Analysis
-
max time kernel
176s -
max time network
181s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
01-09-2022 23:44
Static task
static1
Behavioral task
behavioral1
Sample
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Resource
win10v2004-20220812-en
General
-
Target
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
-
Size
119KB
-
MD5
c68395e474088d5339972e2bf5a30f3c
-
SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3
-
SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
-
SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
-
SSDEEP
1536:j/t3fhrg5rw0lQa2+T37us7RidSkPq9IiJ/EXrAyPca7m94nqHBmQSsWZcdH2kB/:lG55XP0Vq9IiKXrxkKNqHBmEHNVKA
Malware Config
Extracted
C:\users\Public\RyukReadMe.html
ryuk
http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Executes dropped EXE 3 IoCs
Processes:
eKOOBlncorep.exepxpvXGULvlan.exepnCURCWNSlan.exepid process 2144 eKOOBlncorep.exe 4644 pxpvXGULvlan.exe 11744 pnCURCWNSlan.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
icacls.exeicacls.exepid process 36396 icacls.exe 36408 icacls.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe -
Drops file in Program Files directory 64 IoCs
Processes:
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\RyukReadMe.html 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\MSOEURO.DLL 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\openssl64.dlla.manifest 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWDAT.DLL 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ppd.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\javafx-mx.jar 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_TW.properties 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ru-RU\RyukReadMe.html 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_TW.properties 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\RyukReadMe.html 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment@3x.png 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\RyukReadMe.html 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\7-Zip\Lang\sa.txt 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\RyukReadMe.html 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\7-Zip\Lang\hr.txt 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\currency.data 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\RyukReadMe.html 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 205712 11744 WerFault.exe pnCURCWNSlan.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exepid process 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exenet.exenet.exenet.exenet.exedescription pid process target process PID 4888 wrote to memory of 2144 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe eKOOBlncorep.exe PID 4888 wrote to memory of 2144 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe eKOOBlncorep.exe PID 4888 wrote to memory of 2144 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe eKOOBlncorep.exe PID 4888 wrote to memory of 4644 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe pxpvXGULvlan.exe PID 4888 wrote to memory of 4644 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe pxpvXGULvlan.exe PID 4888 wrote to memory of 4644 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe pxpvXGULvlan.exe PID 4888 wrote to memory of 11744 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe pnCURCWNSlan.exe PID 4888 wrote to memory of 11744 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe pnCURCWNSlan.exe PID 4888 wrote to memory of 11744 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe pnCURCWNSlan.exe PID 4888 wrote to memory of 36396 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe icacls.exe PID 4888 wrote to memory of 36396 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe icacls.exe PID 4888 wrote to memory of 36396 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe icacls.exe PID 4888 wrote to memory of 36408 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe icacls.exe PID 4888 wrote to memory of 36408 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe icacls.exe PID 4888 wrote to memory of 36408 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe icacls.exe PID 4888 wrote to memory of 74388 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 4888 wrote to memory of 74388 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 4888 wrote to memory of 74388 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 4888 wrote to memory of 74400 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 4888 wrote to memory of 74400 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 4888 wrote to memory of 74400 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 4888 wrote to memory of 74556 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 4888 wrote to memory of 74556 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 4888 wrote to memory of 74556 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 4888 wrote to memory of 74548 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 4888 wrote to memory of 74548 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 4888 wrote to memory of 74548 4888 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe net.exe PID 74388 wrote to memory of 78252 74388 net.exe net1.exe PID 74388 wrote to memory of 78252 74388 net.exe net1.exe PID 74388 wrote to memory of 78252 74388 net.exe net1.exe PID 74556 wrote to memory of 78268 74556 net.exe net1.exe PID 74556 wrote to memory of 78268 74556 net.exe net1.exe PID 74556 wrote to memory of 78268 74556 net.exe net1.exe PID 74548 wrote to memory of 78260 74548 net.exe net1.exe PID 74548 wrote to memory of 78260 74548 net.exe net1.exe PID 74548 wrote to memory of 78260 74548 net.exe net1.exe PID 74400 wrote to memory of 78276 74400 net.exe net1.exe PID 74400 wrote to memory of 78276 74400 net.exe net1.exe PID 74400 wrote to memory of 78276 74400 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe"C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\eKOOBlncorep.exe"C:\Users\Admin\AppData\Local\Temp\eKOOBlncorep.exe" 9 REP2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\pxpvXGULvlan.exe"C:\Users\Admin\AppData\Local\Temp\pxpvXGULvlan.exe" 8 LAN2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\pnCURCWNSlan.exe"C:\Users\Admin\AppData\Local\Temp\pnCURCWNSlan.exe" 8 LAN2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11744 -s 135323⤵
- Program crash
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 11744 -ip 117441⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\RyukReadMe.htmlFilesize
1KB
MD598d3b55cce54a33a6648f5b02a11f65d
SHA18c0fd3cb0ab6b4bf962199b2187d0984490fa8ef
SHA256807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131
SHA5129e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15
-
C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\RyukReadMe.htmlFilesize
1KB
MD598d3b55cce54a33a6648f5b02a11f65d
SHA18c0fd3cb0ab6b4bf962199b2187d0984490fa8ef
SHA256807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131
SHA5129e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15
-
C:\DumpStack.log.tmp.RYKFilesize
8KB
MD5bdd2373e6fe9c2b28e334ec8ee0c49a6
SHA1ed616bfc377bfd1cc55efd6e6943d75e5e50a043
SHA2565cf1f6517b6373b1d37dfe9fb28cd0385061e007c349eb5f35717ce64baf0ee7
SHA512149d6690406941ec9dde363e14cb6a8808134e13a9e569448a7928587d4d6c738c1461471751c3a803e55787471ee99e71a24348e1aeebf756e5fd6f6d833e33
-
C:\PerfLogs\RyukReadMe.htmlFilesize
1KB
MD598d3b55cce54a33a6648f5b02a11f65d
SHA18c0fd3cb0ab6b4bf962199b2187d0984490fa8ef
SHA256807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131
SHA5129e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15
-
C:\RyukReadMe.htmlFilesize
1KB
MD598d3b55cce54a33a6648f5b02a11f65d
SHA18c0fd3cb0ab6b4bf962199b2187d0984490fa8ef
SHA256807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131
SHA5129e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15
-
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.htmlFilesize
1KB
MD598d3b55cce54a33a6648f5b02a11f65d
SHA18c0fd3cb0ab6b4bf962199b2187d0984490fa8ef
SHA256807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131
SHA5129e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15
-
C:\Users\Admin\AppData\Local\Temp\eKOOBlncorep.exeFilesize
119KB
MD5c68395e474088d5339972e2bf5a30f3c
SHA1502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA2569eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA5125320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
-
C:\Users\Admin\AppData\Local\Temp\eKOOBlncorep.exeFilesize
119KB
MD5c68395e474088d5339972e2bf5a30f3c
SHA1502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA2569eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA5125320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
-
C:\Users\Admin\AppData\Local\Temp\pnCURCWNSlan.exeFilesize
119KB
MD5c68395e474088d5339972e2bf5a30f3c
SHA1502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA2569eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA5125320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
-
C:\Users\Admin\AppData\Local\Temp\pnCURCWNSlan.exeFilesize
119KB
MD5c68395e474088d5339972e2bf5a30f3c
SHA1502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA2569eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA5125320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
-
C:\Users\Admin\AppData\Local\Temp\pxpvXGULvlan.exeFilesize
119KB
MD5c68395e474088d5339972e2bf5a30f3c
SHA1502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA2569eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA5125320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
-
C:\Users\Admin\AppData\Local\Temp\pxpvXGULvlan.exeFilesize
119KB
MD5c68395e474088d5339972e2bf5a30f3c
SHA1502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA2569eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA5125320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
-
C:\Users\RyukReadMe.htmlFilesize
1KB
MD598d3b55cce54a33a6648f5b02a11f65d
SHA18c0fd3cb0ab6b4bf962199b2187d0984490fa8ef
SHA256807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131
SHA5129e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15
-
C:\odt\RyukReadMe.htmlFilesize
1KB
MD598d3b55cce54a33a6648f5b02a11f65d
SHA18c0fd3cb0ab6b4bf962199b2187d0984490fa8ef
SHA256807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131
SHA5129e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15
-
C:\odt\config.xml.RYKFilesize
978B
MD51edd6777d04d26fecd25b751796ec078
SHA16ce0df88f834834f317cbd473d11b113ba9df50a
SHA2569b945b750a87cad966a682e51e6da3d3ade9bfb9556e5a5a3772b581a928ee1c
SHA512c44aa048b645357d36828e363dd1ae0105e9d7b0c30ae23d0c6679c495b090ded40cd9610ee85a9a6ae3393c5b3520d6f3c2f27de950a55a7d1f2bb6d71c130a
-
C:\users\Public\RyukReadMe.htmlFilesize
1KB
MD598d3b55cce54a33a6648f5b02a11f65d
SHA18c0fd3cb0ab6b4bf962199b2187d0984490fa8ef
SHA256807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131
SHA5129e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15
-
memory/2144-132-0x0000000000000000-mapping.dmp
-
memory/4644-135-0x0000000000000000-mapping.dmp
-
memory/11744-138-0x0000000000000000-mapping.dmp
-
memory/36396-142-0x0000000000000000-mapping.dmp
-
memory/36408-143-0x0000000000000000-mapping.dmp
-
memory/74388-153-0x0000000000000000-mapping.dmp
-
memory/74400-154-0x0000000000000000-mapping.dmp
-
memory/74548-156-0x0000000000000000-mapping.dmp
-
memory/74556-155-0x0000000000000000-mapping.dmp
-
memory/78252-157-0x0000000000000000-mapping.dmp
-
memory/78260-159-0x0000000000000000-mapping.dmp
-
memory/78268-158-0x0000000000000000-mapping.dmp
-
memory/78276-160-0x0000000000000000-mapping.dmp