General

Target: ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
Filesize: 118KB
Completed: 05-03-2022 22:42
Task: behavioral2
Score: 10/10

MD5: a31089dc3cafe77c39268273d689193b
SHA1: 032e0b9a0bf012401507be974ee6bdb3e6726fd7
SHA256: ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
SHA512: d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Malware Config

Extracted

Path: C:\users\Public\RyukReadMe.html
Family: ryuk

Ransom Note (JavaScript fragment extracted from the HTML note):
contact balance of shadow universe Ryuk
$password = 'N2QvTsXamJ';
$torlink = 'http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion';
function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs: http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion
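The extracted note stores the victim password and the Tor portal as JavaScript variables, which is what an analyst wants pulled out of every note found on a host. The following Python extractor is an added example, not part of the sandbox report: it matches both assignments in a note body and checks that the .onion name is a well-formed v3 address (56 base32 characters). The HTML wrapper around the report's own snippet is constructed, and the function and class names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the JavaScript fragment the sandbox extracted from
# RyukReadMe.html (copied from the report), wrapped in minimal HTML so the
# extractor is exercised on something shaped like the dropped note. The real
# note's full markup is not reproduced here.
SAMPLE_NOTE = r"""<html><body>
<p>contact balance of shadow universe Ryuk</p>
<script>
$password = 'N2QvTsXamJ';
$torlink = 'http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion';
function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
</script>
</body></html>"""

# The note assigns the password and the portal to JavaScript variables;
# both assignments are matched with either quote style.
PASSWORD_RE = re.compile(r"""\$password\s*=\s*['"]([^'"]+)['"]""")
TORLINK_RE = re.compile(r"""\$torlink\s*=\s*['"](https?://[^'"\s]+)['"]""")
ONION_HOST_RE = re.compile(r"^https?://([a-z2-7.]+\.onion)(?::\d+)?(?:/|$)", re.I)


@dataclass
class RyukNoteConfig:
    password: str
    tor_url: str
    onion_host: str
    onion_version: Optional[int]  # 3, 2, or None when the name is malformed


def onion_version(host: str) -> Optional[int]:
    """Classify an onion host by its label length: v3 names are 56 base32
    characters, the retired v2 names were 16; anything else is malformed."""
    name = host.lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    name = name.split(".")[-1]  # ignore any subdomain labels
    if re.fullmatch(r"[a-z2-7]{56}", name):
        return 3
    if re.fullmatch(r"[a-z2-7]{16}", name):
        return 2
    return None


def extract_ryuk_config(note_text: str) -> Optional[RyukNoteConfig]:
    """Pull password and Tor portal out of a note body; None if either is absent."""
    pw = PASSWORD_RE.search(note_text)
    link = TORLINK_RE.search(note_text)
    if not pw or not link:
        return None
    url = link.group(1)
    host_match = ONION_HOST_RE.match(url)
    host = host_match.group(1) if host_match else ""
    return RyukNoteConfig(
        password=pw.group(1),
        tor_url=url,
        onion_host=host,
        onion_version=onion_version(host) if host else None,
    )


if __name__ == "__main__":
    print(extract_ryuk_config(SAMPLE_NOTE))
```

Run it against every RyukReadMe.html collected from a host: the password differs per victim, so a differing value across hosts in one incident is itself a useful data point.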

Signatures 10

Tactics: Defense Evasion, Discovery

  • Ryuk

    Description

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Executes dropped EXE
    ptASSOoSXrep.exe, cShpJGjCYlan.exe, FMwDDCvAslan.exe

    Reported IOCs

    pid     process
    1940    ptASSOoSXrep.exe
    1856    cShpJGjCYlan.exe
    1536    FMwDDCvAslan.exe

    All three dropped executables carry the same MD5/SHA1/SHA256 as the submitted sample (see Downloads): the sample copies itself into %TEMP% under random names and relaunches the copies with the arguments "9 REP" and "8 LAN" (see Processes).
  • Checks computer location settings
    ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

    Description

    Looks up the country code configured in the registry, likely a geofence check.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
    process: ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
  • Modifies file permissions
    icacls.exe, icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid      process
    22524    icacls.exe
    22516    icacls.exe

    Both instances run icacls "<drive>:\*" /grant Everyone:F /T /C /Q, once for C:\ and once for D:\ (see Processes): Everyone is granted full control of every file, recursively, continuing past errors and without prompting, so the subsequent write to each file no longer depends on its existing ACL.
  • Drops desktop.ini file(s)
    ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

    Reported IOCs

    description: File opened for modification
    ioc: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
    process: ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
  • Drops file in Program Files directory
    ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

    Reported IOCs

    description: File opened for modification (every entry)
    process: ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe (every entry)

    The entries are of two kinds: RyukReadMe.html being written into application directories, and existing application files being opened for writing (the encryption pass; compare the .RYK files under Downloads).

    ioc:
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\RyukReadMe.html
    C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar
    C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-disabled_32.svg
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle.cur
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\bun.png
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELM
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\RyukReadMe.html
    C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.ELM
    C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\PlayStore_icon.svg
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\RyukReadMe.html
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf
    C:\Program Files\Java\jdk1.8.0_66\LICENSE
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\RyukReadMe.html
    C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms
    C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui
    C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR
    C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui
    C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL
    C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\RyukReadMe.html
    C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\RyukReadMe.html
    C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-options.jar
    C:\Program Files\VideoLAN\VLC\plugins\gui\RyukReadMe.html
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\RyukReadMe.html
    C:\Program Files\7-Zip\Lang\mn.txt
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\ui-strings.js
    C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\ui-strings.js
    C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\RyukReadMe.html
    C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf-2x.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\RyukReadMe.html
    C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms
    C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx
    C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\RyukReadMe.html
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926556.profile.gz
    C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms
    C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\RyukReadMe.html
    C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar
    C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\RyukReadMe.html
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tr_get.svg
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\ui-strings.js
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\RyukReadMe.html
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\be_get.svg
    C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\RyukReadMe.html
    C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar
    C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\RyukReadMe.html
    C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\RyukReadMe.html
    C:\Program Files\7-Zip\7-zip.chm
    C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Runs net.exe
    Four instances: net stop "audioendpointbuilder" /y (twice) and net stop "samss" /y (twice), each delegating to net1.exe (see Processes).
  • Suspicious behavior: EnumeratesProcesses
    ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

    Reported IOCs

    pid     process                                                                  entries
    2628    ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe    4
  • Suspicious use of WriteProcessMemory
    ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe, net.exe (4 instances)

    Reported IOCs

    Each row below appears three times in the raw log; the "process" for pid 2628 is ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe, for pids 43380, 49704, 51416 and 42544 it is net.exe.

    description                            pid      target process      entries
    PID 2628 wrote to memory of 1940       2628     ptASSOoSXrep.exe    3
    PID 2628 wrote to memory of 1856       2628     cShpJGjCYlan.exe    3
    PID 2628 wrote to memory of 1536       2628     FMwDDCvAslan.exe    3
    PID 2628 wrote to memory of 22516      2628     icacls.exe          3
    PID 2628 wrote to memory of 22524      2628     icacls.exe          3
    PID 2628 wrote to memory of 43380      2628     net.exe             3
    PID 2628 wrote to memory of 42544      2628     net.exe             3
    PID 2628 wrote to memory of 49704      2628     net.exe             3
    PID 2628 wrote to memory of 51416      2628     net.exe             3
    PID 43380 wrote to memory of 51664     43380    net1.exe            3
    PID 49704 wrote to memory of 51816     49704    net1.exe            3
    PID 51416 wrote to memory of 51824     51416    net1.exe            3
    PID 42544 wrote to memory of 51832     42544    net1.exe            3
Processes 14
  • C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
    "C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe"
    Checks computer location settings
    Drops desktop.ini file(s)
    Drops file in Program Files directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Users\Admin\AppData\Local\Temp\ptASSOoSXrep.exe
      "C:\Users\Admin\AppData\Local\Temp\ptASSOoSXrep.exe" 9 REP
      Executes dropped EXE
      PID:1940
    • C:\Users\Admin\AppData\Local\Temp\cShpJGjCYlan.exe
      "C:\Users\Admin\AppData\Local\Temp\cShpJGjCYlan.exe" 8 LAN
      Executes dropped EXE
      PID:1856
    • C:\Users\Admin\AppData\Local\Temp\FMwDDCvAslan.exe
      "C:\Users\Admin\AppData\Local\Temp\FMwDDCvAslan.exe" 8 LAN
      Executes dropped EXE
      PID:1536
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      Modifies file permissions
      PID:22516
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      Modifies file permissions
      PID:22524
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      Suspicious use of WriteProcessMemory
      PID:42544
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        PID:51832
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      Suspicious use of WriteProcessMemory
      PID:43380
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        PID:51664
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      Suspicious use of WriteProcessMemory
      PID:49704
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        PID:51816
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      Suspicious use of WriteProcessMemory
      PID:51416
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        PID:51824
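The signatures and the process tree above give three command-line patterns that, seen together under one parent, characterise this sample: the self-copies relaunched with "8 LAN" / "9 REP", icacls granting Everyone full control of whole drives, and net stop of samss and audioendpointbuilder. The following Python is an added example, not from the report or the sandbox: it runs those three rules over constructed Sysmon-style process-creation events built from the tree above (pids, images and command lines copied from it), adds two benign administrative commands that must not fire, and then correlates hits by parent pid so that the combination, not any single command, raises the alert. The event field names, rule names, the sample's own ppid and the benign events are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed process-creation events modelled on the process tree in the report.
# The ppid of the sample itself and the two benign events at the end are assumed.
EVENTS = [
    {"pid": 2628, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe"'},
    {"pid": 1940, "ppid": 2628, "image": r"C:\Users\Admin\AppData\Local\Temp\ptASSOoSXrep.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ptASSOoSXrep.exe" 9 REP'},
    {"pid": 1856, "ppid": 2628, "image": r"C:\Users\Admin\AppData\Local\Temp\cShpJGjCYlan.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\cShpJGjCYlan.exe" 8 LAN'},
    {"pid": 1536, "ppid": 2628, "image": r"C:\Users\Admin\AppData\Local\Temp\FMwDDCvAslan.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FMwDDCvAslan.exe" 8 LAN'},
    {"pid": 22516, "ppid": 2628, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\*" /grant Everyone:F /T /C /Q'},
    {"pid": 22524, "ppid": 2628, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "D:\*" /grant Everyone:F /T /C /Q'},
    {"pid": 42544, "ppid": 2628, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y'},
    {"pid": 49704, "ppid": 2628, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": r'"C:\Windows\System32\net.exe" stop "samss" /y'},
    {"pid": 51832, "ppid": 42544, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "audioendpointbuilder" /y'},
    # Benign administrative activity (constructed) that the rules must not flag.
    {"pid": 7001, "ppid": 900, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Shares\Reports" /grant "CORP\alice":M /T'},
    {"pid": 7002, "ppid": 900, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net stop spooler"},
]


def image_name(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_icacls_everyone_full(ev: Dict) -> bool:
    """icacls granting Everyone full control of a whole drive, recursively."""
    if image_name(ev["image"]) != "icacls.exe":
        return False
    cmd = ev["cmdline"]
    return bool(re.search(r'/grant(?::r)?\s+"?everyone"?:\(?f\)?', cmd, re.I)
                and re.search(r"/t\b", cmd, re.I)
                and re.search(r"[a-z]:\\\*", cmd, re.I))


def rule_net_stop_ryuk_services(ev: Dict) -> bool:
    """net/net1 stopping the two services this sample stops before encrypting."""
    if image_name(ev["image"]) not in ("net.exe", "net1.exe"):
        return False
    return re.search(r'\bstop\s+"?(samss|audioendpointbuilder)"?', ev["cmdline"], re.I) is not None


def rule_ryuk_self_copy_args(ev: Dict) -> bool:
    """A binary in %TEMP% launched with the "8 LAN" / "9 REP" arguments seen in the tree."""
    return ("\\appdata\\local\\temp\\" in ev["image"].lower()
            and re.search(r'"\s(8 LAN|9 REP)\s*$', ev["cmdline"]) is not None)


RULES = {
    "icacls_everyone_full_control": rule_icacls_everyone_full,
    "net_stop_ryuk_services": rule_net_stop_ryuk_services,
    "ryuk_self_copy_args": rule_ryuk_self_copy_args,
}


def detect(events: List[Dict]) -> List[Dict]:
    """Apply every rule to every event; one hit per (event, rule) pair."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append({"rule": name, "pid": ev["pid"], "ppid": ev["ppid"], "cmdline": ev["cmdline"]})
    return hits


def correlate(events: List[Dict], min_rules: int = 2) -> Dict[int, List[str]]:
    """Parents whose direct children trip at least min_rules distinct rules:
    the combination, not any single command, is what makes the tree Ryuk-like."""
    by_parent = defaultdict(set)
    for hit in detect(events):
        by_parent[hit["ppid"]].add(hit["rule"])
    return {ppid: sorted(rules) for ppid, rules in by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["rule"], hit["pid"], hit["cmdline"])
    print("suspicious parents:", correlate(EVENTS))
```

On real telemetry the net1.exe hit lands under the net.exe parent rather than the encryptor, which is why the correlation keys on the direct parent and requires two distinct rules: a lone `net stop` or a lone permissive `icacls` is routine administration, the three together under one unsigned binary in %TEMP% is not.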
MITRE ATT&CK Matrix

Techniques reported by the signatures above, by tactic:

  • Discovery: Query Registry; System Information Discovery
  • Defense Evasion: File Permissions Modification
Downloads

The three random-named .exe files in %TEMP% carry the submitted sample's own hashes (self-copies), every RyukReadMe.html is byte-identical, and the .RYK files are the encrypted originals with the extension appended.

  • C:\$Recycle.Bin\RyukReadMe.html
    MD5: 8398b1f229e0d80c65e262ae92085a90
    SHA1: 5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
    SHA256: 4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
    SHA512: 113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

  • C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\RyukReadMe.html
    MD5: 8398b1f229e0d80c65e262ae92085a90
    SHA1: 5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
    SHA256: 4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
    SHA512: 113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

  • C:\DumpStack.log.tmp.RYK
    MD5: ee12e19478965c69d5eba7e390f035a1
    SHA1: d54cea96291c56e12b4912b2374c935e1ca813aa
    SHA256: 06d0fad9df1a072a3f69634b0ee672a1c710c560acc8b11c07db359ec2ea66b4
    SHA512: c498717db5eb705de377ff5c686a8f0e20fe2537f0a96f01a46e627aae5808768bf265b9825fa55f2225a7df4117a626903bfc7dc0d681d72b954c8eb4d6d24d

  • C:\PerfLogs\RyukReadMe.html
    MD5: 8398b1f229e0d80c65e262ae92085a90
    SHA1: 5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
    SHA256: 4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
    SHA512: 113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

  • C:\RyukReadMe.html
    MD5: 8398b1f229e0d80c65e262ae92085a90
    SHA1: 5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
    SHA256: 4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
    SHA512: 113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

  • C:\Users\Admin\AppData\Local\Temp\FMwDDCvAslan.exe
    MD5: a31089dc3cafe77c39268273d689193b
    SHA1: 032e0b9a0bf012401507be974ee6bdb3e6726fd7
    SHA256: ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
    SHA512: d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4
  • C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
    MD5: 8398b1f229e0d80c65e262ae92085a90
    SHA1: 5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
    SHA256: 4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
    SHA512: 113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

  • C:\Users\Admin\AppData\Local\Temp\cShpJGjCYlan.exe
    MD5: a31089dc3cafe77c39268273d689193b
    SHA1: 032e0b9a0bf012401507be974ee6bdb3e6726fd7
    SHA256: ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
    SHA512: d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4
  • C:\Users\Admin\AppData\Local\Temp\ptASSOoSXrep.exe
    MD5: a31089dc3cafe77c39268273d689193b
    SHA1: 032e0b9a0bf012401507be974ee6bdb3e6726fd7
    SHA256: ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
    SHA512: d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4
  • C:\Users\RyukReadMe.html
    MD5: 8398b1f229e0d80c65e262ae92085a90
    SHA1: 5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
    SHA256: 4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
    SHA512: 113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

  • C:\odt\RyukReadMe.html
    MD5: 8398b1f229e0d80c65e262ae92085a90
    SHA1: 5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
    SHA256: 4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
    SHA512: 113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

  • C:\odt\config.xml.RYK
    MD5: 7949b63a26742ac83d5d487f437f123a
    SHA1: cd505b46f6472adba94b34d7e21f86969e70eda4
    SHA256: 436c13a6bd3c055cbae082d986e6238eca8ccaed35b381d21b2739ce5b86b74c
    SHA512: 0c470779d86a76bc217c0cee8f2bf8d7431d1539b1bec861e36a8fa9baeffe5518c44813cae16ae8ceb099247ce8d7bab170b545ab581c23981a26dd932194ad

  • C:\users\Public\RyukReadMe.html
    MD5: 8398b1f229e0d80c65e262ae92085a90
    SHA1: 5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d
    SHA256: 4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5
    SHA512: 113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687
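The Downloads list shows the two on-disk artefacts an incident responder has to scope after this sample runs: RyukReadMe.html dropped into each directory and originals renamed with an appended .RYK (config.xml.RYK, DumpStack.log.tmp.RYK). The following Python script is an added example, not part of the report: it walks a tree, counts both kinds of artefact, recovers the original extensions behind .RYK, flags directories that hold encrypted files but no note, and compares each note's SHA256 against the value recorded above. The directory layout and file contents it builds are constructed stand-ins (the real note and ciphertext are not reproduced), and the function and field names are assumptions.

```python
import hashlib
import os
import tempfile
from collections import Counter
from typing import Dict

NOTE_NAME = "RyukReadMe.html"
ENCRYPTED_EXT = ".RYK"
# SHA256 of the note as recorded in the Downloads list above; a note whose
# hash differs is still counted but reported as an unknown variant.
KNOWN_NOTE_SHA256 = {"4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5"}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: str) -> Dict:
    """Walk root and summarise Ryuk artefacts: notes, .RYK files, and the
    original extensions behind the appended .RYK (config.xml.RYK -> .xml)."""
    notes, encrypted, unknown_notes = [], [], []
    note_dirs, encrypted_dirs = set(), set()
    original_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name == NOTE_NAME:
                notes.append(rel)
                note_dirs.add(rel_dir)
                if sha256_file(full) not in KNOWN_NOTE_SHA256:
                    unknown_notes.append(rel)
            elif name.upper().endswith(ENCRYPTED_EXT):
                encrypted.append(rel)
                encrypted_dirs.add(rel_dir)
                original = name[: -len(ENCRYPTED_EXT)]
                original_ext[os.path.splitext(original)[1].lower() or "(none)"] += 1
    return {
        "note_count": len(notes),
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "original_extensions": dict(original_ext),
        # Encrypted files but no note: worth a second look (interrupted run,
        # note cleaned up, or a directory the encryptor treated differently).
        "encrypted_dirs_without_note": sorted(encrypted_dirs - note_dirs),
        "unknown_note_variants": sorted(unknown_notes),
    }


def build_sample_tree(root: str) -> None:
    """Constructed layout echoing the Downloads list, with stand-in contents."""
    files = {
        "RyukReadMe.html": b"<html>stand-in note</html>",
        "DumpStack.log.tmp.RYK": os.urandom(64),
        os.path.join("odt", "RyukReadMe.html"): b"<html>stand-in note</html>",
        os.path.join("odt", "config.xml.RYK"): os.urandom(64),
        os.path.join("PerfLogs", "RyukReadMe.html"): b"<html>stand-in note</html>",
        os.path.join("Users", "Public", "RyukReadMe.html"): b"<html>stand-in note</html>",
        os.path.join("Program Files", "App", "data.db.RYK"): os.urandom(64),
        os.path.join("Untouched", "notes.txt"): b"plain text left alone",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def run_demo() -> Dict:
    """Build the constructed tree in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return inventory(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point `inventory()` at a mounted image or a collected file listing rather than the live host where possible; the hash comparison is what distinguishes this exact note from a different Ryuk build carrying a different password and portal.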