Overview

overview

10

Static

static

b42d07f0b7...f9.exe

windows7_x64

10

b42d07f0b7...f9.exe

windows10_x64

10

Analysis

  • max time kernel
    111s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    10-07-2021 10:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

  • Size

    147KB

  • MD5

    6c0bb20e1158593211a7cbcbacb3dd83

  • SHA1

    3a74a3aafde31b4f129e515baabe9833bf359f8e

  • SHA256

    b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

  • SHA512

    7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

Score
10/10
ryukdiscoveryransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = '2cvCR2CMQ1qi'; $torlink = 'http://hqcqsw6et744hz7tx7rudmerk6fjyifovm6upec4ceqjndbmu34vs6yd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://hqcqsw6et744hz7tx7rudmerk6fjyifovm6upec4ceqjndbmu34vs6yd.onion

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Executes dropped EXE 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
    "C:\Users\Admin\AppData\Local\Temp\b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Users\Admin\AppData\Local\Temp\1073r.exe
      "C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
      2⤵
      • Executes dropped EXE
      PID:1112
    • C:\Users\Admin\AppData\Local\Temp\SnwZsutJClan.exe
      "C:\Users\Admin\AppData\Local\Temp\SnwZsutJClan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:804
    • C:\Users\Admin\AppData\Local\Temp\kXVfjqNeblan.exe
      "C:\Users\Admin\AppData\Local\Temp\kXVfjqNeblan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2164
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1528
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1656
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
        PID:4520
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          3⤵
            PID:4588
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
          2⤵
            PID:708
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "audioendpointbuilder" /y
              3⤵
                PID:1108
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop "samss" /y
              2⤵
                PID:2312
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "samss" /y
                  3⤵
                    PID:5004
                • C:\Windows\SysWOW64\net.exe
                  "C:\Windows\System32\net.exe" stop "samss" /y
                  2⤵
                    PID:5064
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "samss" /y
                      3⤵
                        PID:2892

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads