Overview

overview

10

Static

static

data.exe

windows10_x64

10

Analysis

  • max time kernel
    558s
  • max time network
    712s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    15-10-2021 15:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    data.exe

  • Size

    139KB

  • MD5

    8555b213260ba5eda4bf37652cecb431

  • SHA1

    80bd92b996fce311b52aa791a8ace4b20f8fb7ab

  • SHA256

    781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

  • SHA512

    0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Score
10/10
ryukdiscoveryransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'TLS7ST8vlU'; $torlink = 'http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\data.exe
    "C:\Users\Admin\AppData\Local\Temp\data.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Users\Admin\AppData\Local\Temp\uYqbbdGJRrep.exe
      "C:\Users\Admin\AppData\Local\Temp\uYqbbdGJRrep.exe" 9 REP
      2⤵
      • Executes dropped EXE
      PID:4020
    • C:\Users\Admin\AppData\Local\Temp\BYPekEqVilan.exe
      "C:\Users\Admin\AppData\Local\Temp\BYPekEqVilan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2092
    • C:\Users\Admin\AppData\Local\Temp\nMTATJWcmlan.exe
      "C:\Users\Admin\AppData\Local\Temp\nMTATJWcmlan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:1932
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 11816
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:174752
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:2124
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:2160
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
          PID:3952
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          3⤵
            PID:1528
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "samss" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2204
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "samss" /y
            3⤵
              PID:2712
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" stop "samss" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:60
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "samss" /y
              3⤵
                PID:2320
            • C:\Windows\SysWOW64\SCHTASKS.exe
              SCHTASKS /CREATE /NP /SC DAILY /TN "PrintBM" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\hYY0I.dll" /ST 10:25 /SD 10/16/2021 /ED 10/23/2021
              2⤵
              • Creates scheduled task(s)
              PID:2712
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop "samss" /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:15256
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "samss" /y
                3⤵
                  PID:15232
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" stop "samss" /y
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:15292
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "samss" /y
                  3⤵
                    PID:15252
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 57616
                  2⤵
                  • Suspicious use of NtCreateProcessExOtherParentProcess
                  • Program crash
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  PID:96096
              • C:\Windows\System32\rundll32.exe
                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                1⤵
                  PID:1332
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k SDRSVC
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2780
                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                  1⤵
                  • Drops file in Windows directory
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:182748
                • C:\Windows\system32\browser_broker.exe
                  C:\Windows\system32\browser_broker.exe -Embedding
                  1⤵
                  • Modifies Internet Explorer settings
                  PID:182804
                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                  1⤵
                  • Modifies registry class
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:182584
                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                  1⤵
                  • Drops file in Windows directory
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  PID:182552
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:6952
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    2⤵
                    • Checks processor information in registry
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    PID:17936
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.0.433345678\1333152240" -parentBuildID 20200403170909 -prefsHandle 1472 -prefMapHandle 1464 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 1596 gpu
                      3⤵
                        PID:15192
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.3.1503705078\586818802" -childID 1 -isForBrowser -prefsHandle 2160 -prefMapHandle 1460 -prefsLen 122 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 2172 tab
                        3⤵
                          PID:16712
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.13.189712722\1476030173" -childID 2 -isForBrowser -prefsHandle 3268 -prefMapHandle 3216 -prefsLen 6979 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 3276 tab
                          3⤵
                            PID:34732
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.20.440649834\1706159610" -childID 3 -isForBrowser -prefsHandle 4608 -prefMapHandle 4548 -prefsLen 7985 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 4492 tab
                            3⤵
                              PID:57472
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.27.1557691482\379902066" -childID 4 -isForBrowser -prefsHandle 3524 -prefMapHandle 4120 -prefsLen 8808 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 4072 tab
                              3⤵
                                PID:203568
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.34.1387846808\1011200256" -childID 5 -isForBrowser -prefsHandle 3068 -prefMapHandle 4784 -prefsLen 8817 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 3056 tab
                                3⤵
                                  PID:203356
                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                              1⤵
                              • Drops file in Windows directory
                              • Modifies registry class
                              • Suspicious use of SetWindowsHookEx
                              PID:197988
                            • C:\Windows\system32\browser_broker.exe
                              C:\Windows\system32\browser_broker.exe -Embedding
                              1⤵
                              • Modifies Internet Explorer settings
                              PID:198048
                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                              1⤵
                              • Modifies registry class
                              • Suspicious behavior: MapViewOfSection
                              • Suspicious use of SetWindowsHookEx
                              PID:199164
                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                              1⤵
                              • Drops file in Windows directory
                              • Modifies registry class
                              PID:199256

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/197988-197-0x000001793B020000-0x000001793B030000-memory.dmp

                              Filesize

                              64KB

                              Download