Overview

overview

10

Static

static

ab5b885396...5f.exe

windows7_x64

10

ab5b885396...5f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    204s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20-02-2022 03:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f.exe

  • Size

    168KB

  • MD5

    8ebc7a62a10f80deba528943af806064

  • SHA1

    03ded58db9c70793fe4ef1837078ff2780358efb

  • SHA256

    ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f

  • SHA512

    ff00db4bee7997a561ec8a2281299191f9012e361ad4f593c9706bf43d7f97466bcf1de3da2674fa42b3cd8091ad3a680c915392ae9f595363214c78ef1862a2

Score
10/10
ryukransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�������������������������������������������������������������������������������������������������������������������������������������������������������

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f.exe
    "C:\Users\Admin\AppData\Local\Temp\ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:668
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
          PID:2168
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "samss" /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "samss" /y
          3⤵
            PID:2708
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "samss" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:8572
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "samss" /y
            3⤵
              PID:8596
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" stop "samss" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:8632
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "samss" /y
              3⤵
                PID:8656

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/668-54-0x0000000076451000-0x0000000076453000-memory.dmp

            Filesize

            8KB

            Download