Analysis
-
max time kernel
150s -
max time network
11s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-01-2021 11:45
Static task
static1
Behavioral task
behavioral1
Sample
88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
-
Size
575KB
-
MD5
6cad2f7dc809b9353a31753a438aef4e
-
SHA1
459d816bb020f5da8257076a36d0ffd1f1f02d76
-
SHA256
88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335
-
SHA512
a67367990452bf21b7c0d0682c598422c78a5ed455a5d5e684d8fabb43366b0e9f9cd579a5f18123f6b1f97945f789904929838d1d893b70f450bfeafb243bb8
Score
10/10
Malware Config
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Modifies file permissions 1 TTPs 2 IoCs
pid Process 880 icacls.exe 1236 icacls.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 296 wrote to memory of 1236 296 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe 29 PID 296 wrote to memory of 1236 296 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe 29 PID 296 wrote to memory of 1236 296 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe 29 PID 296 wrote to memory of 1236 296 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe 29 PID 296 wrote to memory of 880 296 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe 30 PID 296 wrote to memory of 880 296 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe 30 PID 296 wrote to memory of 880 296 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe 30 PID 296 wrote to memory of 880 296 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe"C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:296 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1236
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:880
-