3ed8d78ab08965d89d0cb0c2d6e1e713af0945e671d0c5dfa5057af6522f67ee

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
Size

22.0MB
MD5

2c87df27a464c8dacc76d59e9ec5e2c2
SHA1

3fcbb9e46ade3a28b40d193d1a4fd2d004def7be
SHA256

3ed8d78ab08965d89d0cb0c2d6e1e713af0945e671d0c5dfa5057af6522f67ee
SHA512

f113ebdbe81bc5c1323dc88a0d3f1b2087b4fd8424bf5fed2eea3ee1f049a55cae03553214a5cb4df8bd5e56d8d774b8f8a91afd389941e47e1051fe2b56eea8
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzM9:9nwngnwn8

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (659) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
4248	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\O:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\Q:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\S:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\Y:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\N:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\U:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\B:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\E:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\H:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\I:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\J:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\R:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\T:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\V:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\Z:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\K:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\M:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\W:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\G:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\X:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OPTINPS.DLL.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-timezone-l1-1-0.dll.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.ELM.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vcruntime140.dll.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp120.dll.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Excel.BackEnd.dll.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.boot.tree.dat.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\JPEGIM32.FLT.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.exe	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 4248	3424	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe	80
PID 3424 wrote to memory of 4248	3424	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe	80
PID 3424 wrote to memory of 4248	3424	NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe	80

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_2c87df27a464c8dacc76d59e9ec5e2c2_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2231940048-779848787-2990559741-1000\desktop.ini.exe

Filesize
21.4MB

MD5
05845fd89d4b42f8963570b59255995f

SHA1
3e81c3f95b04451a5bb81b867cbe4293ab274bf3

SHA256
bd90544bc97621944f76737199c9f702ee4f02ce13bab0c3fda424e3ccd05ec8

SHA512
28fd07d539eac7e49bee5179070756c1ffc71d510c1bf85544d1530a23aa9ad70636b428018d6ea526b476d70783c166f269c2fe6a3b2f0daaec09a61677377c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
079c5979b63c32326273a0f1490240ef

SHA1
70dcb81d381ec6d61796a1ef2e7cfa2381f85ce4

SHA256
1e4551a5a3b63c554351e8ba505b0e4d01867c84f21f3bd974ac2df2a0cf549e

SHA512
cbd6c644a8303319b6d64c327c398cdc0f313366dfd533a13245224430feb15c46e8d77703526e4080632a4dfdbd24edb233f9f7d05549787b25986c40ee1ee9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b7b119cb7182365b570a0e6a96ed3022

SHA1
229a65f8b7bb1512d3691f82daa9422c8f908155

SHA256
0e7630b0d6927b862fdf4f2b93b1a5cd97806676c58f2a197cee7629e375d224

SHA512
1244d64f91365ff69f368250cc2050ecea6b277ded31c35eb30d5185095d2a09b3be98234cb82a54ae8ffa0b7598fae6528102e0dfd57b7c46c2fb9c71f471b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d24778b7c7e78f4a854b9ca86bed583c

SHA1
093bfbf45ec9511513c70cc9107f4b19831dd11a

SHA256
3e11c4ac041c2058ef43f1e41b86eb06495938b6bfa4d9be1c7a3b8a057b30c8

SHA512
4c93807718f75b975b46ca682f33b897f61889d27e1ce1fde2c0740969edf0a731417de6aa5a058ebaa59c05a4f5d1c88e08061922daf3e3dfd2a71de6fc424b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
47fb3d531b249c865322108ee96e9ee9

SHA1
5f361e5f41126244a2da073711b213e8858bf27d

SHA256
874f0df76437746b0913e595df535837966a23c095a36e8385a628cfd424891c

SHA512
22f708a8c4f88e82dc1b3a5a8d50db04ea91bb9f75401fd24b5fcf920c54d78fdcbd80c2397812ecb424d6f22d60bee2d2307d53be6df9b75cacd57eb3806c82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8fc1c682227ba1a46159c69ea1704f71

