Overview

overview

10

Static

static

xxx.exe

windows7_x64

8

xxx.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    29-03-2021 05:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xxx.exe

  • Size

    212KB

  • MD5

    af9754aa7c14005973189c09494b50af

  • SHA1

    fd4b1bdbbfc7fe46bfe3d2205641c441f796a03d

  • SHA256

    30aa50598d3a153d842f3861f66cd1a8ee754f850ee2429aa739975536b5be3a

  • SHA512

    c6fdd0b930e573d4b3d94232e2ca624c6d21bff572d237e6f3abd9d26ee0e6eb4db0e9bd1384a5961a5da6fc44d81026534a139696b3ae6688705fa52471f887

Score
10/10
ryukdiscoveryransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'ky0SRjh'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Executes dropped EXE 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xxx.exe
    "C:\Users\Admin\AppData\Local\Temp\xxx.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Users\Admin\AppData\Local\Temp\zWrFCrSjTrep.exe
      "C:\Users\Admin\AppData\Local\Temp\zWrFCrSjTrep.exe" 9 REP
      2⤵
      • Executes dropped EXE
      PID:2680
    • C:\Users\Admin\AppData\Local\Temp\egsmJFiiwlan.exe
      "C:\Users\Admin\AppData\Local\Temp\egsmJFiiwlan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:3844
    • C:\Users\Admin\AppData\Local\Temp\UDufVTXsnlan.exe
      "C:\Users\Admin\AppData\Local\Temp\UDufVTXsnlan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:3344
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:2068
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:3744

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2680-8-0x00000000021C0000-0x00000000021C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-20-0x0000000002140000-0x0000000002141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3844-14-0x00000000020C0000-0x00000000020C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4048-2-0x0000000002310000-0x0000000002311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4048-24-0x0000000003780000-0x0000000003781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4048-23-0x0000000002F80000-0x0000000002F81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4048-3-0x00000000005A0000-0x00000000005C4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4048-4-0x0000000035000000-0x000000003502D000-memory.dmp

    Filesize

    180KB

    Download