ryuk | 2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357

Analysis

max time kernel
162s
max time network
49s
platform
windows7_x64
resource
win7v20210408
submitted
26-07-2021 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
Size

122KB
MD5

268c8c879f67be89dbb020bf0844d9e0
SHA1

631ae3e5bb0b791c2926829a00e99154c94621c9
SHA256

2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357
SHA512

047ddf54dc13b455528ec3370e02c0ca006bd86b207a6b7dabb86390f0dcf7d194196876fdf44a6e6556a6b32210e71edb2889ff1071fb899795e6373d75fb52

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VNYR844D\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Public\Recorded TV\Sample Media\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Public\Libraries\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Public\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Public\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBUI6.CHM	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF.RYK	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\RyukReadMe.txt	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\settings.js	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02794_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18217_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241043.WMF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.ELM	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239935.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18180_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2B.GIF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\RyukReadMe.txt	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237336.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.RYK	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF.RYK	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18236_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00828_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01356_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14655_.GIF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\MSB1ENES.ITS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00440_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02161_.WMF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Austin.eftx	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44B.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188519.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME07.CSS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.INF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-spi-actions.xml_hidden	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RyukReadMe.txt	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\RyukReadMe.txt	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
Token: SeBackupPrivilege	1120	taskhost.exe
Token: SeBackupPrivilege	1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1120	1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	14
PID 1840 wrote to memory of 1172	1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	13
PID 1840 wrote to memory of 1212	1840	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212
- C:\Users\Admin\AppData\Local\Temp\2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1840

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-60-0x000000013F740000-0x000000013FAC1000-memory.dmp

Filesize
3.5MB

Download
memory/1212-61-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download