Analysis
  max time kernel: 127s
  max time network: 46s
  platform: windows7_x64
  resource: win7v20210410
  submitted: 10-07-2021 10:36

Static task: static1

Behavioral task: behavioral1
  Sample: 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  Resource: win10v20210408

General
  Target: 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  Size: 131KB
  MD5: a5e03a5150537126dffcf2391dfab934
  SHA1: 9a2155e3b5471ca8321e8c74edb277c9a8e756e0
  SHA256: 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54
  SHA512: a9e69f88ff83e6a6d15756c47bdcdc6b7af5947630e0d8e886c2d66c3c2cb4ce33c792a9475ba5d7c2bc3ab13cc25172ff10f51a9fa2852d6a6528fd4edc99f9
Malware Config
  Extracted from: C:\$Recycle.Bin\RyukReadMe.html
  Family: ryuk
  URL: http://ojaiemvqphz6dgg7gncqpdlbx2aoisftpwvrhda67uth6ncuax2ghyad.onion
Signatures

Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.

Modifies file permissions (1 TTPs, 2 IoCs)
  pid  | Process
  1584 | icacls.exe
  1660 | icacls.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc    | Process
  File opened (read-only) | \??\R: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\G: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\F: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\X: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\W: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\U: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\Q: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\K: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\E: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\V: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\P: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\L: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\I: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\H: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\J: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\Z: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\Y: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\T: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\S: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\O: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\N: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only) | \??\M: | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
Drops file in Program Files directory (64 IoCs)
  description                  | ioc                                                                              | Process
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.html        | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt                                            | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hy.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.html        | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\RyukReadMe.html        | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\RyukReadMe.html              | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi        | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt                                              | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui        | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\br.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\RyukReadMe.html | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi             | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\be.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt                                              | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt                                             | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\readme.txt                                                | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui        | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt                                           | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt                                           | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi            | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\an.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\RyukReadMe.html                                    | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\License.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml      | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\es.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\co.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\ClearPublish.zip                                                | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\de.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\si.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui  | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\RyukReadMe.html        | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui         | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi      | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\History.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt                                               | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                      | pid  | Process                                                              | procid_target
  PID 1088 wrote to memory of 1584 | 1088 | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe | 29
  PID 1088 wrote to memory of 1584 | 1088 | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe | 29
  PID 1088 wrote to memory of 1584 | 1088 | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe | 29
  PID 1088 wrote to memory of 1584 | 1088 | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe | 29
  PID 1088 wrote to memory of 1660 | 1088 | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe | 30
  PID 1088 wrote to memory of 1660 | 1088 | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe | 30
  PID 1088 wrote to memory of 1660 | 1088 | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe | 30
  PID 1088 wrote to memory of 1660 | 1088 | 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe"
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 1088

  C:\Windows\SysWOW64\icacls.exe (child of PID 1088)
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    - Modifies file permissions
    PID: 1584

  C:\Windows\SysWOW64\icacls.exe (child of PID 1088)
    Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    - Modifies file permissions
    PID: 1660