Analysis

  • max time kernel
    159s
  • max time network
    159s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:18

General

  • Target

    b02617d6947e1ef032caac0a8ecd545506723e811748d8d3eaf4f57f2848dcce.exe

  • Size

    114KB

  • MD5

    93fb851a430ba2d09281cc7a20173f4a

  • SHA1

    67a87885d9830a35ca1cb29bc8de28590c12897d

  • SHA256

    b02617d6947e1ef032caac0a8ecd545506723e811748d8d3eaf4f57f2848dcce

  • SHA512

    bbdbf6278ed9dde34d105f12b0ef298c23e3b68172fefd4dd50a451dae380f43d058e0546423044cb621bb6d3a0d60c25fd41f776efa5f53e4c9e0b11462f763

Score
10/10

Malware Config

Extracted

Path

C:\us6u8pd-readme.txt

Family

ryuk

Note: this family tag is the sandbox's automatic classification. The extracted note itself says "we are known as "Sodinokibi Ransomware"", and its "---=== Welcome. Again. ===---" template, the .onion portal and the decryptor.cc fallback site listed below are the Sodinokibi (REvil) note pattern rather than Ryuk's. Treat the label as unconfirmed and rely on the note contents, the extension and the URLs as the primary indicators.

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension us6u8pd.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
I suggest you read about us on the Internet, we are known as "Sodinokibi Ransomware". For example, this article: https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spread
Pay attention to that: "How Much Data Is Decrypted with a Ransomware Decryptor? In Q2 2019, victims who paid for a decryptor recovered 92% of their encrypted data. This statistic varied dramatically depending on the ransomware type. For example, Ryuk ransomware has a relatively low data recovery rate, at ~ 87%, while Sodinokibi was close to 100%. "
Now you have a guarantee that your files will be returned 100 %.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F4C37040BEDC255D

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/F4C37040BEDC255D

Warning: secondary website can be blocked, thats why first variant much better and more available.
If you have problem with connect, use strictly TOR version 8.5.5 link for download TOR version 8.5.5 here: https://filehippo.com/download_tor_browser_for_windows/

When you open our website, put the following data in the input form:
Key:

h7b4HL6aB9DIJFRGbProHnMsbIfJYkZmnRqv67cJvU1q0pupyAHzME+Ro2Y/oYOQ
dpQu5EbkUOttTH53AvdlBz/1N77ygjVCpOX/UjtO0kXkVJcu4+ngU0LC3rKe1/AP
rL92pELfXxDaACeDww7pg6v+5h9y+x5MIhF1bSTrIItBGIT5in1FBVZtHuH1oNKE
foQGnQ7yS668Kfi2nk/8Sp5A0RX/SnanZkk5M0s1MNyDQby6LhMN/T7QbY92//+c
c+rTx2yI/Jj4Yhlq3SMTs6lAkwakagM/eaSSVUCw/unAo0xjDJt39V8pQLru54iE
ijVA4qvUFDBnWSOLGKYIcaFVgtULrSrTkqBk2yjJhleThQekhC56vpw1SlGS47e0
FFQHYo5PaO7EZMRMCkFu9voJ4Cmxv8AcHyQDgDP+tyctNipj2z6FhQrKdxgts3rr
hcUmy2/dgP/C8MR1jwKibAfbwrKy+qys/xjpbxGpC3wE19TKS690cKvkaV3n/pPF
vDZ5+u45o/j7SnJLIQbFbTrkvaxmmUgUAEo6Z9jykJ8j4BcNVdtLDciei6m4Ed6O
tuYsIeJ8Ft+KtOarD1Cccw1iY/XFg5EjJyBBxu7/+LK/e+SxGlvSDDluSBPT3Q0P
ibKeguRbKS2ozc33mc1AzdlUaA6pT5teErUeRDJe9whhVC2nezgJqp8h8cInrG21
1Se2yWI6xz/gCoN3bX3dxM8dkv3XpHsIuSSW4T0BXnSRHXpAsdQSYA+ZS7MWuPAK
bOMpGdwsapxsR/sbm9jfrgA8p24Jf9qtxshjdsukv1yq64rNX9hEBuL/nS22eeK1
fdVbM/m/w5yIEkehmxuNYQNsgNRvyy0CK6GG8d8ZYGxiCtVnuBfN4PUEnDHaUZs9
PcJodr9lriVRVctyZHPNrtDoYcQpcIxBpQQJUxkAcolV3U+CBMZimvjyhq9hl6Rc
PQyZYbEYB6hRzKxxgNZoibTvhcuj4wZImE7i3hc2gbwZrihAA745M/CNw2bewaJ6
bms93TRoYoHWb4kHbQ3os7xkZjw7Ot6XVhmhIhWwMYYTcqZCNxPP1BIRcMphTocf
bro1YGD1BwUrNQtLcKXlAGjn9ftfxYaDwgN7dbSNfGGXs+wcEX+0OTD9ZxSH+l8w
x9b06+ooxns86z7q0EyycIlt+m/BYdWBhakn5Cf/ruOWzXhwq970NfU/L9yW7uwu
Q1gXOGGGBwciGQ9MPnVVNdCMxunzfKxx4c7yn1VeSa5Kc0cnneRKTZ0qttpyJzJg
Fg/vZXr5wh34+WYpxFafu0GV

Extension name: us6u8pd

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spread

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F4C37040BEDC255D

http://decryptor.cc/F4C37040BEDC255D

https://filehippo.com/download_tor_browser_for_windows/

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b02617d6947e1ef032caac0a8ecd545506723e811748d8d3eaf4f57f2848dcce.exe
    "C:\Users\Admin\AppData\Local\Temp\b02617d6947e1ef032caac0a8ecd545506723e811748d8d3eaf4f57f2848dcce.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64 over a UTF-16LE string; it decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which deletes every volume shadow copy through WMI so the encrypted files cannot be rolled back from VSS snapshots)
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3764
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:656
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3464

  These two are Windows components, not dropped files, and they appear as a side effect of the PowerShell child: unsecapp.exe is the WMI callback sink that DCOM launches (hence -Embedding) when a WMI client connects, and vssvc.exe is the Volume Shadow Copy service, which starts when shadow copies are enumerated or deleted. Seeing vssvc.exe start shortly after a powershell.exe or vssadmin.exe child of an unknown binary is itself a useful hunting signal.
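The process tree above carries the only executable evidence of the VSS tampering, and it is hidden inside an encoded PowerShell argument. The following is an added example, not part of the sandbox report, showing how to decode such an argument programmatically and turn it into a detection: -EncodedCommand is base64 over the UTF-16LE bytes of the script, so a UTF-8 decode yields NUL-interleaved garbage, and the `-e` flag is only one of several accepted spellings. Only the base64 string is taken from the report; the function names, regular expressions and the extra sample command lines are this example's own assumptions.

```python
"""Added example (not part of the sandbox report): decode the PowerShell
-EncodedCommand argument seen in the process tree and flag it if it deletes
volume shadow copies. The base64 string is copied from the report; helper
names, regexes and the extra sample command lines are this example's own."""
import base64
import re
from typing import Optional

# The -e payload from the report's process tree (PID 3764), verbatim.
ENCODED_CMD = (
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBw"
    "AHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQA"
    "ZQAoACkAOwB9AA=="
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the
# common forms are -e, -ec, -en, -enc and the full name (case-insensitive).
_ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Common ways ransomware removes VSS restore points (assumed patterns,
# not taken from the report).
_SHADOW_DELETE = [
    re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.IGNORECASE | re.DOTALL),
    re.compile(r"win32_shadowcopy.*remove-(?:wmiobject|ciminstance)",
               re.IGNORECASE | re.DOTALL),
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 blob passed to -EncodedCommand, or None."""
    m = _ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 of the script's UTF-16LE bytes. Missing '='
    padding (common in hand-built loaders) is restored before decoding."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def deletes_shadow_copies(script: str) -> bool:
    """True if the script matches a known shadow-copy deletion idiom."""
    return any(p.search(script) for p in _SHADOW_DELETE)


def triage_process(cmdline: str) -> dict:
    """Decode one command line (if it carries an encoded command) and
    report whether it is a shadow-copy deletion."""
    blob = extract_encoded_argument(cmdline)
    script = decode_encoded_command(blob) if blob else cmdline
    return {
        "encoded": blob is not None,
        "script": script,
        "shadow_copy_deletion": deletes_shadow_copies(script),
    }


# Constructed sample: the first entry is the report's PID 3764 command line;
# the other two are added here for contrast (one benign, one plain-text VSS
# deletion as seen in other ransomware families).
SAMPLE_CMDLINES = [
    "powershell -e " + ENCODED_CMD,
    'powershell -ExecutionPolicy Bypass -Command "Get-Process"',
    "vssadmin.exe Delete Shadows /All /Quiet",
]


def triage_all(cmdlines=SAMPLE_CMDLINES) -> list:
    """Command lines that should be escalated as VSS tampering."""
    return [c for c in cmdlines if triage_process(c)["shadow_copy_deletion"]]


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        r = triage_process(c)
        tag = "ALERT" if r["shadow_copy_deletion"] else "ok   "
        print(tag, r["script"])
```

Running the script prints the decoded `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}` line flagged as an alert, the `Get-Process` line as benign, and the `vssadmin` line as an alert. In a real pipeline the same `triage_process` call would run over Sysmon Event ID 1 or EDR process-creation records rather than the embedded list; the decode step matters because a string match on the raw command line would never see "Shadowcopy".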

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3764-119-0x00000229F8870000-0x00000229F8920000-memory.dmp

    Filesize

    704KB

  • memory/3764-121-0x00000229F8F90000-0x00000229F8FB2000-memory.dmp

    Filesize

    136KB

  • memory/3764-120-0x00000229F8870000-0x00000229F8920000-memory.dmp

    Filesize

    704KB

  • memory/3764-124-0x00000229F9140000-0x00000229F91B6000-memory.dmp

    Filesize

    472KB