Overview

overview

10

Static

static

06a7b97d28...f4.exe

windows7_x64

1

06a7b97d28...f4.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    190s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    19-02-2022 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06a7b97d2800561df9435bf60de8e261ac8f9079b588aa1d83347e52f7a7c5f4.exe

  • Size

    193KB

  • MD5

    95fd26f6908ef7a718a4392c5c91e2c7

  • SHA1

    31d98aeca3e2d27a2882fc65fba78e31e7aaee0f

  • SHA256

    06a7b97d2800561df9435bf60de8e261ac8f9079b588aa1d83347e52f7a7c5f4

  • SHA512

    08679e973186546c87163fd93179f341a4de4f8241d937c42e4524fc1eb63e9f9f0d3381368226716fb927ea59df7975ec69b0b029038ac5eadcfdd1d001ca73

Score
10/10
ryukransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�������������������������������������������������������������������������������������������������������������������������������������������������������

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
[email protected] [email protected] balance of shadow universe Ryuk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06a7b97d2800561df9435bf60de8e261ac8f9079b588aa1d83347e52f7a7c5f4.exe
    "C:\Users\Admin\AppData\Local\Temp\06a7b97d2800561df9435bf60de8e261ac8f9079b588aa1d83347e52f7a7c5f4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Users\Admin\AppData\Local\Temp\PhaPDxf.exe
      "C:\Users\Admin\AppData\Local\Temp\PhaPDxf.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          4⤵
            PID:3036
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "samss" /y
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4056
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "samss" /y
            4⤵
              PID:4100
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2144
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "audioendpointbuilder" /y
            3⤵
              PID:3880
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2504
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "audioendpointbuilder" /y
              3⤵
                PID:4108
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop "samss" /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:832
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "samss" /y
                3⤵
                  PID:3964
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" stop "samss" /y
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:648
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "samss" /y
                  3⤵
                    PID:4116
              • C:\Windows\system32\MusNotifyIcon.exe
                %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
                1⤵
                • Checks processor information in registry
                PID:3028
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k NetworkService -p
                1⤵
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                PID:2704

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
                MD5

                93a5aadeec082ffc1bca5aa27af70f52

                SHA1

                47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

                SHA256

                a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

                SHA512

                df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\PhaPDxf.exe
                MD5

                95fd26f6908ef7a718a4392c5c91e2c7

                SHA1

                31d98aeca3e2d27a2882fc65fba78e31e7aaee0f

                SHA256

                06a7b97d2800561df9435bf60de8e261ac8f9079b588aa1d83347e52f7a7c5f4

                SHA512

                08679e973186546c87163fd93179f341a4de4f8241d937c42e4524fc1eb63e9f9f0d3381368226716fb927ea59df7975ec69b0b029038ac5eadcfdd1d001ca73

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\PhaPDxf.exe
                MD5

                95fd26f6908ef7a718a4392c5c91e2c7

                SHA1

                31d98aeca3e2d27a2882fc65fba78e31e7aaee0f

                SHA256

                06a7b97d2800561df9435bf60de8e261ac8f9079b588aa1d83347e52f7a7c5f4

                SHA512

                08679e973186546c87163fd93179f341a4de4f8241d937c42e4524fc1eb63e9f9f0d3381368226716fb927ea59df7975ec69b0b029038ac5eadcfdd1d001ca73

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
                MD5

                be46918f25b1aa58c459770d493a5b68

                SHA1

                daf0a7ac0dc43646b8da0bdc775e78287820fed5

                SHA256

                c34a56230ecb6d340795fed9f38c34e43b1faed0770bfa852ae5b1129883dec9

                SHA512

                89ae71f3058537ee1c67d4a2b1820584fe5c4698df81e6c4f9e62c638cb96e95c9c2424d1bf62b7f42cac5ebb5af507ca70aca66676ae4765864191914473342

                Download Submit