Analysis

max time kernel: 154s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 06-03-2022 06:51

Static task: static1

Behavioral task: behavioral1
Sample: aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
Resource: win10v2004-en-20220113
General

Target: aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
Size: 808KB
MD5: 50cc057a164640715e70a43979175a3f
SHA1: 690d83a764b7f4b65232e25c410c02cc5901ad72
SHA256: aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
SHA512: ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2
Malware Config

Extracted from: C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Family: ryuk
Contact e-mail: unumschooler1972@protonmail.com
(The same configuration appears twice in the original report; it is shown once here.)
Signatures

- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.

- Executes dropped EXE (2 IoCs)
  Processes:
    pid 2304  qydJmMi.exe
    pid 1472  qydJmMi.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    by aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
    by qydJmMi.exe

- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
    File opened (read-only): \??\a:  by aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
    File opened (read-only): \??\A:  by aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

- Suspicious use of SetThreadContext (2 IoCs)
  In both cases a parent sets the thread context of a freshly spawned copy of its own image, which together with the WriteProcessMemory and MapViewOfSection records below is the pattern that process hollowing leaves behind:
    PID 3696 set thread context of 620   aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe -> aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
    PID 2304 set thread context of 1472  qydJmMi.exe -> qydJmMi.exe
- Drops file in Program Files directory (64 IoCs)
  All entries are "File opened for modification" by aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe. Ten of the 64 are RyukReadMe.html ransom notes written into the directories the encryptor visited; the rest are existing files opened for modification (encryption targets). The report caps the list at 64 entries.
    - C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms
    - C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR
    - C:\Program Files\Microsoft Office\root\Templates\1033\PersonalMonthlyBudget.xltx
    - C:\Program Files\Common Files\System\ado\msado26.tlb
    - C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms
    - C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\RyukReadMe.html
    - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_EN.LEX
    - C:\Program Files\Java\jdk1.8.0_66\jre\RyukReadMe.html
    - C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms
    - C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt
    - C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx
    - C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.html
    - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\RyukReadMe.html
    - C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml
    - C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms
    - C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB
    - C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms
    - C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js
    - C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat
    - C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML
    - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\RyukReadMe.html
    - C:\Program Files\Common Files\System\msadc\ja-JP\RyukReadMe.html
    - C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h
    - C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms
    - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp32.msi
    - C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms
    - C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png
    - C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms
    - C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050
    - C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF
    - C:\Program Files\7-Zip\Lang\az.txt
    - C:\Program Files\7-Zip\Lang\pt.txt
    - C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms
    - C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml
    - C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml
    - C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms
    - C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms
    - C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009
    - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml
    - C:\Program Files\Common Files\microsoft shared\ink\pt-BR\RyukReadMe.html
    - C:\Program Files\Java\jdk1.8.0_66\include\win32\jawt_md.h
    - C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms
    - C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARABD.TTF
    - C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYHBD.TTC
    - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\WordCapabilities.json
    - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.ELM
    - C:\Program Files\Microsoft Office\FileSystemMetadata.xml
    - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml
    - C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms
    - C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\RyukReadMe.html
    - C:\Program Files\Common Files\microsoft shared\ink\pt-PT\RyukReadMe.html
    - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\RyukReadMe.html
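The two things the report shows around the ransom note, the config extraction from RyukReadMe.html and the note being written into each directory the encryptor visited, as an added Python example for triaging a recovered file tree. This is not the sandbox's extractor: it locates every copy of the note, groups identical copies by SHA-256, pulls the contact address out of them, and tallies which directories received one. The fixture tree and the note's HTML body are constructed for the example; only the directory names and the e-mail address come from the report.

```python
"""Ransom-note triage: find every copy of the note the encryptor left behind,
collapse identical copies, and pull the contact address out of them.
Added example for this report; it is not the sandbox's own config extractor."""
import hashlib
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "RyukReadMe.html"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed fixture: three directories the report shows a note being written
# to, plus one that only holds an existing file.  The note body is made up for
# this example; only the e-mail address is the one the report extracted.
NOTE_BODY = "<html><body><p>contact: unumschooler1972@protonmail.com</p></body></html>"
NOTE_DIRS = [
    os.path.join("Program Files", "Microsoft Office", "root", "Office16", "MSIPC", "ko"),
    os.path.join("Program Files", "Java", "jdk1.8.0_66", "jre"),
    os.path.join("Program Files", "Common Files", "System", "ado", "en-US"),
]
NO_NOTE_DIR = os.path.join("Program Files", "7-Zip", "Lang")


def build_fixture(root):
    """Lay the constructed tree out under root and return root."""
    for d in NOTE_DIRS:
        full = os.path.join(root, d)
        os.makedirs(full, exist_ok=True)
        with open(os.path.join(full, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(NOTE_BODY)
    full = os.path.join(root, NO_NOTE_DIR)
    os.makedirs(full, exist_ok=True)
    with open(os.path.join(full, "az.txt"), "w", encoding="utf-8") as fh:
        fh.write("placeholder\n")
    return root


def find_notes(root, name=NOTE_NAME):
    """Every file under root whose basename matches the note name (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def extract_config(note_paths):
    """Group notes by SHA-256 so each distinct note text is one entry; the entry
    carries the e-mail addresses found and how many copies were dropped."""
    cfg = {}
    for p in note_paths:
        with open(p, "rb") as fh:
            data = fh.read()
        digest = hashlib.sha256(data).hexdigest()
        entry = cfg.setdefault(digest, {"emails": [], "count": 0})
        entry["count"] += 1
        found = EMAIL_RE.findall(data.decode("utf-8", "replace"))
        entry["emails"] = sorted(set(entry["emails"]) | set(found))
    return cfg


def coverage(root, note_paths):
    """Notes per two-level prefix below root (e.g. 'Program Files/Java'): a quick
    map of where the encryptor went."""
    c = Counter()
    for p in note_paths:
        parts = os.path.relpath(p, root).split(os.sep)
        c["/".join(parts[:2])] += 1
    return c


def run_demo():
    """Build the fixture in a temp dir and return (notes, config, coverage)."""
    root = build_fixture(tempfile.mkdtemp(prefix="ryuk_triage_"))
    notes = find_notes(root)
    return notes, extract_config(notes), coverage(root, notes)


if __name__ == "__main__":
    notes, cfg, cov = run_demo()
    print(f"{len(notes)} note(s) found")
    for digest, entry in cfg.items():
        print(f"note {digest[:12]}... x{entry['count']}: {', '.join(entry['emails'])}")
    print(dict(cov))
```

Grouping by digest matters on a real host: a single note text dropped into thousands of directories collapses to one config entry, while a second distinct note (a different campaign, or a tampered copy) shows up as its own entry instead of being averaged away.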
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoC)
  Processes:
    pid 16812  WerFault.exe  target pid 1472  qydJmMi.exe

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid 620   aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe  (12 occurrences)
    pid 1472  qydJmMi.exe  (2 occurrences)

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid 3696  aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
    pid 2304  qydJmMi.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Enabling SeBackupPrivilege lets a process open files for reading regardless of their ACLs, which widens the set of files the encryptor can reach.
  Processes:
    Token: SeBackupPrivilege  pid 620   aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
    Token: SeBackupPrivilege  pid 1472  qydJmMi.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid 3696  aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe  (2 occurrences)
    pid 2304  qydJmMi.exe  (2 occurrences)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Grouped by source -> target pid, with the process names and the number of records for each pair. The net.exe -> net1.exe pairs show the baseline that ordinary process creation produces here (a few writes into the new child); the pairs to read alongside SetThreadContext are 3696 -> 620 and 2304 -> 1472, where a parent writes into a child running its own image. The list stops at 64 records, so the final pair is most likely truncated.
    3696  -> 620    aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe -> aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe  (4)
    620   -> 2304   aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe -> qydJmMi.exe  (3)
    620   -> 2716   aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe -> net.exe  (3)
    620   -> 3860   aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe -> net.exe  (3)
    2716  -> 3788   net.exe -> net1.exe  (3)
    3860  -> 4704   net.exe -> net1.exe  (3)
    2304  -> 1472   qydJmMi.exe -> qydJmMi.exe  (4)
    620   -> 4560   aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe -> net.exe  (3)
    4560  -> 3048   net.exe -> net1.exe  (3)
    620   -> 4328   aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe -> net.exe  (3)
    4328  -> 1900   net.exe -> net1.exe  (3)
    1472  -> 3572   qydJmMi.exe -> net.exe  (3)
    3572  -> 5244   net.exe -> net1.exe  (3)
    620   -> 15872  aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe -> net.exe  (3)
    15872 -> 16924  net.exe -> net1.exe  (3)
    620   -> 17544  aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe -> net.exe  (3)
    17544 -> 17824  net.exe -> net1.exe  (3)
    620   -> 11848  aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe -> net.exe  (3)
    11848 -> 11900  net.exe -> net1.exe  (3)
    620   -> 12924  aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe -> net.exe  (3)
    12924 -> 12976  net.exe -> net1.exe  (2, list truncated)
Processes

PIDs are given where the Signatures section ties them to a process. The eight net.exe children of PID 620 are not individually numbered in the report; their pids appear only in the WriteProcessMemory list (2716, 3860, 4560, 4328, 15872, 17544, 11848, 12924). Image paths sit under SysWOW64 while the command lines name System32 because the sample is 32-bit and its System32 references are redirected by WOW64 file system redirection.

- C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe  (PID 3696)
  "C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe  (PID 620)
    "C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe"
    - Checks computer location settings
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe  (PID 2304)
      "C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe" 8 LAN
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe  (PID 1472)
        "C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe" 8 LAN
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net.exe  (PID 3572)
          "C:\Windows\System32\net.exe" stop "samss" /y
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net1.exe  (PID 5244)
            C:\Windows\system32\net1 stop "samss" /y
        - C:\Windows\SysWOW64\WerFault.exe  (PID 16812)
          C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 8264
          - Program crash
    - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
    - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
    - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
    - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
    - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
    - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1472 -ip 1472
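The Signatures section and the process tree above describe three things worth automating: the parent-to-same-image-child injection chain, the lineage that ties every net.exe back to the original sample, and the `net stop` service kills. Added Python example, not the sandbox's own code: it parses IoC records in the one-line layout used above, flags the (source, target) pairs that combine a memory write with SetThreadContext into a child running the same image, rebuilds a parent map from the write records, and extracts the stopped service names from command lines. The input is constructed from the report's own PIDs, image names and command lines; the one assumption is pairing PID 2716 with the "audioendpointbuilder" command line, which the report does not number.

```python
"""Rebuild injection and service-stop activity from flattened sandbox IoC lines.
Added example for this report; it is not the sandbox's own code."""
import re
from collections import Counter, defaultdict

SAMPLE = "aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe"
DROPPED = "qydJmMi.exe"

# Constructed input in the report's one-line-per-IoC layout.  PIDs, images and
# command lines are the report's own, except that pairing PID 2716 with the
# "audioendpointbuilder" command line is an assumption made for this example.
IOC_LINES = [
    f"PID 3696 set thread context of 620 3696 {SAMPLE} {SAMPLE}",
    f"PID 2304 set thread context of 1472 2304 {DROPPED} {DROPPED}",
    f"PID 3696 wrote to memory of 620 3696 {SAMPLE} {SAMPLE}",
    f"PID 3696 wrote to memory of 620 3696 {SAMPLE} {SAMPLE}",
    f"PID 620 wrote to memory of 2304 620 {SAMPLE} {DROPPED}",
    f"PID 620 wrote to memory of 2716 620 {SAMPLE} net.exe",
    "PID 2716 wrote to memory of 3788 2716 net.exe net1.exe",
    f"PID 2304 wrote to memory of 1472 2304 {DROPPED} {DROPPED}",
    f"PID 1472 wrote to memory of 3572 1472 {DROPPED} net.exe",
    "not an ioc record at all",
]
COMMAND_LINES = {
    3572: '"C:\\Windows\\System32\\net.exe" stop "samss" /y',
    2716: '"C:\\Windows\\System32\\net.exe" stop "audioendpointbuilder" /y',  # pairing assumed
    2304: '"C:\\Users\\Admin\\AppData\\Local\\Temp\\qydJmMi.exe" 8 LAN',
}

IOC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?(?P<svc>[^"\s]+)', re.IGNORECASE)


def parse_iocs(lines):
    """One dict per well-formed record; anything else is skipped."""
    events = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            events.append(e)
    return events


def find_hollowing(events):
    """Self-image hollowing: a parent both writes into and sets the thread context
    of a child running the same image.  Returns sorted (src, dst, image) tuples."""
    actions, images = defaultdict(set), {}
    for e in events:
        key = (e["src"], e["dst"])
        actions[key].add(e["action"])
        images[key] = (e["src_img"], e["dst_img"])
    needed = {"set thread context of", "wrote to memory of"}
    return sorted(
        (src, dst, images[(src, dst)][0])
        for (src, dst), acts in actions.items()
        if needed <= acts and images[(src, dst)][0].lower() == images[(src, dst)][1].lower()
    )


def write_counts(events):
    """Writes per (src, dst).  Ordinary process creation also shows up as a few
    writes into the new child (see net.exe -> net1.exe), so the count alone is no signal."""
    return Counter((e["src"], e["dst"]) for e in events if e["action"] == "wrote to memory of")


def parent_map(events):
    """Treat the first process that writes into a PID as its creator."""
    parents = {}
    for e in events:
        if e["action"] == "wrote to memory of":
            parents.setdefault(e["dst"], e["src"])
    return parents


def lineage(pid, parents):
    """[pid, parent, grandparent, ...] up to the root, guarding against cycles."""
    chain, seen = [pid], {pid}
    while chain[-1] in parents and parents[chain[-1]] not in seen:
        chain.append(parents[chain[-1]])
        seen.add(chain[-1])
    return chain


def find_service_stops(cmdlines, watchlist=("samss", "audioendpointbuilder")):
    """{pid: service} for every 'net stop <svc>' whose service is on the watchlist."""
    hits = {}
    for pid, cmd in cmdlines.items():
        m = NET_STOP_RE.search(cmd)
        if m and m.group("svc").lower() in watchlist:
            hits[pid] = m.group("svc").lower()
    return hits


if __name__ == "__main__":
    evts = parse_iocs(IOC_LINES)
    parents = parent_map(evts)
    for src, dst, img in find_hollowing(evts):
        print(f"hollowing candidate: {src} -> {dst} ({img})")
    for pid, svc in sorted(find_service_stops(COMMAND_LINES).items()):
        print(f"pid {pid} stops service {svc}; lineage {lineage(pid, parents)}")
```

The watchlist is deliberately just the two services this report shows being stopped; on a real estate it should be extended with the backup, database and AV services an encryptor typically targets, and the `lineage` output is what lets a responder tell a `net stop` spawned from a packed copy in a user's Temp directory apart from one run by an administrator.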
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
  (a CryptoAPI machine key container; files in this directory are created when a process persists a machine keyset)
  MD5: 93a5aadeec082ffc1bca5aa27af70f52
  SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
  SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
  SHA512: df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

- C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
  MD5: 3b40f517a25611205b0ba7af8ae225f1
  SHA1: aa7e89f3d1202b37ff89d629ebe10dae8c4e14db
  SHA256: 385752904c61abf42b315b172c40b4a50d50cc58c94077cff0815c834e1ac013
  SHA512: 8d17239868ef33175214e14fc5ad245c9d5505deaf8747c079e6e05bca1c77e62bbacc5af8519dccae63b8d4e959ed32d3748d62de1aa3f7b256c35524af9f52

- C:\Users\Admin\AppData\Local\Temp\qydJmMi.exe
  (listed three times in the original report with identical hashes, shown once here; the digests are exactly those of the submitted sample, so the dropped qydJmMi.exe is a byte-for-byte copy of aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe and any file-hash detection for the sample covers the drop as well)
  MD5: 50cc057a164640715e70a43979175a3f
  SHA1: 690d83a764b7f4b65232e25c410c02cc5901ad72
  SHA256: aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
  SHA512: ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

- memory/620-131-0x0000000030000000-0x0000000030170000-memory.dmp
  Filesize: 1.4MB
- memory/1472-135-0x0000000030000000-0x0000000030170000-memory.dmp
  Filesize: 1.4MB
- memory/3696-130-0x0000000002300000-0x0000000002333000-memory.dmp
  Filesize: 204KB
  (the same 1.4MB region at 0x30000000 is dumped from both injected children, PIDs 620 and 1472, while the first-stage parent 3696 yields only a 204KB region)