ryuk | 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2

Resubmissions

11/06/2021, 09:25

210611-4ldscwwnln 10

11/06/2021, 09:21

210611-h2e98z629s 8

Analysis

max time kernel
561s
max time network
392s
platform
windows10_x64
resource
win10v20210410
submitted
11/06/2021, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
Size

304KB
MD5

b38db96edbdac1684268b98c8dcffce7
SHA1

88d410bfa5810af0b3c6add7b4911f7a57ea7213
SHA256

095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2
SHA512

bee65541a8f563d793e6be861ad7e92183c6cfd36e14e558a9c01267d26c759cbc0871bfd6b66c692dfd2161df42705e9db2d9de2ad45d66471b36a4426eaaa3

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'yxFS7vMc'; $torlink = 'http://vqurn5zgys2zd5z5r5fxnfskpzr74i63ehk7ucmrlbvsuszapwoo62qd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://vqurn5zgys2zd5z5r5fxnfskpzr74i63ehk7ucmrlbvsuszapwoo62qd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 2 IoCs

pid	Process
344	1073r.exe
3908	arkzUTEJPlan.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\MoveMerge.crw => C:\Users\Admin\Pictures\MoveMerge.crw.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File renamed	C:\Users\Admin\Pictures\SaveExpand.png => C:\Users\Admin\Pictures\SaveExpand.png.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Users\Admin\Pictures\LockCheckpoint.tiff.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Users\Admin\Pictures\MoveMerge.crw.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Users\Admin\Pictures\SaveExpand.png.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Users\Admin\Pictures\LockCheckpoint.tiff	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File renamed	C:\Users\Admin\Pictures\LockCheckpoint.tiff => C:\Users\Admin\Pictures\LockCheckpoint.tiff.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\I:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\B:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\Q:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\P:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\X:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\S:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\L:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\G:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\F:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\E:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\Z:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\Y:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\U:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\R:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\O:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\M:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\J:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\H:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\W:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\V:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\T:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\N:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.en-us.msi.16.en-us.vreg.dat	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Stars.htm	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoInternetConnection_120x80.svg.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\WATER.INF.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_sv_135x40.svg.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_filter_18.svg.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_uinline_warning.svg.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt-br_get.svg.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\local_policy.jar	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\AppStore_icon.svg.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\ui-strings.js.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo.bat	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\web_documentcloud_logo.png	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\FM20.DLL	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\editvideoimage.png	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.RYK	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	2692	svchost.exe
Token: SeTcbPrivilege	2692	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 344	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	80
PID 3916 wrote to memory of 344	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	80
PID 3916 wrote to memory of 344	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	80
PID 3916 wrote to memory of 3908	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	81
PID 3916 wrote to memory of 3908	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	81
PID 3916 wrote to memory of 3908	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	81
PID 3916 wrote to memory of 3156	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	89
PID 3916 wrote to memory of 3156	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	89
PID 3916 wrote to memory of 3156	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	89
PID 3916 wrote to memory of 2168	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	82
PID 3916 wrote to memory of 2168	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	82
PID 3916 wrote to memory of 2168	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	82
PID 3916 wrote to memory of 3740	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	88
PID 3916 wrote to memory of 3740	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	88
PID 3916 wrote to memory of 3740	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	88
PID 3916 wrote to memory of 2104	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	85
PID 3916 wrote to memory of 2104	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	85
PID 3916 wrote to memory of 2104	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	85
PID 3916 wrote to memory of 1116	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	90
PID 3916 wrote to memory of 1116	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	90
PID 3916 wrote to memory of 1168	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	91
PID 3916 wrote to memory of 1116	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	90
PID 3916 wrote to memory of 1168	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	91
PID 3916 wrote to memory of 1168	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	91
PID 2104 wrote to memory of 3812	2104	net.exe	94
PID 2104 wrote to memory of 3812	2104	net.exe	94
PID 2104 wrote to memory of 3812	2104	net.exe	94
PID 3156 wrote to memory of 3976	3156	net.exe	97
PID 3156 wrote to memory of 3976	3156	net.exe	97
PID 3156 wrote to memory of 3976	3156	net.exe	97
PID 2168 wrote to memory of 1900	2168	net.exe	96
PID 2168 wrote to memory of 1900	2168	net.exe	96
PID 2168 wrote to memory of 1900	2168	net.exe	96
PID 3740 wrote to memory of 2004	3740	net.exe	95
PID 3740 wrote to memory of 2004	3740	net.exe	95
PID 3740 wrote to memory of 2004	3740	net.exe	95
PID 1168 wrote to memory of 1308	1168	net.exe	99
PID 1168 wrote to memory of 1308	1168	net.exe	99
PID 1168 wrote to memory of 1308	1168	net.exe	99
PID 1116 wrote to memory of 3980	1116	net.exe	98
PID 1116 wrote to memory of 3980	1116	net.exe	98
PID 1116 wrote to memory of 3980	1116	net.exe	98
PID 3916 wrote to memory of 8720	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	102
PID 3916 wrote to memory of 8856	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	103
PID 3916 wrote to memory of 8720	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	102
PID 3916 wrote to memory of 8720	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	102
PID 3916 wrote to memory of 8856	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	103
PID 3916 wrote to memory of 8856	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	103
PID 8720 wrote to memory of 8892	8720	net.exe	107
PID 8720 wrote to memory of 8892	8720	net.exe	107
PID 8720 wrote to memory of 8892	8720	net.exe	107
PID 8856 wrote to memory of 8680	8856	net.exe	106
PID 8856 wrote to memory of 8680	8856	net.exe	106
PID 8856 wrote to memory of 8680	8856	net.exe	106
PID 3916 wrote to memory of 8860	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	108
PID 3916 wrote to memory of 8860	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	108
PID 3916 wrote to memory of 8860	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	108
PID 3916 wrote to memory of 8568	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	109
PID 3916 wrote to memory of 8568	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	109
PID 3916 wrote to memory of 8568	3916	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	109
PID 8860 wrote to memory of 8684	8860	net.exe	112
PID 8860 wrote to memory of 8684	8860	net.exe	112
PID 8860 wrote to memory of 8684	8860	net.exe	112
PID 8568 wrote to memory of 8776	8568	net.exe	113

C:\Users\Admin\AppData\Local\Temp\095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
"C:\Users\Admin\AppData\Local\Temp\095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\1073r.exe
  "C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Users\Admin\AppData\Local\Temp\arkzUTEJPlan.exe
  "C:\Users\Admin\AppData\Local\Temp\arkzUTEJPlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1900
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3812
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2004
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3976
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "coremessagingregistrar" /y
    3⤵
    PID:3980
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "coremessagingregistrar" /y
    3⤵
    PID:1308
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8892
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8680
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "coremessagingregistrar" /y
    3⤵
    PID:8684
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "coremessagingregistrar" /y
    3⤵
    PID:8776

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-123-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/344-122-0x0000000000510000-0x000000000065A000-memory.dmp

Filesize
1.3MB

Download
memory/3908-125-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/3908-124-0x0000000000550000-0x0000000000576000-memory.dmp

Filesize
152KB

Download
memory/3916-114-0x00000000004A0000-0x00000000005EA000-memory.dmp

Filesize
1.3MB

Download
memory/3916-115-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download