Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
561s -
max time network
392s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
11/06/2021, 09:25
Static task
static1
Behavioral task
behavioral1
Sample
095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
Resource
win10v20210410
General
-
Target
095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
-
Size
304KB
-
MD5
b38db96edbdac1684268b98c8dcffce7
-
SHA1
88d410bfa5810af0b3c6add7b4911f7a57ea7213
-
SHA256
095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2
-
SHA512
bee65541a8f563d793e6be861ad7e92183c6cfd36e14e558a9c01267d26c759cbc0871bfd6b66c692dfd2161df42705e9db2d9de2ad45d66471b36a4426eaaa3
Malware Config
Extracted
C:\users\Public\RyukReadMe.html
ryuk
http://vqurn5zgys2zd5z5r5fxnfskpzr74i63ehk7ucmrlbvsuszapwoo62qd.onion
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Executes dropped EXE 2 IoCs
pid Process 344 1073r.exe 3908 arkzUTEJPlan.exe -
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\MoveMerge.crw => C:\Users\Admin\Pictures\MoveMerge.crw.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File renamed C:\Users\Admin\Pictures\SaveExpand.png => C:\Users\Admin\Pictures\SaveExpand.png.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Users\Admin\Pictures\LockCheckpoint.tiff.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Users\Admin\Pictures\MoveMerge.crw.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Users\Admin\Pictures\SaveExpand.png.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Users\Admin\Pictures\LockCheckpoint.tiff 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File renamed C:\Users\Admin\Pictures\LockCheckpoint.tiff => C:\Users\Admin\Pictures\LockCheckpoint.tiff.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe -
Drops startup file 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\I: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\B: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\Q: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\P: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\X: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\S: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\L: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\G: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\F: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\E: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\Z: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\Y: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\U: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\R: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\O: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\M: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\J: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\H: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\W: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\V: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\T: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened (read-only) \??\N: 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\RyukReadMe.html 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\proof.en-us.msi.16.en-us.vreg.dat 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Stars.htm 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoInternetConnection_120x80.svg.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\RyukReadMe.html 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Common Files\System\RyukReadMe.html 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\WATER.INF.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\RyukReadMe.html 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\RyukReadMe.html 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_sv_135x40.svg.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_filter_18.svg.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_uinline_warning.svg.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt-br_get.svg.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\local_policy.jar 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\RyukReadMe.html 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\AppStore_icon.svg.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\ui-strings.js.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo.bat 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\web_documentcloud_logo.png 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\System\FM20.DLL 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\editvideoimage.png 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.RYK 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\RyukReadMe.html 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\RyukReadMe.html 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeTcbPrivilege 2692 svchost.exe Token: SeTcbPrivilege 2692 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3916 wrote to memory of 344 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 80 PID 3916 wrote to memory of 344 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 80 PID 3916 wrote to memory of 344 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 80 PID 3916 wrote to memory of 3908 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 81 PID 3916 wrote to memory of 3908 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 81 PID 3916 wrote to memory of 3908 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 81 PID 3916 wrote to memory of 3156 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 89 PID 3916 wrote to memory of 3156 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 89 PID 3916 wrote to memory of 3156 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 89 PID 3916 wrote to memory of 2168 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 82 PID 3916 wrote to memory of 2168 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 82 PID 3916 wrote to memory of 2168 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 82 PID 3916 wrote to memory of 3740 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 88 PID 3916 wrote to memory of 3740 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 88 PID 3916 wrote to memory of 3740 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 88 PID 3916 wrote to memory of 2104 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 85 PID 3916 wrote to memory of 2104 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 85 PID 3916 wrote to memory of 2104 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 85 PID 3916 wrote to memory of 1116 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 90 PID 3916 wrote to memory of 1116 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 90 PID 3916 wrote to memory of 1168 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 91 PID 3916 wrote to memory of 1116 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 90 PID 3916 wrote to memory of 1168 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 91 PID 3916 wrote to memory of 1168 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 91 PID 2104 wrote to memory of 3812 2104 net.exe 94 PID 2104 wrote to memory of 3812 2104 net.exe 94 PID 2104 wrote to memory of 3812 2104 net.exe 94 PID 3156 wrote to memory of 3976 3156 net.exe 97 PID 3156 wrote to memory of 3976 3156 net.exe 97 PID 3156 wrote to memory of 3976 3156 net.exe 97 PID 2168 wrote to memory of 1900 2168 net.exe 96 PID 2168 wrote to memory of 1900 2168 net.exe 96 PID 2168 wrote to memory of 1900 2168 net.exe 96 PID 3740 wrote to memory of 2004 3740 net.exe 95 PID 3740 wrote to memory of 2004 3740 net.exe 95 PID 3740 wrote to memory of 2004 3740 net.exe 95 PID 1168 wrote to memory of 1308 1168 net.exe 99 PID 1168 wrote to memory of 1308 1168 net.exe 99 PID 1168 wrote to memory of 1308 1168 net.exe 99 PID 1116 wrote to memory of 3980 1116 net.exe 98 PID 1116 wrote to memory of 3980 1116 net.exe 98 PID 1116 wrote to memory of 3980 1116 net.exe 98 PID 3916 wrote to memory of 8720 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 102 PID 3916 wrote to memory of 8856 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 103 PID 3916 wrote to memory of 8720 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 102 PID 3916 wrote to memory of 8720 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 102 PID 3916 wrote to memory of 8856 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 103 PID 3916 wrote to memory of 8856 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 103 PID 8720 wrote to memory of 8892 8720 net.exe 107 PID 8720 wrote to memory of 8892 8720 net.exe 107 PID 8720 wrote to memory of 8892 8720 net.exe 107 PID 8856 wrote to memory of 8680 8856 net.exe 106 PID 8856 wrote to memory of 8680 8856 net.exe 106 PID 8856 wrote to memory of 8680 8856 net.exe 106 PID 3916 wrote to memory of 8860 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 108 PID 3916 wrote to memory of 8860 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 108 PID 3916 wrote to memory of 8860 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 108 PID 3916 wrote to memory of 8568 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 109 PID 3916 wrote to memory of 8568 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 109 PID 3916 wrote to memory of 8568 3916 095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe 109 PID 8860 wrote to memory of 8684 8860 net.exe 112 PID 8860 wrote to memory of 8684 8860 net.exe 112 PID 8860 wrote to memory of 8684 8860 net.exe 112 PID 8568 wrote to memory of 8776 8568 net.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe"C:\Users\Admin\AppData\Local\Temp\095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\1073r.exe"C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP2⤵
- Executes dropped EXE
PID:344
-
-
C:\Users\Admin\AppData\Local\Temp\arkzUTEJPlan.exe"C:\Users\Admin\AppData\Local\Temp\arkzUTEJPlan.exe" 8 LAN2⤵
- Executes dropped EXE
PID:3908
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:1900
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:3812
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:2004
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:3976
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "coremessagingregistrar" /y3⤵PID:3980
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "coremessagingregistrar" /y3⤵PID:1308
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:8720 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:8892
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:8856 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:8680
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y2⤵
- Suspicious use of WriteProcessMemory
PID:8860 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "coremessagingregistrar" /y3⤵PID:8684
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y2⤵
- Suspicious use of WriteProcessMemory
PID:8568 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "coremessagingregistrar" /y3⤵PID:8776
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692