SHA1
1a99d84d62785ed9db56275002760cfef1a4cf32

SHA256
55cbe23004e878caa4670827af6cc413b69d929f2db1b86a985eb8286fd697b1

SHA512
283d56ad3c71ff5a2cecd4a1012141e70d7451c28bf5764a72d4b2f718d99f38e204674f60526f481588188c0d39f1ead57f8c713bcb1a66735397e43eb12f83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a9d4d6a9a6a1dbb4ebcbd03db586031d

SHA1
1484746bcecea7df6d6f62f869e2b94c1833bd53

SHA256
e78c155df1330b7dbd574045d8c0edf2f67453f67604781bd68492c5cb09e58b

SHA512
bbccd25d406f2e8f9423191fdedf2a0d4edd2f595555d03ade9499255c898a9afc512ade93265ac86bd920f184483f3f0b46f2c0f0585528e1987cec1865fdf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
070ba1a14d06658934ac22ee7dae7845

SHA1
d5795f7779c4ef2eb65467148f3a7a1679285c72

SHA256
ce1de2f891cb87908b9c1d3eead8be131e680d37bac434b9229f13ec70ab443a

SHA512
2b30747013da2fa4f89aeea6b4332fd74c8a48f5c4c69d879bf6eabcf432487449a14e23361dcfd902977b4057a0cb56b727a779b44a699e85d6ef1cff93d786

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c1407f4b44882ff8775c304bf682d152

SHA1
895734e76556ec81f3ae4cf99308bc6f6417d71e

SHA256
3a1594dc09f7da89b911d995694d7dd17758a62f56937c4c1e7698866c578aa5

SHA512
f99098a0be8f1886dd4a945a81c9eec0a3fae7f73421942b02859fed32b0e63f05422ac33766acfef40f7e7f2814407c2a9e031a0d0bc5b6dd9c0b5c24281335

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
43bff1b49fe287e9706f418ffc96c099

SHA1
28fd8355b0607f9b48d3253cdfbe1957c2f6a8cf

SHA256
afd50330b879567a0eadf173efc41e44a221a7ba77e4858365b320651cd236ff

SHA512
b527f5fd320dd4e49083a5e3010474da80443c7a2678cebaf22d713f772f8a57edd1b2852673bd85759562c6777923c48676945a2743f6151763dc396952dbcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8d7113703bf5a53bdc76a5de82629336

SHA1
d4468f3b973ad5028d343789ed93b251ec69e42a

SHA256
33385c19f2a67925001521f095c4210dd0f57f79800d89c6be6f8b7f6f106a27

SHA512
2ca80badcbf0b11520cf5c503a181e285d89b90a976685cecf052664d3a8de2dceee371a76c57af993423d073a05e77c71b51386db19d2ec8844cde57b3d8b8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
99c7164541fccf276317e2c2c143d8a7

SHA1
89d4faa15867b7fcdd802c62d6647f7f3304dce7

SHA256
a7d5f8befdfefc500f61e03e843afd2ba1cf9743bb0e0d18871948235162e9c4

SHA512
ad28016b9ba4c42fa8d557b9ad39847963fc38970a42dbe407b5a0e26694a546af673dd8e3e5cb63e1937295f892f64737ee278b2b1e2125eb1e0e3596ed4dfb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4952082f48f8ea691abba9710601c1f4

SHA1
24a6cfbbd739013eba1e1791ea5d544f2c93df9d

SHA256
82bd49f83af245b3844837b3ac584e81587d6b401117351557d88d8f4b475738

SHA512
ca07a93a52f3d9abd7a52c5fbda36cf06a51bb4668168e58088535d9180c0ead6ebe598bab51b192fcb446bb907eb75b0b72aecce9546e4898ab3365782f6243

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
877715e90e92ddc05ea403d1d0872638

SHA1
1170abb43bd430c2fdd4d6f1af350e7faf05f9dd

SHA256
d740c5f1a54bc8d2966590247a49c6784d26215742874a9c290109c5aa53426d

SHA512
0179827b76e1519b83b773d263454ba46f2dc53c2cbdc5a607f0e1a25854d1963c229b8e074b78c372e26bee3e29e379b1114a77c59478bb24d74d8c87a8b9dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
dcb875c9940c11598b3b41a229b5002f

