ryuk | 1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea

General

Target

1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
Size

54KB
MD5

c81424677bcfcf9eeafa3504d87e5c63
SHA1

9393744eaf2cd526e3007a0363d2291faba236b2
SHA256

1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea
SHA512

4ac18a81065b70e44052705753e7d5bf5585e05db8618d2758434e7e126dda8b39c010d0521d237c440fe3da766f107992517a542ac9b8b11ac1f98f7958a6fc

Score

10^/10

ryuk ransomware suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\BackFiles_encoded01.txt

Family

ryuk

Ransom Note

[+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension .encoded01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt 1-5 files for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You can open our site by the shortcut "SUPPORT (TOR_BROWSER)" created on the desktop. Also as the second option you can install the tor browser: a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website. Full link will be provided below. ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! ----------------------------------------------------------------------------------------- Your ID: BslOjiEIZkRVoqiHQesLw22nJLk6PiQjNZ%2FryyiNELJPmXO%2FFDxIcmSMn7Zv2jjlY7F2%2BA5lBi49l4n8Zd868DuENNlzPxUMNszZ%2FTbaM4lC5VbeF2IEfDHwxuEwhXPdSvN9rlk%2BUmR94N3uLY8x%2BjbzKaRYegdhf87A4S2MfaQo%2BmjoSGxbKRn12OA1kS7xRqJj%2Bj1JI3Ja4f7nRIt2pkCZLPZtUC49Fs7K3ijaTfFcu2zeM0gQe0Hem%2FV05SnhYaAC70pvDD4Y8%2BzxI49goFSBT7hOTVpFQd3JxSjYYecwuhzMFi1UAjPh4%2B0unzmpRopUtD94G1x95uPtQ9UJ0FGAG7dLfC0rIsbjvw6Ic7p%2Bk0vdTGYSfGv0lsRx%2BRGiTr4M1nREUHQNxZvKL49gikq6K8IsKVBVQJDJxUTPMflson%2B%2BFGwFAj7Yxe0nvGO0Mbt%2B9xxjMiZoxOPcU4UdwkqkG%2BxpciQlZuDKzwOfffRusS31N2QOd2DPnbd9z2HGaLE4%2B1ZeFwY85MXlMIFkm16UU9k1T1J6fOnG7ibZN9JDnjzkE1IqJwTWn7YVpDqWfppR%2FSZGVGl15f7cRugg%2BWrsfMxnTywXApeNtQfaRpFplWz9FV8XXErQ7Loi%2FwSxNI8AxRlkCCtjh5rBKo1xtUr7fMU8aTVLZcXAyiX%2FJuQ0kSLcBDokLB%2Fz8eIT3W2ANJRg2TFtUls1w9X8dtgFo3Cqe9xRaV8NE5PdtjiAbYJlh0POF0BHIUrG1aoi%2FyegZZE23WhaCz1j18nhZNlJtTWOK6hMSihda%2FTO40nMYOwz%2Bhj9SU80IxH2wrRw03uCZpkgwVs%2BJEJ99Oj%2FJvgW5jf%2FIdxgRQQQN%2BjF1wqqWIZWmyr4HE4seH6Cnclo5xHgbrAl42dKDSs%2ByJDvCINjl2KnLPcERQRkVNfE42LfBd9DmwTaV1AXdR7X%2F80wjjzxV6JK6ipjIyZOk5ztRYsW4U2eHeFzPwd8L83b1gOAT69Rp3%2FZCEcoWWnrmr0l%2ByDNYOx8yFVHVitj683xMbpeu12MSOlKWQ4rSp6f%2F3yOIdBs7HzMBDogIzGX3%2Fd33kqtYrRyuk9YKCNkyvrZNY8V922OO%2FlGYjI0Eun5sA6JTIBchHG%2BOVQYfUiQ6Ldl5WShd6UDzXdnJDA305%2FQD6lar3aHadRLPDFdX8Dtt0PPJ6NTpny6alEkYWfgz%2B0XgEyaV4Y8vjo%3D Your support onion(TOR) url: http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=BslOjiEIZkRVoqiHQesLw22nJLk6PiQjNZ%2FryyiNELJPmXO%2FFDxIcmSMn7Zv2jjlY7F2%2BA5lBi49l4n8Zd868DuENNlzPxUMNszZ%2FTbaM4lC5VbeF2IEfDHwxuEwhXPdSvN9rlk%2BUmR94N3uLY8x%2BjbzKaRYegdhf87A4S2MfaQo%2BmjoSGxbKRn12OA1kS7xRqJj%2Bj1JI3Ja4f7nRIt2pkCZLPZtUC49Fs7K3ijaTfFcu2zeM0gQe0Hem%2FV05SnhYaAC70pvDD4Y8%2BzxI49goFSBT7hOTVpFQd3JxSjYYecwuhzMFi1UAjPh4%2B0unzmpRopUtD94G1x95uPtQ9UJ0FGAG7dLfC0rIsbjvw6Ic7p%2Bk0vdTGYSfGv0lsRx%2BRGiTr4M1nREUHQNxZvKL49gikq6K8IsKVBVQJDJxUTPMflson%2B%2BFGwFAj7Yxe0nvGO0Mbt%2B9xxjMiZoxOPcU4UdwkqkG%2BxpciQlZuDKzwOfffRusS31N2QOd2DPnbd9z2HGaLE4%2B1ZeFwY85MXlMIFkm16UU9k1T1J6fOnG7ibZN9JDnjzkE1IqJwTWn7YVpDqWfppR%2FSZGVGl15f7cRugg%2BWrsfMxnTywXApeNtQfaRpFplWz9FV8XXErQ7Loi%2FwSxNI8AxRlkCCtjh5rBKo1xtUr7fMU8aTVLZcXAyiX%2FJuQ0kSLcBDokLB%2Fz8eIT3W2ANJRg2TFtUls1w9X8dtgFo3Cqe9xRaV8NE5PdtjiAbYJlh0POF0BHIUrG1aoi%2FyegZZE23WhaCz1j18nhZNlJtTWOK6hMSihda%2FTO40nMYOwz%2Bhj9SU80IxH2wrRw03uCZpkgwVs%2BJEJ99Oj%2FJvgW5jf%2FIdxgRQQQN%2BjF1wqqWIZWmyr4HE4seH6Cnclo5xHgbrAl42dKDSs%2ByJDvCINjl2KnLPcERQRkVNfE42LfBd9DmwTaV1AXdR7X%2F80wjjzxV6JK6ipjIyZOk5ztRYsW4U2eHeFzPwd8L83b1gOAT69Rp3%2FZCEcoWWnrmr0l%2ByDNYOx8yFVHVitj683xMbpeu12MSOlKWQ4rSp6f%2F3yOIdBs7HzMBDogIzGX3%2Fd33kqtYrRyuk9YKCNkyvrZNY8V922OO%2FlGYjI0Eun5sA6JTIBchHG%2BOVQYfUiQ6Ldl5WShd6UDzXdnJDA305%2FQD6lar3aHadRLPDFdX8Dtt0PPJ6NTpny6alEkYWfgz%2B0XgEyaV4Y8vjo%3D

