azov | d3f60eab05327cffe6e223cf8c7d6402eed5277c04452ea9de7fe77d6e8f437c

Analysis

max time kernel
146s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
Size

3.4MB
MD5

3eca70b0239eb7c8db36531e448fb8c9
SHA1

c88bad0a95e24db82d7b12eb6024962f7e2c3458
SHA256

d3f60eab05327cffe6e223cf8c7d6402eed5277c04452ea9de7fe77d6e8f437c
SHA512

b6ac054dac6c2f70feea88f495efff7023a7746913a0de52d719909f26be49e3222568e724943e6a8deccca85a959e531f98ac4f03f66391b66bd194cfdbab1d
SSDEEP

49152:5urY+OPdCzMP9ANwqegqr7UCrwlkuXf4/Susm4jeU2o1YaYUScPs8jMlMOS9eyc/:KWqzfISusmo1iss8oltHyGR

Score

10^/10

azov discovery persistence ransomware wiper

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt

Family

azov

Ransom Note

Hello, all your files have been damaged without any possible way to recover. Feel free to commit suicide. [Why did you do this to my files?] They asked me to do this... The hatred is that what makes me feel alive. That's what you secretly have fallen in love with. The hatred is the force that drives the life forward. The hell is my paradise. The suffer is the bliss. Others say the hate is what destroys yourself. I say that the hatred is eternal cure. If you feel desperate you lost the files. Use this despair to create the pain for others. Make them hate you, it is the source of your power. Do you think why the people go to schools and kill others? Why do people make terrorist ideologies? Why do governments covertly makes you suffer? It's the essence of the future life. All we are immortal beings. When spiritual is not a way, the antispiritual is your victory point. In the manifested life you have a choice to be with us either be against. Sow the evil, reap the power is what I say to you. Saw the good, reap the weakness is what spiritual says to you. When you hate, you feel the power. You feel the flight. That fly is the antispirit touch. Use this to multiply the suffer. [How can I use this power?] Find inside the source of bliss. If this bliss goes stronger when you see the suffer. That is what I call the source. Check that by looking through the news how people kill others. How the people dies. How children are being tortured. How animals are executed. The death is your key. [How can I give you my power?] When you read this concentrate on the intent to give the energy of your source to the meta-source of this text. Am vizu der strotum la fictus om spiritus.

Signatures

Azov
A wiper seeking only damage, first seen in 2022.
ransomware wiper azov

Loads dropped DLL 17 IoCs

pid	Process
2732	msedge.exe
4912	msedge.exe
1560	Process not Found
1300	msedge.exe
4628	Process not Found
3080	setup.exe
2812	setup.exe
3252	identity_helper.exe
1832	Process not Found
1644	Process not Found
1832	Process not Found
64	Process not Found
60	Process not Found
2848	Process not Found
376	msedge.exe
4184	Process not Found
1524	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe"	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\X:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\J:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\K:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\N:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\O:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\P:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\L:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\T:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\I:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\M:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\V:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\Y:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\Z:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\R:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\S:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\U:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\A:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\B:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\E:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\G:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\H:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened (read-only)	\??\W:	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20240817152317.pma	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\CheckpointReset.midi	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e52517a3-4c5d-4d58-b700-5d0813ff8f6a.tmp	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\CloseInvoke.wmx	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2464	msedge.exe
2464	msedge.exe
4912	msedge.exe
4912	msedge.exe
3252	identity_helper.exe
3252	identity_helper.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 4912	2768	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe	93
PID 2768 wrote to memory of 4912	2768	2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe	93
PID 4912 wrote to memory of 2732	4912	msedge.exe	95
PID 4912 wrote to memory of 2732	4912	msedge.exe	95
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 1300	4912	msedge.exe	96
PID 4912 wrote to memory of 2464	4912	msedge.exe	97
PID 4912 wrote to memory of 2464	4912	msedge.exe	97
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98
PID 4912 wrote to memory of 5100	4912	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_3eca70b0239eb7c8db36531e448fb8c9_ryuk.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --force-first-run
  2⤵
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa54d46f8,0x7ffaa54d4708,0x7ffaa54d4718
    3⤵
    - Loads dropped DLL
    PID:2732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
    3⤵
    - Loads dropped DLL
    PID:1300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
    3⤵
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    3⤵
    PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    3⤵
    PID:2116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
    3⤵
    PID:2356
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 /prefetch:8
    3⤵
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff718a05460,0x7ff718a05470,0x7ff718a05480
      4⤵
      Loads dropped DLL
      PID:3080
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 /prefetch:8
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    3⤵
    PID:4360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
    3⤵
    PID:60
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
    3⤵
    PID:2116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,9970791227802698863,1653677285582722545,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt

