ryuk | ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-en-20211208
submitted
05-03-2022 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
Size

118KB
MD5

a31089dc3cafe77c39268273d689193b
SHA1

032e0b9a0bf012401507be974ee6bdb3e6726fd7
SHA256

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
SHA512

d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'N2QvTsXamJ'; $torlink = 'http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

XJgJijnKVrep.exeypXbiYOlylan.exeuIvPQsuPalan.exe

pid process

576 XJgJijnKVrep.exe
316 ypXbiYOlylan.exe
1004 uIvPQsuPalan.exe

pid	process
576	XJgJijnKVrep.exe
316	ypXbiYOlylan.exe
1004	uIvPQsuPalan.exe

Loads dropped DLL 6 IoCs

Processes:

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

pid	process
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

22084 icacls.exe
22092 icacls.exe

pid	process
22084	icacls.exe
22092	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Inuvik	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Casey	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Caracas	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\javaws.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Chagos	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Noronha	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cancun	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guatemala	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\RemoveSkip.ogg	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

pid	process
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1908 wrote to memory of 576	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	XJgJijnKVrep.exe
PID 1908 wrote to memory of 576	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	XJgJijnKVrep.exe
PID 1908 wrote to memory of 576	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	XJgJijnKVrep.exe
PID 1908 wrote to memory of 576	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	XJgJijnKVrep.exe
PID 1908 wrote to memory of 316	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	ypXbiYOlylan.exe
PID 1908 wrote to memory of 316	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	ypXbiYOlylan.exe
PID 1908 wrote to memory of 316	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	ypXbiYOlylan.exe
PID 1908 wrote to memory of 316	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	ypXbiYOlylan.exe
PID 1908 wrote to memory of 1004	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	uIvPQsuPalan.exe
PID 1908 wrote to memory of 1004	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	uIvPQsuPalan.exe
PID 1908 wrote to memory of 1004	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	uIvPQsuPalan.exe
PID 1908 wrote to memory of 1004	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	uIvPQsuPalan.exe
PID 1908 wrote to memory of 22084	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	icacls.exe
PID 1908 wrote to memory of 22084	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	icacls.exe
PID 1908 wrote to memory of 22084	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	icacls.exe
PID 1908 wrote to memory of 22084	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	icacls.exe
PID 1908 wrote to memory of 22092	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	icacls.exe
PID 1908 wrote to memory of 22092	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	icacls.exe
PID 1908 wrote to memory of 22092	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	icacls.exe
PID 1908 wrote to memory of 22092	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	icacls.exe
PID 1908 wrote to memory of 46896	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46896	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46896	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46896	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46888	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46888	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46888	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46888	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46948	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46948	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46948	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46948	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46956	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46956	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46956	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 1908 wrote to memory of 46956	1908	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	net.exe
PID 46948 wrote to memory of 51100	46948	net.exe	net1.exe
PID 46948 wrote to memory of 51100	46948	net.exe	net1.exe
PID 46948 wrote to memory of 51100	46948	net.exe	net1.exe
PID 46948 wrote to memory of 51100	46948	net.exe	net1.exe
PID 46896 wrote to memory of 51092	46896	net.exe	net1.exe
PID 46896 wrote to memory of 51092	46896	net.exe	net1.exe
PID 46896 wrote to memory of 51092	46896	net.exe	net1.exe
PID 46896 wrote to memory of 51092	46896	net.exe	net1.exe
PID 46956 wrote to memory of 51108	46956	net.exe	net1.exe
PID 46956 wrote to memory of 51108	46956	net.exe	net1.exe
PID 46956 wrote to memory of 51108	46956	net.exe	net1.exe
PID 46956 wrote to memory of 51108	46956	net.exe	net1.exe
PID 46888 wrote to memory of 51136	46888	net.exe	net1.exe
PID 46888 wrote to memory of 51136	46888	net.exe	net1.exe
PID 46888 wrote to memory of 51136	46888	net.exe	net1.exe
PID 46888 wrote to memory of 51136	46888	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
"C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\XJgJijnKVrep.exe
"C:\Users\Admin\AppData\Local\Temp\XJgJijnKVrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:576

C:\Users\Admin\AppData\Local\Temp\ypXbiYOlylan.exe
"C:\Users\Admin\AppData\Local\Temp\ypXbiYOlylan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:316

C:\Users\Admin\AppData\Local\Temp\uIvPQsuPalan.exe
"C:\Users\Admin\AppData\Local\Temp\uIvPQsuPalan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1004

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:22084

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:22092

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:46896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:51092

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:46888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:51136

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:46948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:51100

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:46956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:51108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\RyukReadMe.html
MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\RyukReadMe.html
MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
6ac3c8db9c9918dbb08f16e88e6faf8d

SHA1
df0cf2eeb6ec8f45823ab383388117a0f0538bf7

SHA256
e10c7fd8065ecc8a8f3d5dbfdf56526e0a32cf94c0f45a4fbf0acb1d456cf29a

SHA512
dea677534de9a6bec5b4cb71d3b78269a790b8ac95377c486916bb4f881c7c6541c5a90637f92dc579f581249b4939deabf2f743cba84365087625b176c0124c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
MD5
f2140dc25072c50e78486bb050e37a6c

SHA1
6af5561ed77b826b3382e1ffcf4f644537d5b891

SHA256
a81a85388fcbd3015c8dcaa4cddee114da941b709ac9360d95431fdf38184dbd

SHA512
648fcf8635f29c21eca8d9e43a3b522f80960dd89948de4a8f0e5f143dd2d7ea782fd79dd9183fb9a4141dc21944f1123c04d45640b4e39f79d87c8dd4e4bbb7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
MD5
6988461fa720c3cff8f416630d7cb64d

SHA1
a2528e539ef61daecd3ec9c1c92a9cd705169d22

SHA256
e04169a851e6dd1be883f273cd65a92398feb1c1148a0681a5056691748bcfe2

SHA512
eab81060ba3403265b9234e22a921bd17f4d92c5aff47dafb82676dce1fdf087aac2211271851e0e643295f19ee8ef69010591d8fdfd0d62658c9ba9f9076cce

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
0028c241d5eed51a76c70ee3a5b03a74

SHA1
353880c158f49f823ea6eb5ba47bdd3c4fd33cbb

SHA256
f091dd30f9de0f6aae11e274ad803ab9351415d94176b3aa40448869773871c5

SHA512
4b1f2a244f3d115e034c7d209ef09b31264dcab0e90b8724aa873031582f32552546b5c336e911c1603fcf26f1fd4a8dd9bd48fe67919aa07d9df5a535d8762d

Download Submit
C:\MSOCache\RyukReadMe.html
MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\RyukReadMe.html
MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Temp\XJgJijnKVrep.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XJgJijnKVrep.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIvPQsuPalan.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIvPQsuPalan.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypXbiYOlylan.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypXbiYOlylan.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\RyukReadMe.html
MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\users\Public\RyukReadMe.html
MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
\Users\Admin\AppData\Local\Temp\XJgJijnKVrep.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
\Users\Admin\AppData\Local\Temp\XJgJijnKVrep.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
\Users\Admin\AppData\Local\Temp\uIvPQsuPalan.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
\Users\Admin\AppData\Local\Temp\uIvPQsuPalan.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
\Users\Admin\AppData\Local\Temp\ypXbiYOlylan.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
\Users\Admin\AppData\Local\Temp\ypXbiYOlylan.exe
MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
memory/1908-55-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download