Overview

overview

10

Static

static

a5a8bc4eee...58.exe

windows7_x64

10

a5a8bc4eee...58.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    48s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15-05-2021 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458.exe

  • Size

    443KB

  • MD5

    132b243229390d9edfa25566894c5010

  • SHA1

    a040ad72525fea4e93920889dd90395bbe29d5dd

  • SHA256

    a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458

  • SHA512

    fb9876deb950d1e06ace48c024e6cd9aa1722002db606cdbc5e629309dcf4870a836c963d030273a8ffaa29bc8db33c512255e51c92d72f9d9b5420122db2aa2

Score
10/10
ryukransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Special warning for system administrators, network administrators and third parties: Do not try to solve this problem by yourselves! Don't change file extensions! It can be dangerous for the encrypted information! Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files.Your system administrators are trying to solve problem by simple file extension changing. This actions seriously increase the time needed to recover your company's PCs and network servers! To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 46 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458.exe
    "C:\Users\Admin\AppData\Local\Temp\a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\users\Public\HFIto.exe
      "C:\users\Public\HFIto.exe" C:\Users\Admin\AppData\Local\Temp\a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458.exe
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\System32\net.exe
        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          4⤵
            PID:4136
        • C:\Windows\System32\net.exe
          "C:\Windows\System32\net.exe" stop "samss" /y
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4188
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop "samss" /y
            4⤵
              PID:4416
          • C:\Windows\System32\net.exe
            "C:\Windows\System32\net.exe" stop "samss" /y
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:27464
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop "samss" /y
              4⤵
                PID:27560
            • C:\Windows\System32\net.exe
              "C:\Windows\System32\net.exe" stop "samss" /y
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:51072
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop "samss" /y
                4⤵
                  PID:51232

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Public\HFIto.exe
            MD5

            b0c22ee43d184abf7f064ef4667e2b3c

            SHA1

            7d2b0dca4878c7012b7d9de9e1bc04185c481d98

            SHA256

            6fc3641a3abbf44493bb1b0fb9568ed6c496ce9f92200a1134b99ff071722515

            SHA512

            9678226d55da76b13061a2ce1138ed3e18ce3f29e716ae8592694b5cb6b9a372d0488ac6695534751bc21d5c015ffa8956143564223e8cd4992194be2b885acf

            Download Submit
          • C:\users\Public\HFIto.exe
            MD5

            b0c22ee43d184abf7f064ef4667e2b3c

            SHA1

            7d2b0dca4878c7012b7d9de9e1bc04185c481d98

            SHA256

            6fc3641a3abbf44493bb1b0fb9568ed6c496ce9f92200a1134b99ff071722515

            SHA512

            9678226d55da76b13061a2ce1138ed3e18ce3f29e716ae8592694b5cb6b9a372d0488ac6695534751bc21d5c015ffa8956143564223e8cd4992194be2b885acf

            Download Submit
          • memory/216-114-0x0000000000000000-mapping.dmp
            Download
          • memory/2168-117-0x0000000000000000-mapping.dmp
            Download
          • memory/4136-118-0x0000000000000000-mapping.dmp
            Download
          • memory/4188-119-0x0000000000000000-mapping.dmp
            Download
          • memory/4416-120-0x0000000000000000-mapping.dmp
            Download
          • memory/27464-121-0x0000000000000000-mapping.dmp
            Download
          • memory/27560-122-0x0000000000000000-mapping.dmp
            Download
          • memory/51072-123-0x0000000000000000-mapping.dmp
            Download
          • memory/51232-124-0x0000000000000000-mapping.dmp
            Download