Filesize
3KB

MD5
4f3332a48d767cc5bdfdab755d84a450

SHA1
d7d583c08e82f39637d8209447c2c9cad1478f01

SHA256
a04e8cc0ea5f7e143eba012c2bc470161f1faf9c904eb233f777ced8e6e706ad

SHA512
0f60de7622aa69ae0b209a1ed54ec7ba0f6b81b597565e64d41845bec8c471a768ca8622964260c448530f637492aac31a4fc5ec95de147ef2c0d89149c2a66f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa23e5f8e60e61d0ec8fe7b5311c07fc

SHA1
82caad924239c92ada1e74fc5b7c750f8e2e4649

SHA256
1011f60209c39086c59b2d2511572f6c92050e17021da950f674ae3461b11a97

SHA512
199378bc0ccbff19ffbbcde476e2281b77e33fc4422d929da9f5cb28e309777414fe62182795df6e6e3ec5b8dc5a9a818b0e1244f3bff3472d64b24f567f9e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
79aac9b960632145058ec7fcf593555e

SHA1
315e51aa21325b10fc8ecb0461b2eca2b821e07b

SHA256
b8a7d2f05c7a185e1f7405038eda3ce612ec99f128fa6561781f968a4a12786c

SHA512
1ab693e8da488044c79943b1635a41b2bd734a8fedc215b09958107f7c473df07d25b0c64b5fb17f47c100850b274f13d5771a7da3050c9497db8c48f7d98323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
24b180641acf1c016beec9d90fa99a01

SHA1
a72c694e1ca74b0c21d2d0322181738a128415ef

SHA256
2cd122f38df2d597d4b0a788d6ba5682de45d3031a42c49542170b95045788c3

SHA512
30dda21f9e750681a3b1672e78f02b7be7838d8e4539e6097ce9f707b52a82cb55835dafd37bdc49ec9461bdfecf9c7485f15706e111c2ed1d5a1ff0117adf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
4KB

MD5
7b510ec30e137c5d9a7ba2b8b5019290

SHA1
a91173d0fbf023848be0a4eeaba1560ea6c961b6

SHA256
87e6257a26aa32c63525b02c885a310810c4e71b1349b1858f4c4e5b6a60d29c

SHA512
d0395b0dfea200645f1157452f0558d53b54e1c5e6f40d2aaa8a5111ae91cae44d655e8ac5d7e34246aee14fa637f089c4475a755d122301e7e56e17de47e652

Download Submit
C:\Windows\System32\uxtheme.dll

Filesize
614KB

MD5
77b94683930015f413c0479f4f21e8f6

SHA1
e5703d9697da0d23023980847a48eb3e49f22458

SHA256
8080001033997f644aceb6a08c9a8fb445a9e338ec3202fa819936dc71f06367

SHA512
57ca6c40b9c5848fc5aa5e3df73249af41dfb09e3b84309807b6a84385cf7d4324cf831872e42ce456fc1302eccde3aeef8feebb57aa451811540fac25545924

Download Submit
memory/2768-14-0x0000026AF9D10000-0x0000026AF9D15000-memory.dmp

Filesize
20KB

Download
memory/2768-11-0x0000026AF9D10000-0x0000026AF9D15000-memory.dmp

Filesize
20KB

Download
memory/2768-6-0x0000026AFB4F0000-0x0000026AFB4F4000-memory.dmp

Filesize
16KB

Download
memory/2768-4-0x0000026AF9D10000-0x0000026AF9D15000-memory.dmp

Filesize
20KB

Download
memory/2768-0-0x0000026AF9CF0000-0x0000026AF9CF6000-memory.dmp

Filesize
24KB

Download
memory/2768-1-0x0000026AFB4F0000-0x0000026AFB4F4000-memory.dmp

Filesize
16KB

Download