Overview

overview

10

Static

static

8

0323b4326b...02.exe

windows7_x64

10

0323b4326b...02.exe

windows10_x64

10

0898a80dc2...92.exe

windows7_x64

10

0898a80dc2...92.exe

windows10_x64

10

0aaecf7f77...91.exe

windows7_x64

10

0aaecf7f77...91.exe

windows10_x64

10

150e8ef3f1...02.exe

windows7_x64

10

150e8ef3f1...02.exe

windows10_x64

10

23e95ba676...7f.exe

windows7_x64

10

23e95ba676...7f.exe

windows10_x64

10

28e7dc4aeb...33.exe

windows7_x64

28e7dc4aeb...33.exe

windows10_x64

10

350b0d6ae2...d7.exe

windows7_x64

1

350b0d6ae2...d7.exe

windows10_x64

1

3a6ebac4f8...ca.exe

windows7_x64

10

3a6ebac4f8...ca.exe

windows10_x64

10

3fe801df14...4f.exe

windows7_x64

8

3fe801df14...4f.exe

windows10_x64

8

41367ad447...00.exe

windows7_x64

10

41367ad447...00.exe

windows10_x64

10

48f4749f13...77.exe

windows7_x64

1

48f4749f13...77.exe

windows10_x64

1

499d936c22...82.exe

windows7_x64

10

499d936c22...82.exe

windows10_x64

10

4b5a6926ab...d1.exe

windows7_x64

1

4b5a6926ab...d1.exe

windows10_x64

1

4bb0d8eb6b...81.exe

windows7_x64

10

4bb0d8eb6b...81.exe

windows10_x64

10

5de3d5a337...ed.exe

windows7_x64

10

5de3d5a337...ed.exe

windows10_x64

10

5e2b2fe65d...20.exe

windows7_x64

1

5e2b2fe65d...20.exe

windows10_x64

3

Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    30-03-2021 11:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe

  • Size

    143KB

  • MD5

    b77cc8a1ede23a80a4a4c9d0a8b40735

  • SHA1

    254c97abab837687c779b57c7ef1bec4c1e2351a

  • SHA256

    4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581

  • SHA512

    f94546161808210ada027d03465f88336de4f2d24581801566f7ff17a9641b389c43946a98275ed637759a0205b8d09f9028d26bb75ab44e3f7038c5b4667ffd

Score
10/10
ryukpersistenceransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
      PID:3256
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:3784
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:3488
        • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
          1⤵
            PID:3264
          • c:\windows\system32\taskhostw.exe
            taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
            1⤵
              PID:2432
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
              1⤵
                PID:2332
              • c:\windows\system32\sihost.exe
                sihost.exe
                1⤵
                  PID:2324
                • C:\Users\Admin\AppData\Local\Temp\4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
                  "C:\Users\Admin\AppData\Local\Temp\4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe"
                  1⤵
                  • Modifies extensions of user files
                  • Drops startup file
                  • Drops file in Program Files directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:644
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe" /f /reg:64
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2932
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe" /f /reg:64
                      3⤵
                      • Adds Run key to start application
                      PID:2728

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads