Analysis
  max time kernel: 301s
  max time network: 86s
  platform: windows7_x64
  resource: win7v20210410
  submitted: 22-04-2021 09:20
  Static task: static1
  Behavioral task: behavioral1
  Sample: 9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe
  Resource: win7v20210410

General
  Target: 9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe
  Size: 272KB
  MD5: 975f776f11c6d36621ba5a9da6151aa2
  SHA1: 9b40b0d3b228d9e958c8d45fb8cec64c6851d113
  SHA256: ea67e662ba55629b40d0eddbaaafc824e5809f31c9e35222104637a67615c51d
  SHA512: 6d0bae9d7b4147010542ac28ba36b151d22e2a30a63ec6ac37fa112230cd575a830b23ac389a394ad3bf9cb8293869c30be8cc92614e9bab31b366155bf6edc4

Malware Config
  Extracted
    Path: C:\users\Public\RyukReadMe.html
    Family: ryuk
    URL: http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.

Executes dropped EXE (3 IoCs)
  pid   Process
  752   SgynEYsVSrep.exe
  1080  NPlzDTOxIlan.exe
  2612  xipxMEfLGlan.exe

Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description                    ioc                                                 Process
  File opened for modification   C:\Users\Admin\Pictures\MergeUpdate.tiff.RYK        9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe
  File opened for modification   C:\Users\Admin\Pictures\RevokeEnter.crw.RYK         9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe
  File opened for modification   C:\Users\Admin\Pictures\UnblockComplete.crw.RYK     9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe

Loads dropped DLL (6 IoCs)
  pid   Process                                        events
  2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   6

Modifies file permissions (1 TTPs, 2 IoCs)
  pid   Process
  2692  icacls.exe
  2704  icacls.exe

Drops desktop.ini file(s) (1 IoCs)
  description                    ioc                                                                                  Process
  File opened for modification   C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI      9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: 9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe (all entries)
  ioc:
    \??\I:  \??\G:  \??\B:  \??\U:  \??\S:  \??\O:  \??\M:  \??\L:
    \??\K:  \??\E:  \??\V:  \??\T:  \??\R:  \??\P:  \??\X:  \??\Q:
    \??\J:  \??\H:  \??\F:  \??\Z:  \??\Y:  \??\W:  \??\N:

Drops file in Program Files directory (64 IoCs)
  description: File opened for modification
  Process: 9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe (all entries)
  ioc:
    C:\Program Files (x86)\Microsoft Office\Office14\CDLMSO.DLL
    C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC1.WMF.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\validation.js.RYK
    C:\Program Files\Java\jre7\lib\zi\Pacific\Saipan
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106020.WMF
    C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.RYK
    C:\Program Files\Java\jre7\lib\zi\Europe\Prague
    C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN103.XML
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04191_.WMF.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay.css.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\THOCRAPI.DLL.RYK
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar
    C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL.IDX_DLL
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_OFF.GIF
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN109.XML.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE.RYK
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10358_.GIF
    C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_F_COL.HXK
    C:\Program Files\7-Zip\Lang\fy.txt.RYK
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.RYK
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02028_.WMF.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SlateBlue.css.RYK
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\RyukReadMe.html
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00218_.WMF
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN081.XML.RYK
    C:\Program Files\Java\jre7\lib\zi\Etc\GMT.RYK
    C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205462.WMF.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL.RYK
    C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx
    C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\RyukReadMe.html
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF.RYK
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SHOW_01.MID.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IE.XML.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\header.gif
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.RYK
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar.RYK
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102984.WMF.RYK
    C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar
    C:\Program Files (x86)\Microsoft Office\Document Themes 14\Waveform.thmx.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONFLICT.ICO.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30B.GIF
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00734_.WMF
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml.RYK
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar.RYK
    C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.LTS
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187921.WMF
    C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Aspect.eftx
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18202_.WMF.RYK
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00934_.WMF
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSSMS.CFG.RYK
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00272_.WMF
    C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF
    C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo.RYK
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageSlice.gif.RYK

