ryuk | aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5

Analysis

max time kernel
154s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
06-03-2022 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
Size

808KB
MD5

50cc057a164640715e70a43979175a3f
SHA1

690d83a764b7f4b65232e25c410c02cc5901ad72
SHA256

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
SHA512

ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 2 IoCs

pid	Process
2304	qydJmMi.exe
1472	qydJmMi.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	qydJmMi.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened (read-only)	\??\A:	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3696 set thread context of 620	3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	81
PID 2304 set thread context of 1472	2304	qydJmMi.exe	93

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\PersonalMonthlyBudget.xltx	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_EN.LEX	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp32.msi	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\jawt_md.h	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARABD.TTF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYHBD.TTC	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\WordCapabilities.json	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.ELM	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
16812	1472	WerFault.exe	93

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
1472	qydJmMi.exe
1472	qydJmMi.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
2304	qydJmMi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
Token: SeBackupPrivilege	1472	qydJmMi.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
2304	qydJmMi.exe
2304	qydJmMi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 620	3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	81
PID 3696 wrote to memory of 620	3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	81
PID 3696 wrote to memory of 620	3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	81
PID 3696 wrote to memory of 620	3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	81
PID 620 wrote to memory of 2304	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	84
PID 620 wrote to memory of 2304	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	84
PID 620 wrote to memory of 2304	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	84
PID 620 wrote to memory of 2716	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	85
PID 620 wrote to memory of 2716	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	85
PID 620 wrote to memory of 2716	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	85
PID 620 wrote to memory of 3860	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	87
PID 620 wrote to memory of 3860	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	87
PID 620 wrote to memory of 3860	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	87
PID 2716 wrote to memory of 3788	2716	net.exe	90
PID 2716 wrote to memory of 3788	2716	net.exe	90
PID 2716 wrote to memory of 3788	2716	net.exe	90
PID 3860 wrote to memory of 4704	3860	net.exe	91
PID 3860 wrote to memory of 4704	3860	net.exe	91
PID 3860 wrote to memory of 4704	3860	net.exe	91
PID 2304 wrote to memory of 1472	2304	qydJmMi.exe	93
PID 2304 wrote to memory of 1472	2304	qydJmMi.exe	93
PID 2304 wrote to memory of 1472	2304	qydJmMi.exe	93
PID 2304 wrote to memory of 1472	2304	qydJmMi.exe	93
PID 620 wrote to memory of 4560	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	95
PID 620 wrote to memory of 4560	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	95
PID 620 wrote to memory of 4560	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	95
PID 4560 wrote to memory of 3048	4560	net.exe	98
PID 4560 wrote to memory of 3048	4560	net.exe	98
PID 4560 wrote to memory of 3048	4560	net.exe	98
PID 620 wrote to memory of 4328	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	99
PID 620 wrote to memory of 4328	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	99
PID 620 wrote to memory of 4328	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	99
PID 4328 wrote to memory of 1900	4328	net.exe	101
PID 4328 wrote to memory of 1900	4328	net.exe	101
PID 4328 wrote to memory of 1900	4328	net.exe	101
PID 1472 wrote to memory of 3572	1472	qydJmMi.exe	102
PID 1472 wrote to memory of 3572	1472	qydJmMi.exe	102
PID 1472 wrote to memory of 3572	1472	qydJmMi.exe	102
PID 3572 wrote to memory of 5244	3572	net.exe	105
PID 3572 wrote to memory of 5244	3572	net.exe	105
PID 3572 wrote to memory of 5244	3572	net.exe	105
PID 620 wrote to memory of 15872	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	111
PID 620 wrote to memory of 15872	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	111
PID 620 wrote to memory of 15872	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	111
PID 15872 wrote to memory of 16924	15872	net.exe	113
PID 15872 wrote to memory of 16924	15872	net.exe	113
PID 15872 wrote to memory of 16924	15872	net.exe	113
PID 620 wrote to memory of 17544	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	115
PID 620 wrote to memory of 17544	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	115
PID 620 wrote to memory of 17544	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	115
PID 17544 wrote to memory of 17824	17544	net.exe	117
PID 17544 wrote to memory of 17824	17544	net.exe	117
PID 17544 wrote to memory of 17824	17544	net.exe	117
PID 620 wrote to memory of 11848	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	122
PID 620 wrote to memory of 11848	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	122
PID 620 wrote to memory of 11848	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	122
PID 11848 wrote to memory of 11900	11848	net.exe	124
PID 11848 wrote to memory of 11900	11848	net.exe	124
PID 11848 wrote to memory of 11900	11848	net.exe	124
PID 620 wrote to memory of 12924	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	126
PID 620 wrote to memory of 12924	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	126
PID 620 wrote to memory of 12924	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	126
PID 12924 wrote to memory of 12976	12924	net.exe	128
PID 12924 wrote to memory of 12976	12924	net.exe	128

C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
"C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
  "C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe"
  2⤵
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe
    "C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe" 8 LAN
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe
      "C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe" 8 LAN
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:5244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 8264
        5⤵
        Program crash
        
        PID:16812
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:3788
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:4704
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1900
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:15872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:16924
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:17544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:17824
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:11848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:11900
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:12924
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:12976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1472 -ip 1472
1⤵
PID:15476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-131-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1472-135-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/3696-130-0x0000000002300000-0x0000000002333000-memory.dmp

Filesize
204KB

Download