Analysis
- max time kernel: 157s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 05-03-2022 21:06
Static task: static1
Behavioral task: behavioral1
- Sample: 11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: 11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
- Resource: win10v2004-en-20220112
General
- Target: 11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
- Size: 122KB
- MD5: bd0d931b21e4d8f85cea56b3e17b5f49
- SHA1: e0c604bcf4dc48f5929d382f7af84b157ceb87db
- SHA256: 11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0
- SHA512: a6d6f736e4b86e3544ede2b0a285639a20295de75b26b606add66504d7e238ae2439e6d9549bc0cd13cd8ff6917a481fb275761991444d70497a27c10f368d29
Malware Config
- Extracted from: C:\$Recycle.Bin\RyukReadMe.html
- ryuk
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Modifies file permissions (1 TTPs, 2 IoCs)
  pid   Process
  1972  icacls.exe
  2848  icacls.exe
- Drops desktop.ini file(s) (1 IoCs)
  description                   ioc                                                                           Process
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI  11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
- Drops file in Program Files directory (64 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                  pid   Process                                                                procid_target
  PID 1320 wrote to memory of  1972  11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe  63
  PID 1320 wrote to memory of  1972  11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe  63
  PID 1320 wrote to memory of  1972  11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe  63
  PID 1320 wrote to memory of  2848  11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe  64
  PID 1320 wrote to memory of  2848  11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe  64
  PID 1320 wrote to memory of  2848  11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe  64
Processes
- C:\Users\Admin\AppData\Local\Temp\11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe"
  PID: 1320
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    PID: 1972
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    PID: 2848
    - Modifies file permissions