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3464  SCHTASKS.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process                                        events
  2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   6

Suspicious use of WriteProcessMemory (64 IoCs)
  Each row below is recorded four times in the report; the count is in the last column.
  description                        pid   Process                                        procid_target  events
  PID 2020 wrote to memory of 752    2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   29             4
  PID 2020 wrote to memory of 1080   2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   30             4
  PID 2020 wrote to memory of 2612   2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   31             4
  PID 2020 wrote to memory of 2692   2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   32             4
  PID 2020 wrote to memory of 2704   2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   33             4
  PID 2020 wrote to memory of 2964   2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   36             4
  PID 2020 wrote to memory of 2728   2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   37             4
  PID 2728 wrote to memory of 2792   2728  net.exe                                        41             4
  PID 2964 wrote to memory of 2852   2964  net.exe                                        40             4
  PID 2020 wrote to memory of 3104   2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   43             4
  PID 2020 wrote to memory of 3112   2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   42             4
  PID 3104 wrote to memory of 3164   3104  net.exe                                        46             4
  PID 3112 wrote to memory of 3188   3112  net.exe                                        47             4
  PID 2020 wrote to memory of 7156   2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   54             4
  PID 2020 wrote to memory of 6848   2020  9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe   53             4
  PID 6848 wrote to memory of 596    6848  net.exe                                        58             4

Processes
  (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe  (PID 2020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b40b0d3b228d9e958c8d45fb8cec64c6851d113.exe"
  - Modifies extensions of user files
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SgynEYsVSrep.exe  (PID 752)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SgynEYsVSrep.exe" 9 REP
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\NPlzDTOxIlan.exe  (PID 1080)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NPlzDTOxIlan.exe" 8 LAN
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\xipxMEfLGlan.exe  (PID 2612)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xipxMEfLGlan.exe" 8 LAN
      - Executes dropped EXE

    C:\Windows\SysWOW64\icacls.exe  (PID 2692)
      Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
      - Modifies file permissions

    C:\Windows\SysWOW64\icacls.exe  (PID 2704)
      Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
      - Modifies file permissions

    C:\Windows\SysWOW64\net.exe  (PID 2964)
      Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2852)
          Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y

    C:\Windows\SysWOW64\net.exe  (PID 2728)
      Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2792)
          Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y

    C:\Windows\SysWOW64\net.exe  (PID 3112)
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 3188)
          Command line: C:\Windows\system32\net1 stop "samss" /y

    C:\Windows\SysWOW64\net.exe  (PID 3104)
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 3164)
          Command line: C:\Windows\system32\net1 stop "samss" /y

    C:\Windows\SysWOW64\net.exe  (PID 6848)
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 596)
          Command line: C:\Windows\system32\net1 stop "samss" /y

    C:\Windows\SysWOW64\net.exe  (PID 7156)
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y

        C:\Windows\SysWOW64\net1.exe  (PID 7116)
          Command line: C:\Windows\system32\net1 stop "samss" /y

    C:\Windows\SysWOW64\SCHTASKS.exe  (PID 3464)
      Command line: SCHTASKS /CREATE /NP /SC DAILY /TN "PrintEx" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\mTzXe.dll" /ST 10:25 /SD 04/23/2021 /ED 04/30/2021
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\net.exe  (PID 8812)
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y

        C:\Windows\SysWOW64\net1.exe  (PID 8872)
          Command line: C:\Windows\system32\net1 stop "samss" /y

    C:\Windows\SysWOW64\net.exe  (PID 8836)
      Command line: "C:\Windows\System32\net.exe" stop "samss" /y

        C:\Windows\SysWOW64\net1.exe  (PID 8880)
          Command line: C:\Windows\system32\net1 stop "samss" /y

C:\Windows\explorer.exe  (PID 1092)
  Command line: "C:\Windows\explorer.exe"