Overview

overview

10

Static

static

f635015423...82.exe

windows7_x64

10

f635015423...82.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    188s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-02-2022 00:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f63501542310745baa8fa2026930590cd690b53bfddb940378eca685a2c5e682.exe

  • Size

    188KB

  • MD5

    81a657edce1fc7c97e2e3367e676339f

  • SHA1

    13a1686aaaba2c46792b468ca78f6f20a3817468

  • SHA256

    f63501542310745baa8fa2026930590cd690b53bfddb940378eca685a2c5e682

  • SHA512

    2233a938fa19a39d9052a2e339b18b140d9e258a9d3394219e60c636095566647faacba4ee72d007ade4c768cdece84b373f029bb19e53b3279e99f1204ee07e

Score
10/10
ryukransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�������������������������������������������������������������������������������������������������������������������������������������������������������

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
[email protected] balance of shadow universe Ryuk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 45 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f63501542310745baa8fa2026930590cd690b53bfddb940378eca685a2c5e682.exe
    "C:\Users\Admin\AppData\Local\Temp\f63501542310745baa8fa2026930590cd690b53bfddb940378eca685a2c5e682.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Users\Admin\AppData\Local\Temp\VhocDwe.exe
      "C:\Users\Admin\AppData\Local\Temp\VhocDwe.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          4⤵
            PID:4284
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "samss" /y
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3624
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "samss" /y
            4⤵
              PID:4280
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4024
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "audioendpointbuilder" /y
            3⤵
              PID:4248
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1240
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "audioendpointbuilder" /y
              3⤵
                PID:4252
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop "samss" /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:912
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "samss" /y
                3⤵
                  PID:4272
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" stop "samss" /y
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4036
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "samss" /y
                  3⤵
                    PID:4264
              • C:\Windows\system32\MusNotifyIcon.exe
                %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
                1⤵
                • Checks processor information in registry
                PID:1004
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k NetworkService -p
                1⤵
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                PID:748

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
                MD5

                93a5aadeec082ffc1bca5aa27af70f52

                SHA1

                47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

                SHA256

                a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

                SHA512

                df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
                MD5

                1a5a69d7cb1789774945d277bd047dbe

                SHA1

                a371ee603fe3cafdeea8d91709ea23f44d25c551

                SHA256

                3db7ceb32a486e45f18490cd348c359a852dfe2a8e5d186c2f376acf46c3152a

                SHA512

                3a9ed562bc7a5d8c0045f084bee7d645b5aa6527be774bb78e37e99b4bc5d877332114c1bddfd4c3b542a76d98e4ec3c0ca04a16f5a5b62d2599b0c77273430a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\VhocDwe.exe
                MD5

                81a657edce1fc7c97e2e3367e676339f

                SHA1

                13a1686aaaba2c46792b468ca78f6f20a3817468

                SHA256

                f63501542310745baa8fa2026930590cd690b53bfddb940378eca685a2c5e682

                SHA512

                2233a938fa19a39d9052a2e339b18b140d9e258a9d3394219e60c636095566647faacba4ee72d007ade4c768cdece84b373f029bb19e53b3279e99f1204ee07e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\VhocDwe.exe
                MD5

                81a657edce1fc7c97e2e3367e676339f

                SHA1

                13a1686aaaba2c46792b468ca78f6f20a3817468

                SHA256

                f63501542310745baa8fa2026930590cd690b53bfddb940378eca685a2c5e682

                SHA512

                2233a938fa19a39d9052a2e339b18b140d9e258a9d3394219e60c636095566647faacba4ee72d007ade4c768cdece84b373f029bb19e53b3279e99f1204ee07e

                Download Submit