Overview

overview

10

Static

static

b7dbb846d3...32.exe

windows7_x64

10

b7dbb846d3...32.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    193s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-02-2022 02:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

  • Size

    168KB

  • MD5

    26ffd8020e1ce334c259ff92457c8d66

  • SHA1

    c62df79f5e481720ecd3d835d476f246759e6149

  • SHA256

    b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32

  • SHA512

    9731d30073c293f20d50f9202c1b5266bbd13f6a2c77794b0e5fbb3765a01bd807a327063edf36533c880b0da4d57e4b8d99518e34f559453f83889ec21f6de5

Score
10/10
ryukransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�������������������������������������������������������������������������������������������������������������������������������������������������������

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3424
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3708
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
          PID:3508
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:3348
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:3260
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
              1⤵
                PID:1324
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:392
                • C:\Users\Admin\AppData\Local\Temp\b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
                  "C:\Users\Admin\AppData\Local\Temp\b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe"
                  1⤵
                  • Checks computer location settings
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4904
                  • C:\Windows\SysWOW64\net.exe
                    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2784
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                      3⤵
                        PID:3916
                    • C:\Windows\SysWOW64\net.exe
                      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1272
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                        3⤵
                          PID:2412
                      • C:\Windows\SysWOW64\net.exe
                        "C:\Windows\System32\net.exe" stop "samss" /y
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4452
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop "samss" /y
                          3⤵
                            PID:1704
                        • C:\Windows\SysWOW64\net.exe
                          "C:\Windows\System32\net.exe" stop "samss" /y
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4752
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop "samss" /y
                            3⤵
                              PID:860
                        • C:\Windows\System32\RuntimeBroker.exe
                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                          1⤵
                            PID:3660
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                            1⤵
                              PID:2972
                            • C:\Windows\system32\taskhostw.exe
                              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                              1⤵
                                PID:2432
                              • C:\Windows\system32\sihost.exe
                                sihost.exe
                                1⤵
                                  PID:2344
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                  1⤵
                                    PID:2336

                                  Network

                                  MITRE ATT&CK Enterprise v6

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads