095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2

Resubmissions

11-06-2021 09:25

210611-4ldscwwnln 10

11-06-2021 09:21

210611-h2e98z629s 8

Analysis

max time kernel
81s
max time network
112s
platform
windows10_x64
resource
win10v20210410
submitted
11-06-2021 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
Size

304KB
MD5

b38db96edbdac1684268b98c8dcffce7
SHA1

88d410bfa5810af0b3c6add7b4911f7a57ea7213
SHA256

095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2
SHA512

bee65541a8f563d793e6be861ad7e92183c6cfd36e14e558a9c01267d26c759cbc0871bfd6b66c692dfd2161df42705e9db2d9de2ad45d66471b36a4426eaaa3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3600	1073r.exe
1904	kRCrXiAAZlan.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\U:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\N:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\L:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\G:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\F:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\E:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\X:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\R:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\M:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\K:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\I:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\S:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\Y:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\V:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\T:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\O:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\J:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\H:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\Z:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\P:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\Q:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\ExportJoin.ogg	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\FindExit.WTV	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\derby_common.bat	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.bat	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\install.ins	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\DebugGet.jpeg	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3892	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
3892	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
3892	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
3892	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	3548	svchost.exe
Token: SeTcbPrivilege	3548	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 3600	3892	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	80
PID 3892 wrote to memory of 3600	3892	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	80
PID 3892 wrote to memory of 3600	3892	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	80
PID 3892 wrote to memory of 1904	3892	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	81
PID 3892 wrote to memory of 1904	3892	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	81
PID 3892 wrote to memory of 1904	3892	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	81

C:\Users\Admin\AppData\Local\Temp\095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
"C:\Users\Admin\AppData\Local\Temp\095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\1073r.exe
  "C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Users\Admin\AppData\Local\Temp\kRCrXiAAZlan.exe
  "C:\Users\Admin\AppData\Local\Temp\kRCrXiAAZlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2104
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3728
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2896
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:68
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3520
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y
  2⤵
  PID:2232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "coremessagingregistrar" /y
    3⤵
    PID:3844
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "coremessagingregistrar" /y
  2⤵
  PID:3744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "coremessagingregistrar" /y
    3⤵
    PID:2004

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1904-125-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/3600-123-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/3892-115-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/3892-114-0x0000000002130000-0x0000000002156000-memory.dmp

Filesize
152KB

Download