Analysis
-
max time kernel
176s -
max time network
37s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
19-02-2022 08:30
General
-
Target
094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe
-
Size
170KB
-
MD5
00f926cd4948652e3a80c3994e4ec8be
-
SHA1
61bf4f8d8f9826b70bf730d4f84a584ee199325f
-
SHA256
094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c
-
SHA512
d53edde17520f1512aa84dc1bf9d93c456c9cd037edb69c7f34dbbb4d9cad6a952b3a883c518ae70959b7285c930bd7b96b4939156e3e996ce2fad1a8d3fb51b
Score
10/10
Malware Config
Extracted
Path
C:\RyukReadMe.txt
Family
ryuk
Ransom Note
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
[email protected]
or
[email protected]
BTC wallet:
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Ryuk
No system is safe
Wallets
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe"C:\Users\Admin\AppData\Local\Temp\094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe" /f3⤵
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/676-60-0x000000013F840000-0x000000013FBCE000-memory.dmpFilesize
3.6MB
-
memory/1144-55-0x000000013F840000-0x000000013FBCE000-memory.dmpFilesize
3.6MB
-
memory/1144-56-0x000000013F840000-0x000000013FBCE000-memory.dmpFilesize
3.6MB
-
memory/1236-59-0x000000013F840000-0x000000013FBCE000-memory.dmpFilesize
3.6MB
-
memory/1364-54-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmpFilesize
8KB