SHA1
ab887ff011eb1a6f3d6a0f290ef46f53cbbbdd45

SHA256
ee9d64b08dac4cacf76af69f5165313c2f7c52c2929cdaf58b1e0c9365a61a90

SHA512
a2ad65546985c8ff0831570e2f87b183c9bc9675e6b5a4b66d201bd932da0de26e7af2a7aec31358e48874cf2d2d66aaa0194c7854c4f1d73e0850a1030a9160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
81824c460fd38660029783bb385db53b

SHA1
15f120ea590f851eb5af3d57ba75133bc33eef81

SHA256
cc4bc1f9b3e57329c5af5cf0ac0759829cd5332e9ac969784bc5eeb7b09cc7e9

SHA512
f2fde12206438d9b05b75b4c4c6e0cf4b88701757d0591c1126e5e3479842a5b2c58bfdea60ceade0ba90fcd110617eae81998c8d0c455dbb1aabbe415e803cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
45c584ccbd8d4d9b61a830bba7a44478

SHA1
af88f2d263216d254afe5f33f1bd7d2ec09f4520

SHA256
d9e7782bbb350b46d233edb7b13851748ec4b478da83b21964efc187d7e1a4dd

SHA512
6856d36031f48f6861493d4adf57b00643bf10fafe94d9713c0c163490192b381c48c054f50ddbae269f26f6dd429c36bce95bd49783583ab18227be8db875d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
dba7801651261bc904d3927784d9460e

SHA1
f7e65ac99f76280fca45ba50940ed2cb9e28f5a6

SHA256
0a665a1e8da64c8568b695eef3c99f53387bf4ccdabbe6283dcc328f66c12197

SHA512
891bf4ec45592a9b74a5276af8095dd7cc465e6de42cd528eab54339b839a216f3a0157f5fc23fc2a328d78cd3f825991a7b94b5b1d2e02c1544f0bba2a7da91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
37a03c0d229d6e45843a83030e29313d

SHA1
18c0227f6e5e06f4538dac385fedc3f76b9ca031

SHA256
f8c1a07c9f890a3fdb06ab86ac14fcc1ab4577530705f5ad33c0fd7aa9386409

SHA512
d37d73a682af19df1c7e8eff0c02a18da49762f8da17cfdf1f4d4c5a56c46a588672b034c85fc9e43d65ce3ba219bbfe59ff820dab63e8f27b65b8aae21afb75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c98ff2fff0e75c50985ad0eadb434966

SHA1
aea2226c1731d816a7eaddd29e3fd88673b9a033

SHA256
9334a4b294507b3e7056d406cb950edf605092abad3b9de7aacdf06f9a41e8fb

SHA512
d6d7e5f3867fa9d3b14ae2e3bd4a3f0ca155c462d5959c05027dd9a0c62158958af24b160c83a6fe7597a8f1b9088a4da1ad7e82aebfd3235d0f392e0a75bee8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
73c7d1fcbb4f0f37a9593b99148703e1

SHA1
dee364a59efbf11a40b0bc32076c02f1ef49f677

SHA256
ce3a0f3f7d0d2a4d59c8b1f00e05c8df39ad94f1a533a866f49099aecc345ed4

SHA512
02566a390f36e9c77a3e7bd5692a0040d67afa87b3e0a641392d5f6e72d018cbba34cdb2103152c3b7f5dda4c61add879ba0a3f6357c183e2e020a84f8c98dab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
48dba7b8e2d5f2cb0d85329feaa948df

SHA1
006e6586cc195183a9844d2362a5110bd5611b47

SHA256
cc48f71de7fce40ed25efa895ac52fb8e4f52d0a6a8b611c50b79b064212294c

SHA512
08e9c1bcba642467b5814d5b800c6617fba82f52fbdfe3af81b55750d5553d6d9fc1f704aa048c2d09fa9cf225c2a1a59246d5012f0d6d4e9e55178adfdc4fc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e2af7630a566f932e708e3901975c1f

SHA1
83da50c0851fabbe5f74910723fb37181097ed30

SHA256
76b0f01d1de18250e5a9d629c1643e435f3ff44bd401808c54bd9b01d7011092

SHA512
e77ac2c6500f1d0d0de5338e886bc47b8e444779d5e60a16c86b265bf7cdc0d8041630507218f20a1c5d6657d85094ce5fbebc467efd4aa8c2944e4d8fe1a172

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cef3290aa4a5f4f3a332330cb3c0bd6d

SHA1
0484f74991927e63f449546e013f94f756d125d6

SHA256
e0ed823dc5e21b8e77e61670c7f0c238c3f9c0e0947eb9b8607fb58627c989e4

SHA512
987e8e2310d318d8ed082ce0205f8bca7319c16f5c481b4791ca79f3d707c087898d3e66d639a1ca701ab1807868fcbf3c4da025cd057802bc430f4b3118e1b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c70545f00ea43fc8599043908cbad37b

SHA1
5247658a31aa7342fa6a78ef1e1cd0fba9b327c8

SHA256
a902cc23771255f8bce7df66379a0df60532d6db973fb695ddd85e288c33982c

SHA512
e3f57cce4b2e1efa48b8b325c96fb5fb32ab74a2eba9a7f3655e5336f383ead7e79318f248fbaadd778d7331b1905ef92da9469fab9e83c842288500294a75a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
92cc3d6a07d97d4794a0dcaedc8be12d

SHA1
70c15839918c11624cf3f058ede63ab7bb60c59e

SHA256
78fe2b2d84bbd9e434d04d45e11e35b1e7a10995d3b2e7a5959470e263dfa1c4

SHA512
ef56487f6f7d1ffc5df7b9d4af4723591472a7bbac74342e380687b904b7c099097cfc88c26a4babe0777e483c1358a343d5927aa54dec762a25fd11d9d4f7dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e685427cf0cd88203b19dd10759e872a

SHA1
d2ca21fdbf8d0b6680a9d5b487e189be02f72804

SHA256
af3ed471c9b987e081e4aaa4b74159b8143fb79f1fdccb41a5cff42ec84a1489

SHA512
60fefec218bac6adf81dab3cd56dead39796559eaca4d1d415fa42a99a301685c841c26b0cf08b079b62fd2586a05f66840e930a6a30c89954c4279326fa5615

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1e299e83d42d15efb3f5d0b110c4a6c3

SHA1
a749f85425baae0c7e69f26f3bb05eb429543d80

SHA256
9e0772f603aec45848fb2f37265728a3665b08a20ec2eb8473b7e305e425bf37

SHA512
c97798932e50d0d0287a90fb4efa5c7bae4501298c28d4c0d7611edbbb0aee453a8ac4c7dc416bdd0662de32408f33fcef36ba9225d69cce8f8f2b0460672d52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
591572167820b0b75117720b7d0a098b

SHA1
3fce29fdadd31b47a807f3e86cbce9709806affb

SHA256
991894ddd9514baf6d45395fe80d4f6cd5d21e52b12be3f6b96cd3f62f7322ab

SHA512
c9bccb5ad07d2326f6949c9a022f02a64fdfa7e1f33e98d11b36855ecef77a0daa49c20350165e2d864bfde3004e6016885883d832e336bfae42869df112657d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8c7e22118c454724f710742988cd5d03

SHA1
ced2163c47a39a88d957db4265c912a25ac7ebd7

SHA256
d2a2ef492e2708602b63741c2bc07708e861cb4e8896d0129d138596fa32c99e

SHA512
4ba4f19d93143590ad36bef9d49256b0bb2fccffd9befff2a2befc9573ddaa57cf985077237220978a12a95f4fcba659efba67c0e2d8494b0522e7df094daf5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d1809b8b817399d515dedec59ca1c5d2

SHA1
f1882af7c7e59725674e19cf22e98b0a9bf223db

SHA256
72f89176e0f38f7dd40251382114a3c30ddc5b174eb7587795833198156db7c1

SHA512
4dd36ed22df7f72b990f37b1bca68bdefbbd9c791e51da71f89568c978a97fc8e7e51081faca03ce8e12b260335d63c0347ceb32de3f926593976b312a63cd80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
dd2c5722b8b4944e1800f20b5eb8dc27