URLs

http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=BslOjiEIZkRVoqiHQesLw22nJLk6PiQjNZ%2FryyiNELJPmXO%2FFDxIcmSMn7Zv2jjlY7F2%2BA5lBi49l4n8Zd868DuENNlzPxUMNszZ%2FTbaM4lC5VbeF2IEfDHwxuEwhXPdSvN9rlk%2BUmR94N3uLY8x%2BjbzKaRYegdhf87A4S2MfaQo%2BmjoSGxbKRn12OA1kS7xRqJj%2Bj1JI3Ja4f7nRIt2pkCZLPZtUC49Fs7K3ijaTfFcu2zeM0gQe0Hem%2FV05SnhYaAC70pvDD4Y8%2BzxI49goFSBT7hOTVpFQd3JxSjYYecwuhzMFi1UAjPh4%2B0unzmpRopUtD94G1x95uPtQ9UJ0FGAG7dLfC0rIsbjvw6Ic7p%2Bk0vdTGYSfGv0lsRx%2BRGiTr4M1nREUHQNxZvKL49gikq6K8IsKVBVQJDJxUTPMflson%2B%2BFGwFAj7Yxe0nvGO0Mbt%2B9xxjMiZoxOPcU4UdwkqkG%2BxpciQlZuDKzwOfffRusS31N2QOd2DPnbd9z2HGaLE4%2B1ZeFwY85MXlMIFkm16UU9k1T1J6fOnG7ibZN9JDnjzkE1IqJwTWn7YVpDqWfppR%2FSZGVGl15f7cRugg%2BWrsfMxnTywXApeNtQfaRpFplWz9FV8XXErQ7Loi%2FwSxNI8AxRlkCCtjh5rBKo1xtUr7fMU8aTVLZcXAyiX%2FJuQ0kSLcBDokLB%2Fz8eIT3W2ANJRg2TFtUls1w9X8dtgFo3Cqe9xRaV8NE5PdtjiAbYJlh0POF0BHIUrG1aoi%2FyegZZE23WhaCz1j18nhZNlJtTWOK6hMSihda%2FTO40nMYOwz%2Bhj9SU80IxH2wrRw03uCZpkgwVs%2BJEJ99Oj%2FJvgW5jf%2FIdxgRQQQN%2BjF1wqqWIZWmyr4HE4seH6Cnclo5xHgbrAl42dKDSs%2ByJDvCINjl2KnLPcERQRkVNfE42LfBd9DmwTaV1AXdR7X%2F80wjjzxV6JK6ipjIyZOk5ztRYsW4U2eHeFzPwd8L83b1gOAT69Rp3%2FZCEcoWWnrmr0l%2ByDNYOx8yFVHVitj683xMbpeu12MSOlKWQ4rSp6f%2F3yOIdBs7HzMBDogIzGX3%2Fd33kqtYrRyuk9YKCNkyvrZNY8V922OO%2FlGYjI0Eun5sA6JTIBchHG%2BOVQYfUiQ6Ldl5WShd6UDzXdnJDA305%2FQD6lar3aHadRLPDFdX8Dtt0PPJ6NTpny6alEkYWfgz%2B0XgEyaV4Y8vjo%3D

