Analysis
max time kernel: 143s
max time network: 118s
platform: windows10_x64
resource: win10v20201028
submitted: 29-03-2021 04:36
Static task: static1
Behavioral task: behavioral1
  Sample: xxx.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: xxx.exe
  Resource: win10v20201028
General
Target: xxx.exe
Size: 212KB
MD5: af9754aa7c14005973189c09494b50af
SHA1: fd4b1bdbbfc7fe46bfe3d2205641c441f796a03d
SHA256: 30aa50598d3a153d842f3861f66cd1a8ee754f850ee2429aa739975536b5be3a
SHA512: c6fdd0b930e573d4b3d94232e2ca624c6d21bff572d237e6f3abd9d26ee0e6eb4db0e9bd1384a5961a5da6fc44d81026534a139696b3ae6688705fa52471f887
Malware Config
Extracted
  Path: C:\$Recycle.Bin\RyukReadMe.html
  Family: ryuk
  URL: http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion
Signatures
Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
Executes dropped EXE 3 IoCs
  pid   Process
  3032  EyseAKMcFrep.exe
  4072  aqOJJEQkYlan.exe
  380   whMwUmFAklan.exe
Modifies file permissions 1 TTPs 2 IoCs
  pid   Process
  4532  icacls.exe
  4496  icacls.exe
Enumerates connected drives 3 TTPs 22 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\W:  xxx.exe
  File opened (read-only)  \??\S:  xxx.exe
  File opened (read-only)  \??\O:  xxx.exe
  File opened (read-only)  \??\N:  xxx.exe
  File opened (read-only)  \??\R:  xxx.exe
  File opened (read-only)  \??\L:  xxx.exe
  File opened (read-only)  \??\K:  xxx.exe
  File opened (read-only)  \??\J:  xxx.exe
  File opened (read-only)  \??\Z:  xxx.exe
  File opened (read-only)  \??\Y:  xxx.exe
  File opened (read-only)  \??\X:  xxx.exe
  File opened (read-only)  \??\U:  xxx.exe
  File opened (read-only)  \??\H:  xxx.exe
  File opened (read-only)  \??\G:  xxx.exe
  File opened (read-only)  \??\F:  xxx.exe
  File opened (read-only)  \??\E:  xxx.exe
  File opened (read-only)  \??\V:  xxx.exe
  File opened (read-only)  \??\P:  xxx.exe
  File opened (read-only)  \??\I:  xxx.exe
  File opened (read-only)  \??\T:  xxx.exe
  File opened (read-only)  \??\Q:  xxx.exe
  File opened (read-only)  \??\M:  xxx.exe
Drops file in Program Files directory 64 IoCs
  description                   ioc                                                                                  Process
  File opened for modification  C:\Program Files\7-Zip\Lang\mng2.txt                                                 xxx.exe
  File opened for modification  C:\Program Files\Common Files\RyukReadMe.html                                        xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\uk.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\7z.sfx                                                        xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\he.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\RyukReadMe.html                       xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\RyukReadMe.html  xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\an.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\7zCon.sfx                                                     xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fi-FI\RyukReadMe.html             xxx.exe
  File opened for modification  C:\Program Files\7-Zip\History.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\da-DK\RyukReadMe.html             xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\fr.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fr-CA\RyukReadMe.html             xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\it.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\fi.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\sr-spl.txt                                               xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.html             xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\es-ES\RyukReadMe.html             xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\cy.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\es.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.html                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\da.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\pl.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\mng.txt                                                  xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\en-US\RyukReadMe.html             xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\RyukReadMe.html  xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\mn.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\bg.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\gu.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ku-ckb.txt                                               xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\lt.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\si.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\gl.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\7-zip.chm                                                     xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\lv.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB                                  xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\kk.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\hi.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ka.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\pt.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\nn.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\RyukReadMe.html                                          xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\fur.txt                                                  xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ru.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\sr-spc.txt                                               xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ta.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\es-MX\RyukReadMe.html             xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\hy.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\id.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ne.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.html             xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\RyukReadMe.html  xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\RyukReadMe.html  xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\en.ttt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\br.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\RyukReadMe.html     xxx.exe
  File opened for modification  C:\Program Files\RyukReadMe.html                                                     xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\et.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ext.txt                                                  xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\sk.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ar.txt                                                   xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\kaa.txt                                                  xxx.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\mr.txt                                                   xxx.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid   Process
  4768  xxx.exe
  4768  xxx.exe
  4768  xxx.exe
  4768  xxx.exe
Suspicious use of WriteProcessMemory 15 IoCs
  description                       pid   Process  procid_target
  PID 4768 wrote to memory of 3032  4768  xxx.exe  79
  PID 4768 wrote to memory of 3032  4768  xxx.exe  79
  PID 4768 wrote to memory of 3032  4768  xxx.exe  79
  PID 4768 wrote to memory of 4072  4768  xxx.exe  80
  PID 4768 wrote to memory of 4072  4768  xxx.exe  80
  PID 4768 wrote to memory of 4072  4768  xxx.exe  80
  PID 4768 wrote to memory of 380   4768  xxx.exe  81
  PID 4768 wrote to memory of 380   4768  xxx.exe  81
  PID 4768 wrote to memory of 380   4768  xxx.exe  81
  PID 4768 wrote to memory of 4532  4768  xxx.exe  82
  PID 4768 wrote to memory of 4532  4768  xxx.exe  82
  PID 4768 wrote to memory of 4532  4768  xxx.exe  82
  PID 4768 wrote to memory of 4496  4768  xxx.exe  83
  PID 4768 wrote to memory of 4496  4768  xxx.exe  83
  PID 4768 wrote to memory of 4496  4768  xxx.exe  83
Processes
C:\Users\Admin\AppData\Local\Temp\xxx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xxx.exe"
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4768

  C:\Users\Admin\AppData\Local\Temp\EyseAKMcFrep.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\EyseAKMcFrep.exe" 9 REP
    - Executes dropped EXE
    PID: 3032

  C:\Users\Admin\AppData\Local\Temp\aqOJJEQkYlan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aqOJJEQkYlan.exe" 8 LAN
    - Executes dropped EXE
    PID: 4072

  C:\Users\Admin\AppData\Local\Temp\whMwUmFAklan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\whMwUmFAklan.exe" 8 LAN
    - Executes dropped EXE
    PID: 380

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    - Modifies file permissions
    PID: 4532

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    - Modifies file permissions
    PID: 4496