Analysis
- max time kernel: 119s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-04-2021 20:03
Static task: static1

Behavioral task: behavioral1
- Sample: bPQDRgviZlan.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: bPQDRgviZlan.exe
- Resource: win10v20201028
General
- Target: bPQDRgviZlan.exe
- Size: 136KB
- MD5: 45295780f2ba837be42ccf50710bd2b5
- SHA1: f937b1b7b3593a38702f870077658a891974edda
- SHA256: 60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025
- SHA512: 588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b
Malware Config
- Extracted from: C:\$Recycle.Bin\RyukReadMe.html
- Family: ryuk
- URL: http://smtpys6pvcvdvram6xucwecfv7rdhs6fmxzivrbcrncdeiphryhb75id.onion
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.

Executes dropped EXE (3 IoCs)
pid | Process
2860 | gqEHORbhbrep.exe
3560 | lwgILUpJClan.exe
3008 | rzOVxfjOtlan.exe
Modifies file permissions (1 TTPs, 2 IoCs)
pid | Process
1556 | icacls.exe
1544 | icacls.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | bPQDRgviZlan.exe
File opened (read-only) | \??\F: | bPQDRgviZlan.exe
File opened (read-only) | \??\E: | bPQDRgviZlan.exe
File opened (read-only) | \??\Z: | bPQDRgviZlan.exe
File opened (read-only) | \??\Y: | bPQDRgviZlan.exe
File opened (read-only) | \??\X: | bPQDRgviZlan.exe
File opened (read-only) | \??\S: | bPQDRgviZlan.exe
File opened (read-only) | \??\Q: | bPQDRgviZlan.exe
File opened (read-only) | \??\N: | bPQDRgviZlan.exe
File opened (read-only) | \??\I: | bPQDRgviZlan.exe
File opened (read-only) | \??\V: | bPQDRgviZlan.exe
File opened (read-only) | \??\U: | bPQDRgviZlan.exe
File opened (read-only) | \??\T: | bPQDRgviZlan.exe
File opened (read-only) | \??\M: | bPQDRgviZlan.exe
File opened (read-only) | \??\L: | bPQDRgviZlan.exe
File opened (read-only) | \??\K: | bPQDRgviZlan.exe
File opened (read-only) | \??\J: | bPQDRgviZlan.exe
File opened (read-only) | \??\H: | bPQDRgviZlan.exe
File opened (read-only) | \??\W: | bPQDRgviZlan.exe
File opened (read-only) | \??\R: | bPQDRgviZlan.exe
File opened (read-only) | \??\O: | bPQDRgviZlan.exe
File opened (read-only) | \??\G: | bPQDRgviZlan.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\win32\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\adcvbs.inc | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\7-Zip\descript.ion | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\dblook | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\sv-SE\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VC\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\jni.h | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\accessibility.properties | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ru-RU\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\EnterRequest.xltx | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.bat | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\et-EE\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl.bat | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\System\ado\msado26.tlb | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\sqloledb.rll | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\LICENSE | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\pl-PL\RyukReadMe.html | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui | bPQDRgviZlan.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui | bPQDRgviZlan.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs net.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3976 | bPQDRgviZlan.exe
3976 | bPQDRgviZlan.exe
3976 | bPQDRgviZlan.exe
3976 | bPQDRgviZlan.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 3976 wrote to memory of 2860 | 3976 | bPQDRgviZlan.exe | 78
PID 3976 wrote to memory of 2860 | 3976 | bPQDRgviZlan.exe | 78
PID 3976 wrote to memory of 2860 | 3976 | bPQDRgviZlan.exe | 78
PID 3976 wrote to memory of 3560 | 3976 | bPQDRgviZlan.exe | 79
PID 3976 wrote to memory of 3560 | 3976 | bPQDRgviZlan.exe | 79
PID 3976 wrote to memory of 3560 | 3976 | bPQDRgviZlan.exe | 79
PID 3976 wrote to memory of 3008 | 3976 | bPQDRgviZlan.exe | 80
PID 3976 wrote to memory of 3008 | 3976 | bPQDRgviZlan.exe | 80
PID 3976 wrote to memory of 3008 | 3976 | bPQDRgviZlan.exe | 80
PID 3976 wrote to memory of 1556 | 3976 | bPQDRgviZlan.exe | 81
PID 3976 wrote to memory of 1556 | 3976 | bPQDRgviZlan.exe | 81
PID 3976 wrote to memory of 1556 | 3976 | bPQDRgviZlan.exe | 81
PID 3976 wrote to memory of 1544 | 3976 | bPQDRgviZlan.exe | 82
PID 3976 wrote to memory of 1544 | 3976 | bPQDRgviZlan.exe | 82
PID 3976 wrote to memory of 1544 | 3976 | bPQDRgviZlan.exe | 82
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\bPQDRgviZlan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bPQDRgviZlan.exe"
  PID: 3976
  Signatures:
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - Image: C:\Users\Admin\AppData\Local\Temp\gqEHORbhbrep.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gqEHORbhbrep.exe" 9 REP
    PID: 2860
    Signatures:
    - Executes dropped EXE
  - Image: C:\Users\Admin\AppData\Local\Temp\lwgILUpJClan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lwgILUpJClan.exe" 8 LAN
    PID: 3560
    Signatures:
    - Executes dropped EXE
  - Image: C:\Users\Admin\AppData\Local\Temp\rzOVxfjOtlan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rzOVxfjOtlan.exe" 8 LAN
    PID: 3008
    Signatures:
    - Executes dropped EXE
  - Image: C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    PID: 1556
    Signatures:
    - Modifies file permissions
  - Image: C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    PID: 1544
    Signatures:
    - Modifies file permissions
  - Image: C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID: 4436
    Child processes:
    - Image: C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      PID: 364
  - Image: C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID: 1408
    Child processes:
    - Image: C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      PID: 4324
  - Image: C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 4152
    Child processes:
    - Image: C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 4360
  - Image: C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 1716
    Child processes:
    - Image: C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID: 4024