Analysis

  • max time kernel
    111s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    10-07-2021 10:37

General

  • Target

    b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

  • Size

    147KB

  • MD5

    6c0bb20e1158593211a7cbcbacb3dd83

  • SHA1

    3a74a3aafde31b4f129e515baabe9833bf359f8e

  • SHA256

    b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

  • SHA512

    7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = '2cvCR2CMQ1qi'; $torlink = 'http://hqcqsw6et744hz7tx7rudmerk6fjyifovm6upec4ceqjndbmu34vs6yd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://hqcqsw6et744hz7tx7rudmerk6fjyifovm6upec4ceqjndbmu34vs6yd.onion

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Executes dropped EXE (3 IoCs)
  • Modifies file permissions (1 TTP, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 22 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
    "C:\Users\Admin\AppData\Local\Temp\b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Users\Admin\AppData\Local\Temp\1073r.exe
      "C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
      2⤵
      • Executes dropped EXE
      PID:1112
    • C:\Users\Admin\AppData\Local\Temp\SnwZsutJClan.exe
      "C:\Users\Admin\AppData\Local\Temp\SnwZsutJClan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:804
    • C:\Users\Admin\AppData\Local\Temp\kXVfjqNeblan.exe
      "C:\Users\Admin\AppData\Local\Temp\kXVfjqNeblan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2164
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1528
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1656
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      PID:4520
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
        PID:4588
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      PID:708
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
        PID:1108
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      2⤵
      PID:2312
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        3⤵
        PID:5004
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      2⤵
      PID:5064
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        3⤵
        PID:2892

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\$Recycle.Bin\RyukReadMe.html

    MD5

    5a4a329d7f65448ea0755e462ddd218d

    SHA1

    fac326074433e0dcc2b684f1cab9e8b674f9b0cf

    SHA256

    1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

    SHA512

    63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

  • C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\RyukReadMe.html

    MD5

    5a4a329d7f65448ea0755e462ddd218d

    SHA1

    fac326074433e0dcc2b684f1cab9e8b674f9b0cf

    SHA256

    1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

    SHA512

    63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

  • C:\BOOTSECT.BAK.RYK

    MD5

    649ca1bc4bb02c6e15c34c1361b2f417

    SHA1

    764f90bf5edcb6042288557ac0bcdf755063282b

    SHA256

    651fe411eb23d012ea07629665c3b3f0431f231ccda36327d9f70150df7b070c

    SHA512

    6c4635a4b9e6eaf1a4646e40924980fc65b9ce52fd16657182957f2158e893a32ac32a00a2971b84d325e3b410433f2b370bb4d09ea4774a449db65aa913ae40

  • C:\Boot\BOOTSTAT.DAT.RYK

    MD5

    83c922e0143433395b29410e0abcc29d

    SHA1

    be50a99328cfaaa5b17ed2c3d812696d0f60b0c8

    SHA256

    c25f68714c88eaf9d0c68df486e69ffc184d8ddd1f2847cfb1a97a214571206e

    SHA512

    b0e84d26244a8b43fb70a11bc893fcc2878fa8fbe6a527507efde4412f9155ae373a871a591d404a881305e23cad148dfe7728ebc1f494a3de729e906e05c70e

  • C:\PerfLogs\RyukReadMe.html

    MD5

    5a4a329d7f65448ea0755e462ddd218d

    SHA1

    fac326074433e0dcc2b684f1cab9e8b674f9b0cf

    SHA256

    1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

    SHA512

    63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

  • C:\RyukReadMe.html

    MD5

    5a4a329d7f65448ea0755e462ddd218d

    SHA1

    fac326074433e0dcc2b684f1cab9e8b674f9b0cf

    SHA256

    1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

    SHA512

    63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

  • C:\Users\Admin\AppData\Local\Temp\1073r.exe

    MD5

    6c0bb20e1158593211a7cbcbacb3dd83

    SHA1

    3a74a3aafde31b4f129e515baabe9833bf359f8e

    SHA256

    b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

    SHA512

    7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

  • C:\Users\Admin\AppData\Local\Temp\1073r.exe

    MD5

    6c0bb20e1158593211a7cbcbacb3dd83

    SHA1

    3a74a3aafde31b4f129e515baabe9833bf359f8e

    SHA256

    b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

    SHA512

    7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

  • C:\Users\Admin\AppData\Local\Temp\SnwZsutJClan.exe

    MD5

    6c0bb20e1158593211a7cbcbacb3dd83

    SHA1

    3a74a3aafde31b4f129e515baabe9833bf359f8e

    SHA256

    b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

    SHA512

    7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

  • C:\Users\Admin\AppData\Local\Temp\SnwZsutJClan.exe

    MD5

    6c0bb20e1158593211a7cbcbacb3dd83

    SHA1

    3a74a3aafde31b4f129e515baabe9833bf359f8e

    SHA256

    b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

    SHA512

    7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

  • C:\Users\Admin\AppData\Local\Temp\kXVfjqNeblan.exe

    MD5

    6c0bb20e1158593211a7cbcbacb3dd83

    SHA1

    3a74a3aafde31b4f129e515baabe9833bf359f8e

    SHA256

    b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

    SHA512

    7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

  • C:\Users\Admin\AppData\Local\Temp\kXVfjqNeblan.exe

    MD5

    6c0bb20e1158593211a7cbcbacb3dd83

    SHA1

    3a74a3aafde31b4f129e515baabe9833bf359f8e

    SHA256

    b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

    SHA512

    7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

  • C:\Users\RyukReadMe.html

    MD5

    5a4a329d7f65448ea0755e462ddd218d

    SHA1

    fac326074433e0dcc2b684f1cab9e8b674f9b0cf

    SHA256

    1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

    SHA512

    63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

  • C:\odt\RyukReadMe.html

    MD5

    5a4a329d7f65448ea0755e462ddd218d

    SHA1

    fac326074433e0dcc2b684f1cab9e8b674f9b0cf

    SHA256

    1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

    SHA512

    63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

  • C:\odt\config.xml.RYK

    MD5

    3cf5fb153f995486e8388ed71d1d9fa8

    SHA1

    5781584813c2a99e72e68f1c2ccdf8a8068904c8

    SHA256

    71f5c5644df6f49f416d6d5342ffcdb297a6d23d901ad1a3826134bf9f3bc9a3

    SHA512

    398a79ecce9d2435bed31bde7c6710a62b2fdb24139a78730e5fd3269a9f03bf4983049cc52b6c0b91302ae8ead1c5ad506540cd9c70bfd36cbcd16514601a20

  • memory/708-131-0x0000000000000000-mapping.dmp

  • memory/804-117-0x0000000000000000-mapping.dmp

  • memory/1108-137-0x0000000000000000-mapping.dmp

  • memory/1112-114-0x0000000000000000-mapping.dmp

  • memory/1528-123-0x0000000000000000-mapping.dmp

  • memory/1656-124-0x0000000000000000-mapping.dmp

  • memory/2164-120-0x0000000000000000-mapping.dmp

  • memory/2312-132-0x0000000000000000-mapping.dmp

  • memory/2892-138-0x0000000000000000-mapping.dmp

  • memory/4520-130-0x0000000000000000-mapping.dmp

  • memory/4588-135-0x0000000000000000-mapping.dmp

  • memory/5004-136-0x0000000000000000-mapping.dmp

  • memory/5064-133-0x0000000000000000-mapping.dmp