Analysis
-
max time kernel
139s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
05-03-2022 22:40
Static task
static1
Behavioral task
behavioral1
Sample
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
Resource
win10v2004-en-20220112
General
-
Target
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
-
Size
118KB
-
MD5
a31089dc3cafe77c39268273d689193b
-
SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7
-
SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
-
SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4
Malware Config
Extracted
C:\users\Public\RyukReadMe.html
ryuk
http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Executes dropped EXE 3 IoCs
Processes:
ptASSOoSXrep.execShpJGjCYlan.exeFMwDDCvAslan.exepid process 1940 ptASSOoSXrep.exe 1856 cShpJGjCYlan.exe 1536 FMwDDCvAslan.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
icacls.exeicacls.exepid process 22524 icacls.exe 22516 icacls.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe -
Drops file in Program Files directory 64 IoCs
Processes:
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exedescription ioc process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-disabled_32.svg ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle.cur ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\bun.png ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELM ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.ELM ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\PlayStore_icon.svg ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\LICENSE ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-options.jar ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\gui\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\7-Zip\Lang\mn.txt ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\ui-strings.js ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\ui-strings.js ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf-2x.png ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926556.profile.gz ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tr_get.svg ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\ui-strings.js ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\be_get.svg ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\RyukReadMe.html ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exepid process 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exenet.exenet.exenet.exenet.exedescription pid process target process PID 2628 wrote to memory of 1940 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe ptASSOoSXrep.exe PID 2628 wrote to memory of 1940 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe ptASSOoSXrep.exe PID 2628 wrote to memory of 1940 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe ptASSOoSXrep.exe PID 2628 wrote to memory of 1856 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe cShpJGjCYlan.exe PID 2628 wrote to memory of 1856 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe cShpJGjCYlan.exe PID 2628 wrote to memory of 1856 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe cShpJGjCYlan.exe PID 2628 wrote to memory of 1536 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe FMwDDCvAslan.exe PID 2628 wrote to memory of 1536 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe FMwDDCvAslan.exe PID 2628 wrote to memory of 1536 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe FMwDDCvAslan.exe PID 2628 wrote to memory of 22516 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe icacls.exe PID 2628 wrote to memory of 22516 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe icacls.exe PID 2628 wrote to memory of 22516 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe icacls.exe PID 2628 wrote to memory of 22524 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe icacls.exe PID 2628 wrote to memory of 22524 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe icacls.exe PID 2628 wrote to memory of 22524 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe icacls.exe PID 2628 wrote to memory of 43380 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 2628 wrote to memory of 43380 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 2628 wrote to memory of 43380 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 2628 wrote to memory of 42544 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 2628 wrote to memory of 42544 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 2628 wrote to memory of 42544 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 2628 wrote to memory of 49704 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 2628 wrote to memory of 49704 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 2628 wrote to memory of 49704 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 2628 wrote to memory of 51416 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 2628 wrote to memory of 51416 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 2628 wrote to memory of 51416 2628 ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe net.exe PID 43380 wrote to memory of 51664 43380 net.exe net1.exe PID 43380 wrote to memory of 51664 43380 net.exe net1.exe PID 43380 wrote to memory of 51664 43380 net.exe net1.exe PID 49704 