ryuk | aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5

General

Target

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
Size

808KB
MD5

50cc057a164640715e70a43979175a3f
SHA1

690d83a764b7f4b65232e25c410c02cc5901ad72
SHA256

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
SHA512

ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> unumschooler1972@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

unumschooler1972@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

unumschooler1972@protonmail.com balance of shadow universe Ryuk

Emails

unumschooler1972@protonmail.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 2 IoCs

Processes:

qydJmMi.exeqydJmMi.exe

pid process

2304 qydJmMi.exe
1472 qydJmMi.exe

pid	process
2304	qydJmMi.exe
1472	qydJmMi.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exeqydJmMi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	qydJmMi.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

description	ioc	process
File opened (read-only)	\??\a:	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened (read-only)	\??\A:	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exeqydJmMi.exe

description	pid	process	target process
PID 3696 set thread context of 620	3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
PID 2304 set thread context of 1472	2304	qydJmMi.exe	qydJmMi.exe

Drops file in Program Files directory 64 IoCs

Processes:

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\PersonalMonthlyBudget.xltx	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_EN.LEX	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp32.msi	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\jawt_md.h	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARABD.TTF	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYHBD.TTC	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\WordCapabilities.json	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.ELM	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\RyukReadMe.html	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

16812 1472 WerFault.exe qydJmMi.exe
Runs net.exe

pid	pid_target	process	target process
16812	1472	WerFault.exe	qydJmMi.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exeqydJmMi.exe

pid	process
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
1472	qydJmMi.exe
1472	qydJmMi.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exeqydJmMi.exe

pid process

3696 aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
2304 qydJmMi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exeqydJmMi.exe

description	pid	process
Token: SeBackupPrivilege	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
Token: SeBackupPrivilege	1472	qydJmMi.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exeqydJmMi.exe

pid	process
3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
2304	qydJmMi.exe
2304	qydJmMi.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exeaced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exenet.exenet.exeqydJmMi.exenet.exenet.exeqydJmMi.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3696 wrote to memory of 620	3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
PID 3696 wrote to memory of 620	3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
PID 3696 wrote to memory of 620	3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
PID 3696 wrote to memory of 620	3696	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
PID 620 wrote to memory of 2304	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	qydJmMi.exe
PID 620 wrote to memory of 2304	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	qydJmMi.exe
PID 620 wrote to memory of 2304	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	qydJmMi.exe
PID 620 wrote to memory of 2716	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 2716	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 2716	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 3860	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 3860	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 3860	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 2716 wrote to memory of 3788	2716	net.exe	net1.exe
PID 2716 wrote to memory of 3788	2716	net.exe	net1.exe
PID 2716 wrote to memory of 3788	2716	net.exe	net1.exe
PID 3860 wrote to memory of 4704	3860	net.exe	net1.exe
PID 3860 wrote to memory of 4704	3860	net.exe	net1.exe
PID 3860 wrote to memory of 4704	3860	net.exe	net1.exe
PID 2304 wrote to memory of 1472	2304	qydJmMi.exe	qydJmMi.exe
PID 2304 wrote to memory of 1472	2304	qydJmMi.exe	qydJmMi.exe
PID 2304 wrote to memory of 1472	2304	qydJmMi.exe	qydJmMi.exe
PID 2304 wrote to memory of 1472	2304	qydJmMi.exe	qydJmMi.exe
PID 620 wrote to memory of 4560	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 4560	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 4560	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 4560 wrote to memory of 3048	4560	net.exe	net1.exe
PID 4560 wrote to memory of 3048	4560	net.exe	net1.exe
PID 4560 wrote to memory of 3048	4560	net.exe	net1.exe
PID 620 wrote to memory of 4328	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 4328	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 4328	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 4328 wrote to memory of 1900	4328	net.exe	net1.exe
PID 4328 wrote to memory of 1900	4328	net.exe	net1.exe
PID 4328 wrote to memory of 1900	4328	net.exe	net1.exe
PID 1472 wrote to memory of 3572	1472	qydJmMi.exe	net.exe
PID 1472 wrote to memory of 3572	1472	qydJmMi.exe	net.exe
PID 1472 wrote to memory of 3572	1472	qydJmMi.exe	net.exe
PID 3572 wrote to memory of 5244	3572	net.exe	net1.exe
PID 3572 wrote to memory of 5244	3572	net.exe	net1.exe
PID 3572 wrote to memory of 5244	3572	net.exe	net1.exe
PID 620 wrote to memory of 15872	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 15872	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 15872	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 15872 wrote to memory of 16924	15872	net.exe	net1.exe
PID 15872 wrote to memory of 16924	15872	net.exe	net1.exe
PID 15872 wrote to memory of 16924	15872	net.exe	net1.exe
PID 620 wrote to memory of 17544	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 17544	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 17544	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 17544 wrote to memory of 17824	17544	net.exe	net1.exe
PID 17544 wrote to memory of 17824	17544	net.exe	net1.exe
PID 17544 wrote to memory of 17824	17544	net.exe	net1.exe
PID 620 wrote to memory of 11848	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 11848	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 11848	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 11848 wrote to memory of 11900	11848	net.exe	net1.exe
PID 11848 wrote to memory of 11900	11848	net.exe	net1.exe
PID 11848 wrote to memory of 11900	11848	net.exe	net1.exe
PID 620 wrote to memory of 12924	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 12924	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 620 wrote to memory of 12924	620	aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe	net.exe
PID 12924 wrote to memory of 12976	12924	net.exe	net1.exe
PID 12924 wrote to memory of 12976	12924	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
"C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
"C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe"
2⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe
"C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe" 8 LAN
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe
"C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe" 8 LAN
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
5⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
6⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 8264
5⤵
- Program crash
PID:16812

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:3788

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:4704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:3048

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:15872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:16924

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:17544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:17824

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:11848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:11900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:12924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:12976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1472 -ip 1472
1⤵
PID:15476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
3b40f517a25611205b0ba7af8ae225f1

SHA1
aa7e89f3d1202b37ff89d629ebe10dae8c4e14db

SHA256
385752904c61abf42b315b172c40b4a50d50cc58c94077cff0815c834e1ac013

SHA512
8d17239868ef33175214e14fc5ad245c9d5505deaf8747c079e6e05bca1c77e62bbacc5af8519dccae63b8d4e959ed32d3748d62de1aa3f7b256c35524af9f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe
MD5
50cc057a164640715e70a43979175a3f

SHA1
690d83a764b7f4b65232e25c410c02cc5901ad72

SHA256
aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5

SHA512
ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe
MD5
50cc057a164640715e70a43979175a3f

SHA1
690d83a764b7f4b65232e25c410c02cc5901ad72

SHA256
aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5

SHA512
ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe
MD5
50cc057a164640715e70a43979175a3f

SHA1
690d83a764b7f4b65232e25c410c02cc5901ad72

SHA256
aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5

SHA512
ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

Download Submit
memory/620-131-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1472-135-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/3696-130-0x0000000002300000-0x0000000002333000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads