ryuk | aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5

Analysis

max time kernel
163s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
06-03-2022 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
Size

808KB
MD5

50cc057a164640715e70a43979175a3f
SHA1

690d83a764b7f4b65232e25c410c02cc5901ad72
SHA256

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
SHA512

ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 2 IoCs

pid	Process
1408	WZcPXBA.exe
1400	WZcPXBA.exe

Loads dropped DLL 3 IoCs

pid	Process
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
1408	WZcPXBA.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened (read-only)	\??\A:	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1772 set thread context of 304	1772	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	27
PID 1408 set thread context of 1400	1408	WZcPXBA.exe	29

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151061.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182946.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JAVA_01.MID	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AIR98.POC	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XML2WORD.XSL	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\46.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21321_.GIF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\DELETE.GIF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105244.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_01.MID	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.DPV	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153398.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTOC.XML	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107750.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\RIPPLE.ELM	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLCPRTID.XML	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\THMBNAIL.PNG	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02390_.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBARBLL.DPV	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\THMBNAIL.PNG	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Couture.eftx	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01006_.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Games\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00452_.WMF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115856.GIF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
1400	WZcPXBA.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
1400	WZcPXBA.exe
1400	WZcPXBA.exe
1400	WZcPXBA.exe
1400	WZcPXBA.exe
1400	WZcPXBA.exe
1400	WZcPXBA.exe
1400	WZcPXBA.exe
1400	WZcPXBA.exe
1400	WZcPXBA.exe
1400	WZcPXBA.exe
1400	WZcPXBA.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
1400	WZcPXBA.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1772	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
1408	WZcPXBA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
Token: SeBackupPrivilege	1400	WZcPXBA.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1772	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
1772	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
1408	WZcPXBA.exe
1408	WZcPXBA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 304	1772	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	27
PID 1772 wrote to memory of 304	1772	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	27
PID 1772 wrote to memory of 304	1772	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	27
PID 1772 wrote to memory of 304	1772	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	27
PID 1772 wrote to memory of 304	1772	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	27
PID 304 wrote to memory of 1408	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	28
PID 304 wrote to memory of 1408	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	28
PID 304 wrote to memory of 1408	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	28
PID 304 wrote to memory of 1408	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	28
PID 1408 wrote to memory of 1400	1408	WZcPXBA.exe	29
PID 1408 wrote to memory of 1400	1408	WZcPXBA.exe	29
PID 1408 wrote to memory of 1400	1408	WZcPXBA.exe	29
PID 1408 wrote to memory of 1400	1408	WZcPXBA.exe	29
PID 1408 wrote to memory of 1400	1408	WZcPXBA.exe	29
PID 304 wrote to memory of 1440	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	30
PID 304 wrote to memory of 1440	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	30
PID 304 wrote to memory of 1440	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	30
PID 304 wrote to memory of 1440	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	30
PID 304 wrote to memory of 364	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	32
PID 304 wrote to memory of 364	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	32
PID 304 wrote to memory of 364	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	32
PID 304 wrote to memory of 364	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	32
PID 1440 wrote to memory of 1684	1440	net.exe	34
PID 1440 wrote to memory of 1684	1440	net.exe	34
PID 1440 wrote to memory of 1684	1440	net.exe	34
PID 1440 wrote to memory of 1684	1440	net.exe	34
PID 364 wrote to memory of 1696	364	net.exe	35
PID 364 wrote to memory of 1696	364	net.exe	35
PID 364 wrote to memory of 1696	364	net.exe	35
PID 364 wrote to memory of 1696	364	net.exe	35
PID 304 wrote to memory of 1088	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	36
PID 304 wrote to memory of 1088	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	36
PID 304 wrote to memory of 1088	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	36
PID 304 wrote to memory of 1088	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	36
PID 1088 wrote to memory of 1812	1088	net.exe	38
PID 1088 wrote to memory of 1812	1088	net.exe	38
PID 1088 wrote to memory of 1812	1088	net.exe	38
PID 1088 wrote to memory of 1812	1088	net.exe	38
PID 304 wrote to memory of 1836	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	39
PID 304 wrote to memory of 1836	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	39
PID 304 wrote to memory of 1836	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	39
PID 304 wrote to memory of 1836	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	39
PID 1836 wrote to memory of 1392	1836	net.exe	41
PID 1836 wrote to memory of 1392	1836	net.exe	41
PID 1836 wrote to memory of 1392	1836	net.exe	41
PID 1836 wrote to memory of 1392	1836	net.exe	41
PID 1400 wrote to memory of 2220	1400	WZcPXBA.exe	42
PID 1400 wrote to memory of 2220	1400	WZcPXBA.exe	42
PID 1400 wrote to memory of 2220	1400	WZcPXBA.exe	42
PID 1400 wrote to memory of 2220	1400	WZcPXBA.exe	42
PID 2220 wrote to memory of 2252	2220	net.exe	44
PID 2220 wrote to memory of 2252	2220	net.exe	44
PID 2220 wrote to memory of 2252	2220	net.exe	44
PID 2220 wrote to memory of 2252	2220	net.exe	44
PID 304 wrote to memory of 22508	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	48
PID 304 wrote to memory of 22508	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	48
PID 304 wrote to memory of 22508	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	48
PID 304 wrote to memory of 22508	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	48
PID 22508 wrote to memory of 22456	22508	net.exe	50
PID 22508 wrote to memory of 22456	22508	net.exe	50
PID 22508 wrote to memory of 22456	22508	net.exe	50
PID 22508 wrote to memory of 22456	22508	net.exe	50
PID 304 wrote to memory of 28496	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	51
PID 304 wrote to memory of 28496	304	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	51

C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
"C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
  "C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Users\Admin\AppData\Local\Temp\WZcPXBA.exe
    "C:\Users\Admin\AppData\Local\Temp\WZcPXBA.exe" 8 LAN
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\WZcPXBA.exe
      "C:\Users\Admin\AppData\Local\Temp\WZcPXBA.exe" 8 LAN
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:2252
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        
        PID:73872
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:73900
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:1684
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1696
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:1812
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1392
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:22508
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:22456
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:28496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:28428
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:66508
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:66532
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:69032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:69056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-58-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1400-67-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1772-55-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1772-56-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download