wrote to memory of 51816 49704 net.exe net1.exe PID 49704 wrote to memory of 51816 49704 net.exe net1.exe PID 49704 wrote to memory of 51816 49704 net.exe net1.exe PID 51416 wrote to memory of 51824 51416 net.exe net1.exe PID 51416 wrote to memory of 51824 51416 net.exe net1.exe PID 51416 wrote to memory of 51824 51416 net.exe net1.exe PID 42544 wrote to memory of 51832 42544 net.exe net1.exe PID 42544 wrote to memory of 51832 42544 net.exe net1.exe PID 42544 wrote to memory of 51832 42544 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe"C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ptASSOoSXrep.exe"C:\Users\Admin\AppData\Local\Temp\ptASSOoSXrep.exe" 9 REP2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cShpJGjCYlan.exe"C:\Users\Admin\AppData\Local\Temp\cShpJGjCYlan.exe" 8 LAN2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FMwDDCvAslan.exe"C:\Users\Admin\AppData\Local\Temp\FMwDDCvAslan.exe" 8 LAN2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\RyukReadMe.htmlMD5
8398b1f229e0d80c65e262ae92085a90
SHA15142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
SHA2564e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
SHA512113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687
-
C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\RyukReadMe.htmlMD5
8398b1f229e0d80c65e262ae92085a90
SHA15142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
SHA2564e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
SHA512113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687
-
C:\DumpStack.log.tmp.RYKMD5
ee12e19478965c69d5eba7e390f035a1
SHA1d54cea96291c56e12b4912b2374c935e1ca813aa
SHA25606d0fad9df1a072a3f69634b0ee672a1c710c560acc8b11c07db359ec2ea66b4
SHA512c498717db5eb705de377ff5c686a8f0e20fe2537f0a96f01a46e627aae5808768bf265b9825fa55f2225a7df4117a626903bfc7dc0d681d72b954c8eb4d6d24d
-
C:\PerfLogs\RyukReadMe.htmlMD5
8398b1f229e0d80c65e262ae92085a90
SHA15142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
SHA2564e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
SHA512113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687
-
C:\RyukReadMe.htmlMD5
8398b1f229e0d80c65e262ae92085a90
SHA15142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
SHA2564e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
SHA512113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687
-
C:\Users\Admin\AppData\Local\Temp\FMwDDCvAslan.exeMD5
a31089dc3cafe77c39268273d689193b
SHA1032e0b9a0bf012401507be974ee6bdb3e6726fd7
SHA256ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
SHA512d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4
-
C:\Users\Admin\AppData\Local\Temp\FMwDDCvAslan.exeMD5
a31089dc3cafe77c39268273d689193b
SHA1032e0b9a0bf012401507be974ee6bdb3e6726fd7
SHA256ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
SHA512d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4
-
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.htmlMD5
8398b1f229e0d80c65e262ae92085a90
SHA15142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
SHA2564e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
SHA512113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687
-
C:\Users\Admin\AppData\Local\Temp\cShpJGjCYlan.exeMD5
a31089dc3cafe77c39268273d689193b
SHA1032e0b9a0bf012401507be974ee6bdb3e6726fd7
SHA256ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
SHA512d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4
-
C:\Users\Admin\AppData\Local\Temp\cShpJGjCYlan.exeMD5
a31089dc3cafe77c39268273d689193b
SHA1032e0b9a0bf012401507be974ee6bdb3e6726fd7
SHA256ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
SHA512d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4
-
C:\Users\Admin\AppData\Local\Temp\ptASSOoSXrep.exeMD5
a31089dc3cafe77c39268273d689193b
SHA1032e0b9a0bf012401507be974ee6bdb3e6726fd7
SHA256ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
SHA512d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4
-
C:\Users\Admin\AppData\Local\Temp\ptASSOoSXrep.exeMD5
a31089dc3cafe77c39268273d689193b
SHA1032e0b9a0bf012401507be974ee6bdb3e6726fd7
SHA256ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
SHA512d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4
-
C:\Users\RyukReadMe.htmlMD5
8398b1f229e0d80c65e262ae92085a90
SHA15142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
SHA2564e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
SHA512113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687
-
C:\odt\RyukReadMe.htmlMD5
8398b1f229e0d80c65e262ae92085a90
SHA15142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
SHA2564e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
SHA512113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687
-
C:\odt\config.xml.RYKMD5
7949b63a26742ac83d5d487f437f123a
SHA1cd505b46f6472adba94b34d7e21f86969e70eda4
SHA256436c13a6bd3c055cbae082d986e6238eca8ccaed35b381d21b2739ce5b86b74c
SHA5120c470779d86a76bc217c0cee8f2bf8d7431d1539b1bec861e36a8fa9baeffe5518c44813cae16ae8ceb099247ce8d7bab170b545ab581c23981a26dd932194ad
-
C:\users\Public\RyukReadMe.htmlMD5
8398b1f229e0d80c65e262ae92085a90
SHA15142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
SHA2564e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
SHA512113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687