Analysis
- max time kernel: 150s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 10-07-2021 10:36
Static task: static1
Behavioral task: behavioral1
  Sample: 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  Resource: win10v20210408
General
- Target: 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
- Size: 131KB
- MD5: a5e03a5150537126dffcf2391dfab934
- SHA1: 9a2155e3b5471ca8321e8c74edb277c9a8e756e0
- SHA256: 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54
- SHA512: a9e69f88ff83e6a6d15756c47bdcdc6b7af5947630e0d8e886c2d66c3c2cb4ce33c792a9475ba5d7c2bc3ab13cc25172ff10f51a9fa2852d6a6528fd4edc99f9
Malware Config
- Extracted from: C:\$Recycle.Bin\RyukReadMe.html
- Family: ryuk
- URL: http://ojaiemvqphz6dgg7gncqpdlbx2aoisftpwvrhda67uth6ncuax2ghyad.onion
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Modifies file permissions (1 TTPs, 2 IoCs)
  pid   Process
  2764  icacls.exe
  3236  icacls.exe
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\E:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\T:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\S:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\R:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\O:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\N:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\F:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\Z:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\V:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\U:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\Q:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\M:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\X:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\P:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\K:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\H:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\G:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\Y:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\W:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\L:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\J:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
  File opened (read-only)  \??\I:  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe
- Drops file in Program Files directory (64 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid  Process                                                               procid_target
  PID 624 wrote to memory of 3236  624  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe  78
  PID 624 wrote to memory of 3236  624  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe  78
  PID 624 wrote to memory of 3236  624  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe  78
  PID 624 wrote to memory of 2764  624  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe  79
  PID 624 wrote to memory of 2764  624  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe  79
  PID 624 wrote to memory of 2764  624  09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe  79
Processes
- C:\Users\Admin\AppData\Local\Temp\09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54.exe"
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 624
  - C:\Windows\SysWOW64\icacls.exe (depth 2)
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    - Modifies file permissions
    PID: 3236
  - C:\Windows\SysWOW64\icacls.exe (depth 2)
    Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    - Modifies file permissions
    PID: 2764