Rig EK at Drops CryptMIC Ransomware

IOCs: – 101beautytricks.com – Compromised Site – dissect.theawesomestmusic.com – Rig EK – CryptMIC post-infection callback traffic via TCP port 443 (sent in the clear)





  1. SHA256: 101504d805174416b51f601dfb5ab626e8eea9504306a36bf5bb3ad2f8d30230
    File name: RigEK Landing Page.html
  2. SHA256: a09f4f8ab6d93995398320c9406a3502fee8d6116f0e7a8bf1b1c030dec555ff
    File name: RigEK Flash Exploit.swf
  3. SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331
    File name: IIj6sFosp
  4. SHA256: aed87c57ed65adfaba258d48bbad1f9d2f9bc2f0e404b3badff246b504bae8dc
    File name: rad8035D.tmp.exe

Infection Chain:

This was another typical Rig EK to CryptMIC infection chain that started with the script being injected into the compromised website:


The script then redirects the host to the landing page which then causes the host to make a GET request for the Flash exploit. Lastly, there is a GET request for the payload. Below are all three request from the host and responses from the server:


As usual there is a .tmp.exe dropped into %TEMP% and ransom notes dropped in various folders and on the Desktop. Again, the .exe is masquerading as NirCmd.exe which is a legitimate command-line utility for Windows.



This is the second IP in the subnet that had been used by Rig EK today. It might be a good idea to flag HTTP traffic to this subnet. I would block any IPs within this subnet that are resolving to EK subdomains.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: