Analysis
  max time kernel:   176s
  max time network:  181s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         01-09-2022 23:44
Static task: static1

Behavioral task: behavioral1
  Sample:   9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample:   9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
  Resource: win10v2004-20220812-en
General
  Target: 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
  Size:   119KB
  MD5:    c68395e474088d5339972e2bf5a30f3c
  SHA1:   502e42240969399c09337ecc7b5ca8fc1ba4baf3
  SHA256: 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
  SHA512: 5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
  SSDEEP: 1536:j/t3fhrg5rw0lQa2+T37us7RidSkPq9IiJ/EXrAyPca7m94nqHBmQSsWZcdH2kB/:lG55XP0Vq9IiKXrxkKNqHBmEHNVKA
Malware Config
Extracted
  Path:   C:\users\Public\RyukReadMe.html
  Family: ryuk
  URL:    http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion
Signatures

Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.

Executes dropped EXE  (3 IoCs)
  PID    Process
  2144   eKOOBlncorep.exe
  4644   pxpvXGULvlan.exe
  11744  pnCURCWNSlan.exe

Checks computer location settings  (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  Process:           9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Modifies file permissions  (1 TTPs, 2 IoCs)
  PID    Process
  36396  icacls.exe
  36408  icacls.exe

Drops desktop.ini file(s)  (1 IoC)
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  Process:                      9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Drops file in Program Files directory  (64 IoCs)
  All 64 entries are "File opened for modification" by 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe:
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\RyukReadMe.html
  C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml
  C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms
  C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\MSOEURO.DLL
  C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms
  C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\openssl64.dlla.manifest
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml
  C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms
  C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWDAT.DLL
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties
  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ppd.xrm-ms
  C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL
  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml
  C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms
  C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms
  C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png
  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms
  C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png
  C:\Program Files\Java\jdk1.8.0_66\lib\javafx-mx.jar
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar
  C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_TW.properties
  C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms
  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms
  C:\Program Files\Common Files\microsoft shared\ink\ru-RU\RyukReadMe.html
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_TW.properties
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms
  C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\RyukReadMe.html
  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\RyukReadMe.html
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms
  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML
  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML
  C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar
  C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui
  C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms
  C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms
  C:\Program Files\7-Zip\Lang\sa.txt
  C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\RyukReadMe.html
  C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config
  C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png
  C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms
  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML
  C:\Program Files\7-Zip\Lang\hr.txt
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml
  C:\Program Files\Java\jre1.8.0_66\lib\currency.data
  C:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL
  C:\Program Files\Microsoft Office\root\vfs\Common AppData\RyukReadMe.html
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml
  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms
Enumerates physical storage devices  (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash  (1 IoC)
  PID     Target PID  Process       Target procid
  205712  11744       WerFault.exe  85

Runs net.exe

Suspicious behavior: EnumeratesProcesses  (4 IoCs)
  PID   Process
  4888  9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe  (recorded 4 times)

Suspicious use of WriteProcessMemory  (39 IoCs)
  Each of the 13 parent -> child writes below is recorded three times (39 records in total).
  Source PID  Source process                                                         Target PID  Target procid
  4888        9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe  2144        83
  4888        9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe  4644        84
  4888        9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe  11744       85
  4888        9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe  36396       90
  4888        9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe  36408       91
  4888        9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe  74388       98
  4888        9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe  74400       99
  4888        9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe  74556       102
  4888        9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe  74548       103
  74388       net.exe                                                                78252       109
  74556       net.exe                                                                78268       108
  74548       net.exe                                                                78260       107
  74400       net.exe                                                                78276       106
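The WriteProcessMemory table is flat, and every launch appears three times: the pattern (the parent writing only into processes it has just started, each of which also appears under its command line in the process tree) is consistent with CreateProcess populating the new child's address space rather than with code injection into a running process. The following added example, which is not part of the Triage report, rebuilds the parent/child tree from a verbatim subset of those records. LEAF_NAMES is copied from the report's process tree for PIDs that never write to another process; the trailing number in each record is the report's procid_target column, which differs from the Windows PID and is treated here only as a label.

```python
"""Rebuild the process tree from the flat "Suspicious use of WriteProcessMemory"
records of a Triage report.

Added worked example; not code from the sandbox report. RECORDS is a verbatim
subset of the 39 records in the report (each launch is logged three times, so
the parser deduplicates). The trailing number is the report's procid_target
column, which differs from the Windows PID."""
import re
from collections import Counter, defaultdict

RECORDS = """
PID 4888 wrote to memory of 2144 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 83
PID 4888 wrote to memory of 2144 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 83
PID 4888 wrote to memory of 2144 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 83
PID 4888 wrote to memory of 11744 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 85
PID 4888 wrote to memory of 11744 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 85
PID 4888 wrote to memory of 11744 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 85
PID 4888 wrote to memory of 36396 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 90
PID 4888 wrote to memory of 36396 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 90
PID 4888 wrote to memory of 36396 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 90
PID 4888 wrote to memory of 74388 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 98
PID 4888 wrote to memory of 74388 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 98
PID 4888 wrote to memory of 74388 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 98
PID 74388 wrote to memory of 78252 74388 net.exe 109
PID 74388 wrote to memory of 78252 74388 net.exe 109
PID 74388 wrote to memory of 78252 74388 net.exe 109
"""

# Image names for PIDs that never appear as a writer; copied from the report's process tree.
LEAF_NAMES = {2144: "eKOOBlncorep.exe", 11744: "pnCURCWNSlan.exe",
              36396: "icacls.exe", 78252: "net1.exe"}

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)$"
)


def parse_records(text):
    """Return (edge counts {(src, dst): n}, {writer pid: image}, {target pid: procid_target})."""
    edges, image, procid = Counter(), {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1          # triplicates collapse to one edge with count 3
        image[src] = m["image"]
        procid[dst] = int(m["procid"])
    return edges, image, procid


def build_tree(edges):
    """Map each parent PID to its children in report order; roots are parents nobody wrote to."""
    children = defaultdict(list)
    for src, dst in edges:              # Counter preserves insertion order
        if dst not in children[src]:
            children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = [pid for pid in children if pid not in targets]
    return dict(children), roots


def render(children, roots, image, procid, names=None):
    """Indented text tree: '<pid> <image> [procid N]', two spaces per depth level."""
    names = {**(names or {}), **image}
    lines = []

    def walk(pid, depth):
        tag = f" [procid {procid[pid]}]" if pid in procid else ""
        lines.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, image, procid = parse_records(RECORDS)
    children, roots = build_tree(edges)
    print(render(children, roots, image, procid, LEAF_NAMES))
```

Run stand-alone it prints the sample (4888) with its four children and net1.exe under net.exe, which is the same shape as the report's process tree; a count other than 3 on an edge, or a writer whose target never shows up as a process in the tree, is the signal that a record is something other than process creation.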
Processes

C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe  (PID 4888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe"
  Checks computer location settings
  Drops desktop.ini file(s)
  Drops file in Program Files directory
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\eKOOBlncorep.exe  (PID 2144)
    Command line: "C:\Users\Admin\AppData\Local\Temp\eKOOBlncorep.exe" 9 REP
    Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\pxpvXGULvlan.exe  (PID 4644)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pxpvXGULvlan.exe" 8 LAN
    Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\pnCURCWNSlan.exe  (PID 11744)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pnCURCWNSlan.exe" 8 LAN
    Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe  (PID 205712)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 11744 -s 13532
      Program crash

  C:\Windows\SysWOW64\icacls.exe  (PID 36396)
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    Modifies file permissions

  C:\Windows\SysWOW64\icacls.exe  (PID 36408)
    Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    Modifies file permissions

  C:\Windows\SysWOW64\net.exe  (PID 74388)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe  (PID 78252)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y

  C:\Windows\SysWOW64\net.exe  (PID 74400)
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe  (PID 78276)
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y

  C:\Windows\SysWOW64\net.exe  (PID 74556)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe  (PID 78268)
      Command line: C:\Windows\system32\net1 stop "samss" /y

  C:\Windows\SysWOW64\net.exe  (PID 74548)
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe  (PID 78260)
      Command line: C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\WerFault.exe  (PID 196784)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 11744 -ip 11744
Downloads
  16 dropped files with 4 distinct contents. The six 119KB files have the same hashes as the submitted sample (see General).

  1KB  (8 files)
    MD5:    98d3b55cce54a33a6648f5b02a11f65d
    SHA1:   8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef
    SHA256: 807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131
    SHA512: 9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

  8KB  (1 file)
    MD5:    bdd2373e6fe9c2b28e334ec8ee0c49a6
    SHA1:   ed616bfc377bfd1cc55efd6e6943d75e5e50a043
    SHA256: 5cf1f6517b6373b1d37dfe9fb28cd0385061e007c349eb5f35717ce64baf0ee7
    SHA512: 149d6690406941ec9dde363e14cb6a8808134e13a9e569448a7928587d4d6c738c1461471751c3a803e55787471ee99e71a24348e1aeebf756e5fd6f6d833e33

  119KB  (6 files; identical to the submitted sample)
    MD5:    c68395e474088d5339972e2bf5a30f3c
    SHA1:   502e42240969399c09337ecc7b5ca8fc1ba4baf3
    SHA256: 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
    SHA512: 5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

  978B  (1 file)
    MD5:    1edd6777d04d26fecd25b751796ec078
    SHA1:   6ce0df88f834834f317cbd473d11b113ba9df50a
    SHA256: 9b945b750a87cad966a682e51e6da3d3ade9bfb9556e5a5a3772b581a928ee1c
    SHA512: c44aa048b645357d36828e363dd1ae0105e9d7b0c30ae23d0c6679c495b090ded40cd9610ee85a9a6ae3393c5b3520d6f3c2f27de950a55a7d1f2bb6d71c130a