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE WIN32/KOVTER.B Checkin
suricata: ET MALWARE WIN32/KOVTER.B Checkin
suricata

Drops desktop.ini file(s) 1 IoCs

Processes:

1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe

description	ioc	process
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 whatismyipaddress.com
44 whatismyipaddress.com

flow	ioc
42	whatismyipaddress.com
44	whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

Processes:

1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe

description	ioc	process
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\c2r64.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\mn.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\tr.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\ug.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-conio-l1-1-0.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\gu.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\sr-spl.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-runtime-l1-1-0.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\c2rintl.ms-my.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\be.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\fa.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\io.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\ru.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-utility-l1-1-0.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\c2rintl.th-th.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\7z.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\an.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-filesystem-l1-1-0.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-environment-l1-1-0.dll.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\clientcapabilities.json	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\7-zip32.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\et.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\appvclientisv.man	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\c2rintl.sv-se.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\tt.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\tt.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\uz.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\c2rintl.kk-kz.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\fy.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\fy.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\kaa.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\mng.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\msvcp140.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\uninstall.exe	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-conio-l1-1-0.dll.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\appvisvapi.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\cpprestsdk.dll.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\7-zip32.dll.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\7z.exe.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\mr.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\ne.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\inspectorofficegadget.exe.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\nl.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystemcontroller.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\c2rintl.tr-tr.dll.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\7zfm.exe.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\eu.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\hi.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\ku.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-locale-l1-1-0.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\frequentofficeupdateschedule.xml.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\7-zip.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\hu.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\nb.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\ps.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\c2rintl.he-il.dll.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\c2rintl.zh-cn.dll.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\hi.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\7-zip\lang\lt.txt	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\lij.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-filesystem-l1-1-0.dll.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\common files\microsoft shared\clicktorun\c2rintl.ar-sa.dll.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\clicktorun\c2rintl.pt-pt.dll	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
File created	\??\c:\program files\7-zip\lang\he.txt.encoded01	1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.240811"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4336"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006664"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899079066283929"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4124"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.773577"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.499461"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3988"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

TiWorker.exe

description	pid	process
Token: SeSecurityPrivilege	1836	TiWorker.exe
Token: SeRestorePrivilege	1836	TiWorker.exe
Token: SeBackupPrivilege	1836	TiWorker.exe
Token: SeBackupPrivilege	1836	TiWorker.exe
Token: SeRestorePrivilege	1836	TiWorker.exe
Token: SeSecurityPrivilege	1836	TiWorker.exe
Token: SeBackupPrivilege	1836	TiWorker.exe
Token: SeRestorePrivilege	1836	TiWorker.exe
Token: SeSecurityPrivilege	1836	TiWorker.exe
Token: SeBackupPrivilege	1836	TiWorker.exe
Token: SeRestorePrivilege	1836	TiWorker.exe
Token: SeSecurityPrivilege	1836	TiWorker.exe
Token: SeBackupPrivilege	1836	TiWorker.exe
Token: SeRestorePrivilege	1836	TiWorker.exe
Token: SeSecurityPrivilege	1836	TiWorker.exe

C:\Users\Admin\AppData\Local\Temp\1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
"C:\Users\Admin\AppData\Local\Temp\1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2852

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3148

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2852-130-0x0000000000940000-0x0000000000951000-memory.dmp

Filesize
68KB

Download
memory/2852-131-0x0000000000FC0000-0x0000000000FDF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads