ryuk | 2b5bda4a5b69baf73b091ff56f4e093af1ed26b4b6c8e8c091056d8bbf655877

General

Target

tmp.exe
Size

5.6MB
MD5

8553fce61d3e5901ac350a295ea9ab43
SHA1

a0a153fe479ced746588ad6d8507feae48a8faf7
SHA256

2b5bda4a5b69baf73b091ff56f4e093af1ed26b4b6c8e8c091056d8bbf655877
SHA512

e945653a21e6b8c9c47061634c5f99e93ad9fa0d532a2091af01e345f82ebf3bde6932b56bb453fac6e7489a4e94d0480fe1687270ca6a8aa51e945615c37ad8

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\pss.txt

Family

ryuk

Ransom Note

!!!admin !!!admin!!! !!!Admin!!! !!!ADMIN!!! !!!administrator !!!h!!! !!!it!!! !!!pass !!!password !!!PASSWORD!!! !!@@##qqwwee !!xxx!! !@#$%^&*!. !@#$%^&*!@ !@#$%^&*.! !@#$%^&*.@ !@#$%^&*@! !@#$%^&*@. !@#$%^&*11 !@#$%^&*12 !@#$%^&*1234 !@#$%^&*12345 !@#$%^&*2005 !@#$%^&*2006 !@#$%^&*22 !@#$%^&*44 !@#$%^&*55 !@#$%^&*88 !@#$%^&*99 !@#$%2010 !@#$%54321 !@#$1234!@#$1234 !@#.abc !@#123-pass !@#321qwe !@#ABC!@# !@#Asdzxc !@#germany !@#Paris !@#qwe$%^rty !@#Qweasd !@#RTY&*( !@#rty^%$ !@#RTY^%$ !@#rty789 !@#Serveradmin !@#Servidor !@123456 !@dmin !@dmin123 !1@dmin !123@dmin !1234dmin !123abc !123Abc !123ABC !123adm1n !123Adm1n !123aDmin !123Admin !123asdf !123Asdf !123dell !123p@ssw0rd !123P@ssw0rd !123p@ssword !123P@ssword !123p4ssw0rd !123P4ssw0rd !123p4ssword !123P4ssword !123pa$$w0rd !123Pa$$w0rd !123pa$$word !123Pa$$word !123pa55word !123Pa55word !123pass@word !123Pass@word !123passw0rd !123passw0rD !123Passw0rd !123Passw0rD !123password !123passworD !123Password !123PassworD !123qaz !123Qaz !123Qaz@wsx !123qaz2wsx !123qazwsx !123Qazwsx !123Qwe !123qwer !123Qwer !123us$er !123user !123User !123Wsx !123Zxc !123Zxcv !14dmin !1abc !1Abc !1ABC !1adm1n !1Adm1n !1admin !1aDmin !1Admin !1asdf !1Asdf !1p@ssw0rd !1P@ssw0rd !1p@ssword !1P@ssword !1p4ssw0rd !1P4ssw0rd !1p4ssword !1P4ssword !1pa$$w0rd !1Pa$$w0rd !1pa$$word !1Pa$$word !1pa55word !1Pa55word !1pass@word !1Pass@word !1passw0rd !1passw0rD !1Passw0rd !1Passw0rD !1password !1passworD !1Password !1PassworD !1Qaz@wsx !1qazwsx !1Qazwsx !1qwe !1Qwe !1qwer !1Qwer !1us$er !1user !1User !1Wsx !1Zxc !1Zxcv !2345678 !23America !4dmin !4dmin123 !A2s#D4f !A3d@S4f !aA1 !Aa1 !aA12 !Aa12 !aA123 !aA1234 !Aa1234 !aA12345 !Aa12345 !aA123456 !aA1234567 !Aa1234567 !Aa12345678 !aA123456789 !Aa123456789 !aA12354678 !abc !Abc !ABC !Access123 !Access12345 !Access123456 !adm!n123 !adm1n !Adm1n !adm1n123 !aDmin !admin@pass !administrator !asdf !Asdf !az@sx !Change123 !Change12345 !Change123456 !Changeme123 !Changeme12345 !Changeme123456 !Hello123 !Hello12345 !Hello123456 !Master123 !Master12345 !Master123456 !n@123@123 !nd!@123 !nd!@1234 !nd!@12345 !nd!a@123 !nd!a@1234 !nd!a@12345 !nd!a123 !nd1@123 !nd1@1234 !nd1@12345 !nd1a@123 !nd1a@1234 !nd1a@12345 !nd1a123 !ndi@123 !ndi@1234 !ndi@12345 !ndia@123 !ndia@1234 !ndia@12345 !ndia123 !NTERNET !ovh !p@$$ !P@$$ !p@ss !P@ss !p@ssword !P30 !p4ssw0rd !P4ssw0rd !p4ssword !P4ssword !pa$$word !pa55word !Pa55word !Pass !pass@word !Pass@word !pass123 !Pass1234 !passw0rD !Passw0rD !passworD !PassworD !Q@W#E4r !Q@W#E4r5t6y !q1 !q12 !q123 !q1234 !q12345 !q1234567 !q12345678 !q123456789 !Q2w#E4r%T6y !Q2w3e4r5t^Y !Q4r@W3e !qa@WS !QA@ws !qa@ws#ed !QA2ws !QA2WS !qasdr% !QASDR% !QASW@ !qaz!edc !qaz!rfv !QAZ@WSX_PLM)OKN !qaz_plm !QAZ_PLM !QAZ1qaz@WSX2wsx !qaz2w$x !qaz2w5x !QAZ2was !QAZ2wsx- !QAZ2wsx#ED4rfv !QAZ3edc%TGB !qazplm !QAZs !QAZx !QAZxs2w !QAZXSW@#EDCvfr4 !QAZXSW@3edcvfr4 !Qwe !qwer !Qwer !Server123 !Server12345 !Server123456 !Start123 !Start12345 !Start123456 !Temp123 !Temp12345 !Temp123456 !Test123 !Test12345 !Test123456 !W@Q1w2q !Windows123 !Windows12345 !Windows123456 !Wsx !Z@X3c4v !Z@XQAWS !Z2x#C !Z2x#C4v !Zxc "admin" "Ovh" "password" #$%admin #$ERDFCV #@dmin #1@dmin #123@dmin #1234dmin #123abc #123Abc #123ABC #123adm1n #123Adm1n #123aDmin #123asdf #123Asdf #123p@ssw0rd #123P@ssw0rd #123p@ssword #123P@ssword #123p4ssw0rd #123P4ssw0rd #123p4ssword #123P4ssword #123pa$$w0rd #123Pa$$w0rd #123pa$$word #123Pa$$word #123pa55word #123Pa55word #123pass@word #123Pass@word #123passw0rd #123passw0rD #123Passw0rd #123Passw0rD #123password #123passworD #123Password #123PassworD #123qaz #123Qaz #123Qaz@wsx #123qaz2wsx #123qazwsx #123Qazwsx #123qwe #123Qwe #123qwer #123Qwer #123us$er #123user #123User #123Wsx #123Zxc #123Zxcv #14dmin #1abc #1Abc #1ABC #1adm1n #1Adm1n #1aDmin #1Admin #1asdf #1Asdf #1p@ssw0rd #1P@ssw0rd #1p@ssword #1P@ssword #1p4ssw0rd #1P4ssw0rd #1p4ssword #1P4ssword #1pa$$w0rd #1Pa$$w0rd #1pa$$word #1Pa$$word #1pa55word #1Pa55word #1pass@word #1Pass@word #1passw0rd #1passw0rD #1Passw0rd #1Passw0rD #1password #1passworD #1Password #1PassworD #1qaz #1Qaz #1Qaz@wsx #1qaz2wsx #1qazwsx #1Qazwsx #1qwe #1Qwe #1qwer #1Qwer #1us$er #1user #1User #1Wsx #1Zxc #1Zxcv #3admin #3Admin #4dmin #abc #Abc #ABC #Access123 #Access12345 #Access123456 #adm1n #Adm1n #admin #aDmin #Admin #Admin123 #admin12345 #Admin12345 #admin123456 #Admin123456 #admin2 #Admin2 #ame #asdf #Asdf #Change123 #Change12345 #Change123456 #Changeme123 #Changeme12345 #Changeme123456 #d1a@S #edc #edfgy& #EDFGY& #five #Hello123 #Hello12345 #Hello123456 #Master123 #Master12345 #Master123456 #one #p@ssw0rd #P@ssw0rd #p@ssword #P@ssword #p4ssw0rd #P4ssw0rd #p4ssword #P4ssword #pa$$w0rd #Pa$$w0rd #pa$$word #Pa$$word #pa55word #Pa55word #pass@word #Pass@word #passw0rd #passw0rD #Passw0rD #passworD #Password #PassworD #qaz #Qaz #Qaz@wsx #qaz2wsx #qazwsx #Qazwsx #qwe #Qwe #qwer #Qwer #Server123 #Server12345 #Server123456 #Start123 #Start12345 #Start123456 #Temp123 #Temp12345 #Temp123456 #Test123 #Test12345 #Test123456 #three #two #u$er#123 #u5er#123 #us$er #us3r#123 #user #User #W@E3w2e #W2e#W2e #WE@3we2 #Windows123 #Windows12345 #Windows123456 #Wsx #Zxc #Zxcv $#@!qwer $#@!qwerfdsa $#REFDVC $%^admin $%^RTY $%gfRTbv $%RTFGVB $@dmin $@msung $1@dmin $123@dmin $1234dmin $123abc $123Abc $123ABC $123adm1n $123Adm1n $123aDmin $123Admin $123asdf $123Asdf $123p@ssw0rd $123P@ssw0rd $123p@ssword $123P@ssword $123p4ssw0rd $123P4ssw0rd $123p4ssword $123P4ssword $123pa$$w0rd $123Pa$$w0rd $123pa$$word $123Pa$$word $123pa55word $123Pa55word $123pass@word $123Pass@word $123passw0rd $123passw0rD $123Passw0rd $123Passw0rD $123password $123passworD $123Password $123PassworD $123qaz $123Qaz $123Qaz@wsx $123qaz2wsx $123qazwsx $123Qazwsx $123qwe $123Qwe $123qwer $123Qwer $123us$er $123user $123User $123Wsx $123Zxc $123Zxcv $14dmin $1abc $1Abc $1ABC $1adm1n $1Adm1n $1aDmin $1Admin $1asdf $1Asdf $1p@ssw0rd $1P@ssw0rd $1p@ssword $1P@ssword $1p4ssw0rd $1P4ssw0rd $1p4ssword $1P4ssword $1pa$$w0rd $1Pa$$w0rd $1pa$$word $1Pa$$word $1pa55word $1Pa55word $1pass@word $1Pass@word $1passw0rd $1passw0rD $1Passw0rd $1Passw0rD $1password $1passworD $1Password $1PassworD $1qaz $1Qaz $1Qaz@wsx $1qaz2wsx $1qazwsx $1Qazwsx $1qwe $1Qwe $1qwer $1Qwer $1us$er $1user $1User $1Wsx $1Zxc $1Zxcv $3r73r@qw3 $3r73r@qwe $4dmin $abc $Abc $ABC $Access123 $Access12345 $Access123456 $adm1n $aDmin $Admin1 $admin12 $admin123 $Admin123 $admin12345 $Admin12345 $admin123456 $Admin123456 $amsung $asdf $Asdf $Change123 $Change12345 $Change123456 $Changeme123 $Changeme12345 $Changeme123456 $E#R2qw1 $en@t0r $en@t0r@1 $en@t0r@2016 $er73r@qw3 $er73r@qwe $erver! $erver!@# $erver!@#123 $erver!1 $erver!123456 $erver!1234567 $erver!12345678 $erver!123456789 $erver!1980 $erver!1981 $erver!1982 $erver!1983 $erver!1984 $erver!1985 $erver!1986 $erver!1987 $erver!1988 $erver!1989 $erver!1990 $erver!1991 $erver!1992 $erver!1993 $erver!1994 $erver!1995 $erver!1996 $erver!1997 $erver!1998 $erver!1999 $erver!2000 $erver!2001 $erver!2002 $erver!2004 $erver!2005 $erver!2006 $erver!2007 $erver!2009 $erver!2010 $erver!2011 $erver!2012 $erver!2013 $erver!2016 $erver!2017 $erver!2018 $erver!2019 $erver!2020 $erver# $erver#@! $erver#@!123 $erver#1 $erver#123456 $erver#1234567 $erver#12345678 $erver#123456789 $erver#1980 $erver#1981 $erver#1982 $erver#1983 $erver#1985 $erver#1986 $erver#1987 $erver#1988 $erver#1989 $erver#1990 $erver#1991 $erver#1992 $erver#1993 $erver#1994 $erver#1995 $erver#1996 $erver#1997 $erver#1998 $erver#1999 $erver#2000 $erver#2001 $erver#2002 $erver#2004 $erver#2005 $erver#2006 $erver#2007 $erver#2009 $erver#2010 $erver#2011 $erver#2012 $erver#2013 $erver#2016 $erver#2017 $erver#2018 $erver#2019 $erver#2020 $erver$ $erver$1 $erver$123456 $erver$1234567 $erver$12345678 $erver$123456789 $erver$1980 $erver$1981 $erver$1982 $erver$1983 $erver$1984 $erver$1985 $erver$1986 $erver$1987 $erver$1988 $erver$1989 $erver$1990 $erver$1991 $erver$1992 $erver$1993 $erver$1994 $erver$1995 $erver$1996 $erver$1997 $erver$1998 $erver$1999 $erver$2000 $erver$2001 $erver$2002 $erver$2004 $erver$2005 $erver$2006 $erver$2007 $erver$2009 $erver$2010 $erver$2011 $erver$2012 $erver$2013 $erver$2016 $erver$2017 $erver$2018 $erver$2019 $erver$2020 $erver.123 $erver.1234 $erver.12345 $erver.123456 $erver.1234567 $erver.12345678 $erver.123456789 $erver.1980 $erver.1981 $erver.1982 $erver.1983 $erver.1984 $erver.1985 $erver.1986 $erver.1987 $erver.1988 $erver.1989 $erver.1990 $erver.1991 $erver.1992 $erver.1993 $erver.1994 $erver.1995 $erver.1996 $erver.1997 $erver.1998 $erver.1999 $erver.2000 $erver.2001 $erver.2002 $erver.2003 $erver.2004 $erver.2005 $erver.2006 $erver.2007 $erver.2008 $erver.2009 $erver.2010 $erver.2011 $erver.2012 $erver.2013 $erver.2014 $erver.2015 $erver.2016 $erver.2017 $erver.2018 $erver.2019 $erver.2020 $erver@ $erver@1 $erver@111 $erver@111# $erver@123# $erver@123456 $erver@1234567 $erver@12345678 $erver@123456789 $erver@1980 $erver@1981 $erver@1982 $erver@1983 $erver@1984 $erver@1985 $erver@1986 $erver@1987 $erver@1988 $erver@1989 $erver@1990 $erver@1991 $erver@1992 $erver@1993 $erver@1994 $erver@1995 $erver@1996 $erver@1997 $erver@1998 $erver@1999 $erver@2000 $erver@2001 $erver@2002 $erver@2004 $erver@2005 $erver@2006 $erver@2007 $erver@2009 $erver@2010 $erver@2011 $erver@2012 $erver@2013 $erver@2016 $erver@2017 $erver@2018 $erver@2019 $erver@2020 $erver@222 $erver@222# $erver@333 $erver@333# $erver_123 $erver_1234 $erver_12345 $erver1! $erver1# $erver1$ $erver1@ $erver-123 $erver123! $erver123!# $erver123# $erver123$ $erver123. $erver123@ $erver-1234 $erver1234! $erver1234# $erver1234@ $erver-12345 $erver12345! $erver12345# $erver12345@ $erver123456 $erver123456! $erver123456# $erver123456@ $erver1234567 $erver1234567! $erver1234567# $erver1234567@ $erver12345678 $erver12345678! $erver12345678# $erver12345678@ $erver123456789 $erver123456789! $erver123456789# $erver123456789@ $erver1980! $erver1980# $erver1980@ $erver1981! $erver1981# $erver1981@ $erver1982! $erver1982# $erver1982@ $erver1983! $erver1983# $erver1983@ $erver1984! $erver1984# $erver1984@ $erver1985! $erver1985# $erver1985@ $erver1986! $erver1986# $erver1986@ $erver1987! $erver1987# $erver1987@ $erver1988! $erver1988# $erver1988@ $erver1989! $erver1989# $erver1989@ $erver1990! $erver1990# $erver1990@ $erver1991! $erver1991# $erver1991@ $erver1992! $erver1992# $erver1992@ $erver1993! $erver1993# $erver1993@ $erver1994! $erver1994# $erver1994@ $erver1995! $erver1995# $erver1995@ $erver1996! $erver1996# $erver1996@ $erver1997! $erver1997# $erver1997@ $erver1998! $erver1998# $erver1998@ $erver1999! $erver1999# $erver1999@ $erver2000! $erver2000# $erver2000@ $erver2001! $erver2001# $erver2001@ $erver2002! $erver2002# $erver2002@ $erver2003! $erver2003# $erver2003@ $erver2004! $erver2004# $erver2004@ $erver2005! $erver2005# $erver2005@ $erver2006! $erver2006# $erver2006@ $erver2007! $erver2007# $erver2007@ $erver2008! $erver2008# $erver2008@ $erver2009! $erver2009# $erver2009@ $erver2010! $erver2010# $erver2010@ $erver2011! $erver2011# $erver2011@ $erver2012! $erver2012# $erver2012@ $erver2013! $erver2013# $erver2013@ $erver2014! $erver2014# $erver2014@ $erver2015! $erver2015# $erver2015@ $erver2016! $erver2016# $erver2016@ $erver2017! $erver2017# $erver2017@ $erver2018! $erver2018# $erver2018@ $erver2019! $erver2019# $erver2019@ $erver2020! $erver2020# $erver2020@ $erverovh $esz%rdx $ESZ%RDX $ESZ%RDX^TFC $ESZ%RDX^TFC&YGV $ESZ%RDX6tfc7ygv $esz5rdx $ESZ5rdx^TFC7ygv $eszxdr%^tfc $ESZXDR%^TFCVGY& $ESZxdr5^TFC $ESZxdr5^TFCvgy7 $ESZxdr5cft6 $Hello123 $Hello12345 $Hello123456 $Master123 $Master12345 $Master123456 $nigol$ $nn$ $ovh $p@ssw0rd $P@ssw0rd $p@ssword $P@ssword $p4ssw0rd $P4ssw0rd $p4ssword $P4ssword $pa$$w0rd $Pa$$w0rd $pa$$word $Pa$$word $pa55word $Pa55word $pass@word $Pass@word $passw0rd $passw0rD $Passw0rd $Passw0rD $passworD $Password $PassworD $Password1 $Qaz $Qaz@wsx $qaz2wsx $qazwsx $Qazwsx $Qwe $qwer $Qwer $RDCVFE# $rfv $RGB%TFV $Server123 $Server12345 $Server123456 $Start123 $Start12345 $Start123456 $Temp123 $Temp12345 $Temp123456 $Test123 $Test12345 $Test123456 $uperm@n $uperman $upp0rt!!!111 $upp0rt!!!123 $upp0rt!@#123 $upp0rt!0 $upp0rt!01 $upp0rt!1 $upp0rt!123 $upp0rt!12345 $upp0rt!123456 $upp0rt!2000 $upp0rt!2003 $upp0rt!2008 $upp0rt!2012 $upp0rt!2016 $upp0rt!2017 $upp0rt!321 $upp0rt# $upp0rt###123 $upp0rt###333 $upp0rt#123 $upp0rt#12345 $upp0rt#123456 $upp0rt#2000 $upp0rt#2003 $upp0rt#2008 $upp0rt#2012 $upp0rt#2016 $upp0rt#2017 $upp0rt#321 $upp0rt$$$444 $upp0rt$123 $upp0rt$12345 $upp0rt$123456 $upp0rt$2000 $upp0rt$2003 $upp0rt$2008 $upp0rt$2012 $upp0rt$2016 $upp0rt$2017 $upp0rt$321 $upp0rt* $upp0rt***123 $upp0rt***888 $upp0rt*123 $upp0rt*12345 $upp0rt*123456 $upp0rt*2000 $upp0rt*2003 $upp0rt*2008 $upp0rt*2012 $upp0rt*2016 $upp0rt*2017 $upp0rt*321 $upp0rt. $upp0rt.123 $upp0rt.12345 $upp0rt.123456 $upp0rt.2000 $upp0rt.2003 $upp0rt.2008 $upp0rt.2012 $upp0rt.2016 $upp0rt.2017 $upp0rt.321 $upp0rt@ $upp0rt@@@123 $upp0rt@@@222 $upp0rt@123 $upp0rt@12345 $upp0rt@123456 $upp0rt@2000 $upp0rt@2003 $upp0rt@2008 $upp0rt@2012 $upp0rt@2016 $upp0rt@2017 $upp0rt@321 $upp0rt_0011 $upp0rt_123 $upp0rt_12345 $upp0rt_123456 $upp0rt_2000 $upp0rt_2003 $upp0rt_2008 $upp0rt_2012 $upp0rt_2016 $upp0rt_2017 $upp0rt_321 $upp0rt0! $upp0rt01! $upp0rt1! $upp0rt123! $upp0rt123!@# $upp0rt123# $upp0rt123$ $upp0rt123$%^ $upp0rt123* $upp0rt123. $upp0rt123.. $upp0rt123@ $upp0rt123_ $upp0rt123123 $upp0rt12345! $upp0rt12345# $upp0rt12345$ $upp0rt12345* $upp0rt12345. $upp0rt12345@ $upp0rt12345_ $upp0rt123456! $upp0rt123456# $upp0rt123456$ $upp0rt123456* $upp0rt123456. $upp0rt123456@ $upp0rt123456_ $upp0rt159753 $upp0rt2000 $upp0rt2000! $upp0rt2000# $upp0rt2000* $upp0rt2000@ $upp0rt2003 $upp0rt2003! $upp0rt2003# $upp0rt2003* $upp0rt2003@ $upp0rt2008 $upp0rt2008! $upp0rt2008# $upp0rt2008* $upp0rt2008@ $upp0rt2012 $upp0rt2012! $upp0rt2012# $upp0rt2012* $upp0rt2012@ $upp0rt2016 $upp0rt2016! $upp0rt2016# $upp0rt2016* $upp0rt2016@ $upp0rt2017! $upp0rt2017# $upp0rt2017$ $upp0rt2017* $upp0rt2017. $upp0rt2017@ $upp0rt2017_ $upp0rt321 $upp0rt654321 $upp0rt98 $upport! $upport!!!111 $upport!!!123 $upport!@#123 $upport!0 $upport!01 $upport!1 $upport!123 $upport!12345 $upport!123456 $upport!2000 $upport!2003 $upport!2008 $upport!2012 $upport!2016 $upport!2017 $upport!321 $upport# $upport###123 $upport###333 $upport#1 $upport#123 $upport#12345 $upport#123456 $upport#2000 $upport#2003 $upport#2008 $upport#2012 $upport#2016 $upport#2017 $upport#321 $upport$ $upport$$$444 $upport$123 $upport$12345 $upport$123456 $upport$2000 $upport$2003 $upport$2008 $upport$2012 $upport$2016 $upport$2017 $upport$321 $upport* $upport***123 $upport***888 $upport*123 $upport*12345 $upport*123456 $upport*2000 $upport*2003 $upport*2008 $upport*2012 $upport*2016 $upport*2017 $upport*321 $upport. $upport.123 $upport.12345 $upport.123456 $upport.2000 $upport.2003 $upport.2008 $upport.2012 $upport.2016 $upport.2017 $upport.321 $upport@ $upport@@@123 $upport@@@222 $upport@1 $upport@123 $upport@12345 $uppor

Emails

[email protected]@123

#DonOlivier,[email protected]

[email protected]

[email protected]!@#

URLs

http

http!23

http1

http12

http123

http1234

httpd

httpd!@#$

httpd112233

httpd123

httpd1234

httpdroot

httpds

https

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
3588	ctfmon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	tmp.exe

Loads dropped DLL 3 IoCs

pid	Process
3588	ctfmon.exe
3588	ctfmon.exe
3588	ctfmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 3588	4784	tmp.exe	82
PID 4784 wrote to memory of 3588	4784	tmp.exe	82
PID 4784 wrote to memory of 3588	4784	tmp.exe	82

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\ctfmon.exe
  "C:\Users\Admin\AppData\Local\Temp\ctfmon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3588-136-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/3588-137-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/3588-138-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing