Analysis
-
max time kernel
164s -
max time network
151s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
20-02-2022 00:48
General
-
Target
e99e1b24c8e93ac03721a34f2e2ecfffb11ff247d8a2bdb8c0234e41a122be39.exe
-
Size
170KB
-
MD5
b8ebb6a557b474929505f647ebce05d6
-
SHA1
8b45c835225766c631224fb5c49259fcc12d898f
-
SHA256
e99e1b24c8e93ac03721a34f2e2ecfffb11ff247d8a2bdb8c0234e41a122be39
-
SHA512
aa9ee807e94763911cccbf456aa98fb230dfd6fc5ab08e5384b5c018478fcfb8063b4632e937a194777104e76deb113508ec44533fe6d122f8d2b3306b7515fa
Score
10/10
Malware Config
Extracted
Path
C:\RyukReadMe.txt
Family
ryuk
Ransom Note
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
[email protected]
or
[email protected]
BTC wallet:
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Ryuk
No system is safe
Wallets
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\e99e1b24c8e93ac03721a34f2e2ecfffb11ff247d8a2bdb8c0234e41a122be39.exe"C:\Users\Admin\AppData\Local\Temp\e99e1b24c8e93ac03721a34f2e2ecfffb11ff247d8a2bdb8c0234e41a122be39.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e99e1b24c8e93ac03721a34f2e2ecfffb11ff247d8a2bdb8c0234e41a122be39.exe" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e99e1b24c8e93ac03721a34f2e2ecfffb11ff247d8a2bdb8c0234e41a122be39.exe" /f3⤵
- Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/520-60-0x000000013F920000-0x000000013FCAE000-memory.dmpFilesize
3.6MB
-
memory/956-55-0x000007FEFC241000-0x000007FEFC243000-memory.dmpFilesize
8KB
-
memory/1212-56-0x000000013F920000-0x000000013FCAE000-memory.dmpFilesize
3.6MB
-
memory/1212-58-0x000000013F920000-0x000000013FCAE000-memory.dmpFilesize
3.6MB