Overview

overview

10

Static

static

1455091954...le.exe

windows7_x64

10

1455091954...le.exe

windows10_x64

10

Analysis

  • max time kernel
    158s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-07-2021 12:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe

  • Size

    159KB

  • MD5

    cb0c1248d3899358a375888bb4e8f3fe

  • SHA1

    b72e75e9e901a44b655a5cf89cf0eadcaff46037

  • SHA256

    1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56

  • SHA512

    298668596ab422c93ebedf41bc5751941c2646df5bfaf7f374beb207bf38fa6d223186984d71ef25b2c21e068870c9c5cf11626b99350f8799fb0ebaca4a4cee

Score
10/10
ryukpersistenceransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at StevKramer@protonmail.com or StevKramer@tutanota.com BTC wallet: 1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp Ryuk
Emails

StevKramer@protonmail.com

StevKramer@tutanota.com
Wallets

1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
    1⤵
      PID:2484
    • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
      "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
      1⤵
        PID:3372
      • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
        1⤵
          PID:3384
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:3584
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:3872
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 3872 -s 836
                2⤵
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3564
            • c:\windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2756
              • c:\windows\system32\sihost.exe
                sihost.exe
                1⤵
                • Modifies extensions of user files
                • Drops startup file
                • Drops file in Program Files directory
                PID:2464
              • C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe
                "C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe"
                1⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1828
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe" /f
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3940
                  • C:\Windows\system32\reg.exe
                    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe" /f
                    3⤵
                    • Adds Run key to start application
                    PID:3464
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                1⤵
                  PID:1872

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Registry Run Keys / Startup Folder

                1
                T1060

                Privilege Escalation

                Defense Evasion

                Modify Registry

                1
                T1112

                Credential Access

                Discovery

                System Information Discovery

                1
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/2464-116-0x00007FF70FC40000-0x00007FF70FFCB000-memory.dmp
                  Filesize

                  3.5MB

                  Download
                • memory/3464-115-0x0000000000000000-mapping.dmp
                  Download
                • memory/3940-114-0x0000000000000000-mapping.dmp
                  Download