SHA1
85833cc22e25fe27c77c3e5a2bf4e5617ed8b91d

SHA256
07e4ebd67293dc07373d731a6b8da95ef53134aa2528e599a7ff2ecaafb6352e

SHA512
367cbbac2f602263f585d7b078f18dec9db38f4d8bccbb55433c9e936d6b556c70edf71caaf702f6d9ce6b9e2e2b8b4cb9f54f8182e18001e3863565d93cf36f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7310dd732cdc0f49091b1197f4fa4eee

SHA1
e07a0075f47fc786311d656e99d10ddb5371650e

SHA256
a506ce030dd3562299160d709b9929c47ffe02df404154fa523cafeb43ea899b

SHA512
e3567fceab04ca3f6dbbc233c2b42e58d865dc9c3e7156c62db266552f72e9932cad189b5e9b3464402bec9c3297822604d7c28a5ebee7992b6e6ae0978fd0a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
42e7766bdbb88f608202db161f28e17c

SHA1
df798c0f976f0549638e2e24fdc8be8e30bca643

SHA256
ad9f5e99d4a206c3db29822e1348a63af2851ae2746d8176dc871d8a34e98bb8

SHA512
1a637c9cfdf35ef4628b49cafb44e2d7fc6c1e34fceb978f3f60c77c4dccb70c28a83b7ca4a6d24d592307a299ec14b97cf77cc3acaa061dfea089ead1ae39bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
05aa588b06914e20f86c9a093ed7c2a4

SHA1
efbd54b3e29eb29fb6a48ac0209920097e28be5c

SHA256
ccb04b2e5573fda500eae0bff73df514022244e004db58c298ff815f431a7751

SHA512
56d1186bed71fcb22e5e94db218bc721068ffb18290869e4762fc808e9429ecaa5f0d8a63d62df019fc4ac7319f8836a854053f5b24ed2d976be85b81379fe24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0df0a087f379fc40a62087eb9b8e6177

SHA1
17a67276537929d578db259585315944ad63ece2

SHA256
2158c830d2a2dc2cd8f58ef568fcd4996fe0c9dcb649811b365f786be0fc733a

SHA512
8211d602716844aa8874a43cc80bbd7a41fad95ecd7caefc441cb0d31298278e9c1bbb4a8338852d37bb379c151d7d29bc67a556ce466a906b989ada6fe83417

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8c73058fe85f445363809f733767f6dc

SHA1
dea9032e54d4a56edece081d01a8664accd9e627

SHA256
67c5850599c2256afda77204df8bab4b3c726ecd4c5ddd7233a6a67e1f507e1e

SHA512
8d14b4de54d2c85dd2f0f4d9e33045faec7fca319192720bc5e24d5cd227ec316ab643079e7d6eb19daba758c5afc2545ab3fd951ecd39f7b1804fd08dd6d78e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6cbde2ff33b59570b4c871d0b6ce3970

SHA1
7dd3d3fd6befeed12949534b46c38688646931dd

SHA256
74e80240b6821c90a8138ae1b71cc4aacdd917429e312de2cbec0d9cb4d89803

SHA512
4ae3c9992207a6178b0682a50de931c82c134f036ab07a78a1fe176cfe9a9a33bc66ae5acac30c3c86b79818d62ab497b96b2dceca40444ae769e8bc407c4ef1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3e5301532bad08a346eb8c7333340e1b

SHA1
23c88248c4315a7106b46efa39c0f63d2b48de1a

SHA256
76d1432bc768a112b2efd983fb52ae83de2159f8c1d97d504194cd2d58749647

SHA512
abb49dd8a29ef6ca87db820e8b191c8cf41c8aaed1468c1b7cc561175429f27a3a48738766458711bc198dd6b7ebe38b037a11d2bbc0ac0aeb070e20c7e32f0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3e5b53d77c33c267587894a55f17071b

SHA1
76cbe89331d4d8361c58de39bf6b0a3e5705382b

SHA256
218c068c5868fc6c1f3a8a50bfff32ae4f48888954fe596381befc21194e4be5

SHA512
18535268a140089cbab8a2b9b523aad8fe7e6adf676ccc25c23e257a64fe67c3733300c81d4c14308db3ba5aee4f448478e26e2bece4c93e7e68d6676ae11f84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
41f55c08b5090e940000023d6c1f7d58

