ryuk | 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

Analysis

max time kernel
176s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2022 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Size

119KB
MD5

c68395e474088d5339972e2bf5a30f3c
SHA1

502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA256

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA512

5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
SSDEEP

1536:j/t3fhrg5rw0lQa2+T37us7RidSkPq9IiJ/EXrAyPca7m94nqHBmQSsWZcdH2kB/:lG55XP0Vq9IiKXrxkKNqHBmEHNVKA

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

eKOOBlncorep.exepxpvXGULvlan.exepnCURCWNSlan.exe

pid process

2144 eKOOBlncorep.exe
4644 pxpvXGULvlan.exe
11744 pnCURCWNSlan.exe

pid	process
2144	eKOOBlncorep.exe
4644	pxpvXGULvlan.exe
11744	pnCURCWNSlan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

36396 icacls.exe
36408 icacls.exe

pid	process
36396	icacls.exe
36408	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Drops file in Program Files directory 64 IoCs

Processes:

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\MSOEURO.DLL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\openssl64.dlla.manifest	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWDAT.DLL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ppd.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\javafx-mx.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_TW.properties	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_TW.properties	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment@3x.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\currency.data	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

205712 11744 WerFault.exe pnCURCWNSlan.exe
Runs net.exe

pid	pid_target	process	target process
205712	11744	WerFault.exe	pnCURCWNSlan.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

pid	process
4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4888 wrote to memory of 2144	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	eKOOBlncorep.exe
PID 4888 wrote to memory of 2144	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	eKOOBlncorep.exe
PID 4888 wrote to memory of 2144	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	eKOOBlncorep.exe
PID 4888 wrote to memory of 4644	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	pxpvXGULvlan.exe
PID 4888 wrote to memory of 4644	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	pxpvXGULvlan.exe
PID 4888 wrote to memory of 4644	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	pxpvXGULvlan.exe
PID 4888 wrote to memory of 11744	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	pnCURCWNSlan.exe
PID 4888 wrote to memory of 11744	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	pnCURCWNSlan.exe
PID 4888 wrote to memory of 11744	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	pnCURCWNSlan.exe
PID 4888 wrote to memory of 36396	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 4888 wrote to memory of 36396	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 4888 wrote to memory of 36396	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 4888 wrote to memory of 36408	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 4888 wrote to memory of 36408	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 4888 wrote to memory of 36408	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 4888 wrote to memory of 74388	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 4888 wrote to memory of 74388	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 4888 wrote to memory of 74388	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 4888 wrote to memory of 74400	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 4888 wrote to memory of 74400	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 4888 wrote to memory of 74400	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 4888 wrote to memory of 74556	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 4888 wrote to memory of 74556	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 4888 wrote to memory of 74556	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 4888 wrote to memory of 74548	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 4888 wrote to memory of 74548	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 4888 wrote to memory of 74548	4888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 74388 wrote to memory of 78252	74388	net.exe	net1.exe
PID 74388 wrote to memory of 78252	74388	net.exe	net1.exe
PID 74388 wrote to memory of 78252	74388	net.exe	net1.exe
PID 74556 wrote to memory of 78268	74556	net.exe	net1.exe
PID 74556 wrote to memory of 78268	74556	net.exe	net1.exe
PID 74556 wrote to memory of 78268	74556	net.exe	net1.exe
PID 74548 wrote to memory of 78260	74548	net.exe	net1.exe
PID 74548 wrote to memory of 78260	74548	net.exe	net1.exe
PID 74548 wrote to memory of 78260	74548	net.exe	net1.exe
PID 74400 wrote to memory of 78276	74400	net.exe	net1.exe
PID 74400 wrote to memory of 78276	74400	net.exe	net1.exe
PID 74400 wrote to memory of 78276	74400	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
"C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\eKOOBlncorep.exe
"C:\Users\Admin\AppData\Local\Temp\eKOOBlncorep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:2144

C:\Users\Admin\AppData\Local\Temp\pxpvXGULvlan.exe
"C:\Users\Admin\AppData\Local\Temp\pxpvXGULvlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:4644

C:\Users\Admin\AppData\Local\Temp\pnCURCWNSlan.exe
"C:\Users\Admin\AppData\Local\Temp\pnCURCWNSlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:11744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11744 -s 13532
3⤵
- Program crash
PID:205712

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:36396

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:36408

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:74388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:78252

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:74400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:78276

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:74556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:78268

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:74548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:78260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 11744 -ip 11744
1⤵
PID:196784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\DumpStack.log.tmp.RYK
Filesize
8KB

MD5
bdd2373e6fe9c2b28e334ec8ee0c49a6

SHA1
ed616bfc377bfd1cc55efd6e6943d75e5e50a043

SHA256
5cf1f6517b6373b1d37dfe9fb28cd0385061e007c349eb5f35717ce64baf0ee7

SHA512
149d6690406941ec9dde363e14cb6a8808134e13a9e569448a7928587d4d6c738c1461471751c3a803e55787471ee99e71a24348e1aeebf756e5fd6f6d833e33

Download Submit
C:\PerfLogs\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKOOBlncorep.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKOOBlncorep.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnCURCWNSlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnCURCWNSlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxpvXGULvlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxpvXGULvlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\odt\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\odt\config.xml.RYK
Filesize
978B

MD5
1edd6777d04d26fecd25b751796ec078

SHA1
6ce0df88f834834f317cbd473d11b113ba9df50a

SHA256
9b945b750a87cad966a682e51e6da3d3ade9bfb9556e5a5a3772b581a928ee1c

SHA512
c44aa048b645357d36828e363dd1ae0105e9d7b0c30ae23d0c6679c495b090ded40cd9610ee85a9a6ae3393c5b3520d6f3c2f27de950a55a7d1f2bb6d71c130a

Download Submit
C:\users\Public\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
memory/2144-132-0x0000000000000000-mapping.dmp

Download
memory/4644-135-0x0000000000000000-mapping.dmp

Download
memory/11744-138-0x0000000000000000-mapping.dmp

Download
memory/36396-142-0x0000000000000000-mapping.dmp

Download
memory/36408-143-0x0000000000000000-mapping.dmp

Download
memory/74388-153-0x0000000000000000-mapping.dmp

Download
memory/74400-154-0x0000000000000000-mapping.dmp

Download
memory/74548-156-0x0000000000000000-mapping.dmp

Download
memory/74556-155-0x0000000000000000-mapping.dmp

Download
memory/78252-157-0x0000000000000000-mapping.dmp

Download
memory/78260-159-0x0000000000000000-mapping.dmp

Download
memory/78268-158-0x0000000000000000-mapping.dmp

Download
memory/78276-160-0x0000000000000000-mapping.dmp

Download