122e
SHA256

9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a
SHA512

10070abdc4320702b3a76b229a41dc2118ec5bc42af488c5db7d3381f43f38b40f47a7b624ac623c0f8da76e5bb6f7922668ae2af6a1af8c464b82836b6c7ca1

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
688	kPnrPaX.exe
564	kPnrPaX.exe

Loads dropped DLL 3 IoCs

pid	Process
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
688	kPnrPaX.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
316	icacls.exe
1616	icacls.exe
9040	icacls.exe
9048	icacls.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 908	1096	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	27
PID 688 set thread context of 564	688	kPnrPaX.exe	29

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql70.xsl	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195772.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292270.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02134_.GIF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Internet Explorer\images\bing.ico	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\PREVIEW.GIF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msmdsrv.rll	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00405_.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02166_.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\spacer_highlights.png	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240189.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01238_.GIF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105234.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02009_.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00455_.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JAVA_01.MID	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00419_.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00136_.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00139_.GIF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02371_.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00402_.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\main.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\RyukReadMe.html	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107450.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Verve.eftx	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234657.WMF	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1016	vssadmin.exe
9204	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
564	kPnrPaX.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
564	kPnrPaX.exe
564	kPnrPaX.exe
564	kPnrPaX.exe
564	kPnrPaX.exe
564	kPnrPaX.exe
564	kPnrPaX.exe
564	kPnrPaX.exe
564	kPnrPaX.exe
564	kPnrPaX.exe
564	kPnrPaX.exe
564	kPnrPaX.exe
564	kPnrPaX.exe
564	kPnrPaX.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1096	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
688	kPnrPaX.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
Token: SeBackupPrivilege	1956	vssvc.exe
Token: SeRestorePrivilege	1956	vssvc.exe
Token: SeAuditPrivilege	1956	vssvc.exe
Token: SeBackupPrivilege	564	kPnrPaX.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1096	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
688	kPnrPaX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 908	1096	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	27
PID 1096 wrote to memory of 908	1096	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	27
PID 1096 wrote to memory of 908	1096	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	27
PID 1096 wrote to memory of 908	1096	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	27
PID 1096 wrote to memory of 908	1096	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	27
PID 908 wrote to memory of 688	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	28
PID 908 wrote to memory of 688	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	28
PID 908 wrote to memory of 688	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	28
PID 908 wrote to memory of 688	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	28
PID 688 wrote to memory of 564	688	kPnrPaX.exe	29
PID 688 wrote to memory of 564	688	kPnrPaX.exe	29
PID 688 wrote to memory of 564	688	kPnrPaX.exe	29
PID 688 wrote to memory of 564	688	kPnrPaX.exe	29
PID 688 wrote to memory of 564	688	kPnrPaX.exe	29
PID 908 wrote to memory of 1632	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	30
PID 908 wrote to memory of 1632	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	30
PID 908 wrote to memory of 1632	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	30
PID 908 wrote to memory of 1632	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	30
PID 1632 wrote to memory of 1968	1632	net.exe	32
PID 1632 wrote to memory of 1968	1632	net.exe	32
PID 1632 wrote to memory of 1968	1632	net.exe	32
PID 1632 wrote to memory of 1968	1632	net.exe	32
PID 908 wrote to memory of 748	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	33
PID 908 wrote to memory of 748	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	33
PID 908 wrote to memory of 748	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	33
PID 908 wrote to memory of 748	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	33
PID 748 wrote to memory of 1756	748	net.exe	35
PID 748 wrote to memory of 1756	748	net.exe	35
PID 748 wrote to memory of 1756	748	net.exe	35
PID 748 wrote to memory of 1756	748	net.exe	35
PID 908 wrote to memory of 316	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	36
PID 908 wrote to memory of 316	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	36
PID 908 wrote to memory of 316	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	36
PID 908 wrote to memory of 316	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	36
PID 908 wrote to memory of 1616	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	37
PID 908 wrote to memory of 1616	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	37
PID 908 wrote to memory of 1616	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	37
PID 908 wrote to memory of 1616	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	37
PID 908 wrote to memory of 1368	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	39
PID 908 wrote to memory of 1368	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	39
PID 908 wrote to memory of 1368	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	39
PID 908 wrote to memory of 1368	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	39
PID 1368 wrote to memory of 1016	1368	cmd.exe	42
PID 1368 wrote to memory of 1016	1368	cmd.exe	42
PID 1368 wrote to memory of 1016	1368	cmd.exe	42
PID 1368 wrote to memory of 1016	1368	cmd.exe	42
PID 908 wrote to memory of 1752	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	44
PID 908 wrote to memory of 1752	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	44
PID 908 wrote to memory of 1752	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	44
PID 908 wrote to memory of 1752	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	44
PID 1752 wrote to memory of 2156	1752	net.exe	46
PID 1752 wrote to memory of 2156	1752	net.exe	46
PID 1752 wrote to memory of 2156	1752	net.exe	46
PID 1752 wrote to memory of 2156	1752	net.exe	46
PID 908 wrote to memory of 2236	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	47
PID 908 wrote to memory of 2236	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	47
PID 908 wrote to memory of 2236	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	47
PID 908 wrote to memory of 2236	908	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	47
PID 2236 wrote to memory of 2512	2236	net.exe	49
PID 2236 wrote to memory of 2512	2236	net.exe	49
PID 2236 wrote to memory of 2512	2236	net.exe	49
PID 2236 wrote to memory of 2512	2236	net.exe	49
PID 564 wrote to memory of 9040	564	kPnrPaX.exe	51
PID 564 wrote to memory of 9040	564	kPnrPaX.exe	51

C:\Users\Admin\AppData\Local\Temp\9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
"C:\Users\Admin\AppData\Local\Temp\9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
  "C:\Users\Admin\AppData\Local\Temp\9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Users\Admin\AppData\Local\Temp\kPnrPaX.exe
    "C:\Users\Admin\AppData\Local\Temp\kPnrPaX.exe" 8 LAN
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\kPnrPaX.exe
      "C:\Users\Admin\AppData\Local\Temp\kPnrPaX.exe" 8 LAN
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:564
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\*" /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:9040
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "D:\*" /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:9048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
        5⤵
        
        PID:9064
      - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin.exe Delete Shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:9204
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        
        PID:9076
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:9064
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        
        PID:118672
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:118696
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:1968
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1756
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:316
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1016
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2156
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2512
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:51720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:51868
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:57268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:56928
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:108904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:109032
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:112720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:113012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-74-0x0000000030000000-0x0000000030172000-memory.dmp

Filesize
1.4MB

Download
memory/688-65-0x0000000000790000-0x00000000007C7000-memory.dmp

Filesize
220KB

Download
memory/908-69-0x0000000030000000-0x0000000030172000-memory.dmp

Filesize
1.4MB

Download
memory/1096-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1096-60-0x00000000003A0000-0x00000000003D5000-memory.dmp

Filesize
212KB

Download
memory/1096-55-0x0000000000500000-0x0000000000537000-memory.dmp

Filesize
220KB

Download