SHA1
9445314bf106c9f40016bcfa1818aca76d2b565f

SHA256
401e33cc50c4fed02cb49cf9aaa9d5586174d524686775280ff99653be7e3ab9

SHA512
d65196aaa3b62b179cb17325b6bdb7c23d42eb190ea2968d6fcc4c7b9d9f01004bac03570d4f233b7ca2015ade23be26c4dc3f03530ac82be6e9f027db1b3884

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b88ba963c2f062e737a6904242d15090

SHA1
3031a159ae53b9a9ec5d73292836d1dcbe405cd4

SHA256
fbe57874ed6cd99b9a92e2e40d30f724eb3dac8f2777276b84371e906dd26d0f

SHA512
ae8e235b1f6a548956b174a5d9235add4e6e131a917ce38b26736d95ca99cb5ac6d3f5648340e0b858978876800d49278fd0ade8973452aba1b4b44227a9aba4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
04aec3b35eca3e0af01417808874fbef

SHA1
7581b112567e221fe9f772a14f88a6a61ef9515c

SHA256
5698c6a050f86d90e0a37b3573602df5bfbaa892e0db58258f0e87ad50da7f56

SHA512
1b9e8537746f816fc847b61cc3ae9beb7e8ad8ce95f4ec5b818cca9bce6778daa808982b40f3bf5a0079251e7d3f07add689cd5ac2be9d337f073d81c5552284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b31b9c4a449910d723e0b703e719c97

SHA1
d7f77dcdb2469882c0e2253e763c3b0efe6a7c37

SHA256
6ed69272f3a012ea89c654b7dac8c31ab8bda158a30f48b12593a5de6c5f741b

SHA512
ae1204c4317e6434282abab5709a0074704bffe7741fdc9c11914d64fe724ef0df42783db26833551c3d7f9a2f9cb195597a494c46d6298ae4830b4b04fbc314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3e3d39a34683cd78c90e7380264a682c

SHA1
a17e015dc1ca41de5372832427bf7a0c5e140f28

SHA256
263c713d3ece9235836d1665aa94efc035a337f5f9e36c443bacd2e10c9e5941

SHA512
30faf0c178b5bb8fe18dcd09f40250546b73159e76695a6377c16c0f056555355a902be4cda4c406d3d19c1bfe2d7c56ec8f5ec29b6eb54e5064345af43e28da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b8e1c627b05ed1ee9b4a032e8e361bad

SHA1
636abf130fd05b7dbc871ad438222f6ffd482704

SHA256
036745948e4f8939ef8961e699b4ce4ea0346299938b23b701495e07accc7877

SHA512
bdb0f0196396d3d7758c613b920a731e5df081c18eab2023ca6994f60c93995f2413833db209eef85988413273b0267a5a8d9b7c62bea99acbfddda1c4ec09b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
846554b3f6ab31fc1002bbe2b94de9c5

SHA1
c9d4cc26df8c40392a28720ea7fbdd2fd79a4c5c

SHA256
5215ee1ed71cbcb38a152c0b1d1f1de47188932d41ea5274c1091be223c1bc94

SHA512
c9c517bfc2a7ad897fe32835c812466772d40130968353b60d19e8ad6db188413fc4b4794afdb3f9d80ed1ad2930c3e5158ba88203cf8378510e90edea9678d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
abf1c18ab11f2463a10000279ba802bd

SHA1
4095365a6c01e5536986679c72cd42832eebc1bb

SHA256
b6b728eac2bbf8d1875340ee98cbdb32cb63323280939c08e8d354e199fb3bcf

SHA512
b9515f5d38350d9b1ab384c4eeb767dd36b6079e32d8988e42f219f8a0625496dab83a7feae99e48a7791a609a82708bf9350bc60e4ce2fc9b2a146e68826b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2b0f67f888ac4c254cb4ea0b39c0209a

SHA1
1a5bd686710b53b71c41a5ead5da6e1a75c13db9

SHA256
8034f0bc8503d305a3ce8ee9eebd8d1b410aa7b7df315c74a137ac225ace467d

SHA512
533b86056bd335f0d04e075d622c91881f8c1a2b0c66542c7eae37da384e52a92177f91b7b3095d22ec81112c9fd32151f9619517867a849931f484db5565d6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0bb0ece59496376889ecfb756ba4ca65

SHA1
0923e6fd1268f5be2733f7b94bfe7f4c90a97df3

SHA256
075122d9ba869cd41f801644341bf023d9970b8462e76c6131348cde08b06b02

SHA512
4d0b714bc787b9a11161a570807c259b0e70df280b16de6cd999d0c5fd2b5349e8717448c756a826d421bf2ec8fc3acd615a7a1c3e450ee7af560be50a3359d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f461a3c67e1de96bf973b7c5de1a5a89

SHA1
7a594ab3a8156e7cd7ac150e900ab7ddc4e5b6a4

SHA256
0b3581043ee50efd318854bafd367fa40ff54f9d29c2205778ea0f21d43ba8e4

SHA512
c7a2cc193b397ae69009ac44c7b2a47b8b0b83f7fb5ce85e6721f42354d5f99eac8e4a456c4cc6db80dff45614d5774794a6e361be59dfb503fc4e7fd96da697

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4f7891a5a18bbac986c097eb2f0cf8ce

SHA1
8c967520bf01e61838101f310356654f58dacf02

SHA256
9b8fca4666894b168e06a4d86f4e4aea445983387b940b810b3ee209fced475e

SHA512
f05b8f00f6e1480daa6407c8af14c1d3ebdf2689b5e3aa22280c4d69ad4941f004ed52a9472e9f3c34482687d16d50752862372d66f53ddd344a14dbb2dad3a9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
22.0MB

MD5
dd937c21489d308785b452b9e9a3eea1

SHA1
64702cda719d5c823d08463ec64207393137ad0d

SHA256
6369e55aadc20bb2dcdfa2af4fd463e774b5a2524affe93a9eedaeaa0b8b84ec

SHA512
35ebedc6f5af1c19c54f3404ab8da5b1fdf4fb981f6ed422d29f7ac198c08d8d110d3fa5349beb1610facd098594375180af13e63eda882f594f5ce899d91cea

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
22.0MB

MD5
dd937c21489d308785b452b9e9a3eea1

SHA1
64702cda719d5c823d08463ec64207393137ad0d

SHA256
6369e55aadc20bb2dcdfa2af4fd463e774b5a2524affe93a9eedaeaa0b8b84ec

SHA512
35ebedc6f5af1c19c54f3404ab8da5b1fdf4fb981f6ed422d29f7ac198c08d8d110d3fa5349beb1610facd098594375180af13e63eda882f594f5ce899d91cea

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2231940048-779848787-2990559741-1000\desktop.ini.exe

Filesize
22.0MB

MD5
0d96b754e10e5774c70f07850536b27c

SHA1
5de4c5079e901bc10d989fe6ff779ccba07d544c

SHA256
c0c1fdc27caeebe21007b21215ff7ee7b15f127263090792cc14c7e60727aca9

SHA512
e707be99d2f97319b5b39ef2c1f2f7fbcd985ab8fb43300a2d6ec79714e48c69d381836a471e75bdd13b6872b00278eb3d64ffb614f1385253c6b879f22aaafb

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
22.0MB

MD5
2c87df27a464c8dacc76d59e9ec5e2c2

SHA1
3fcbb9e46ade3a28b40d193d1a4fd2d004def7be

SHA256
3ed8d78ab08965d89d0cb0c2d6e1e713af0945e671d0c5dfa5057af6522f67ee

SHA512
f113ebdbe81bc5c1323dc88a0d3f1b2087b4fd8424bf5fed2eea3ee1f049a55cae03553214a5cb4df8bd5e56d8d774b8f8a91afd389941e47e1051fe2b56eea8

Download Submit
memory/3424-1-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3424-94-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3424-95-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3424-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4248-6-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4248-96-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4248-101-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads