Analysis Overview
SHA256
ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f
Threat Level: Known bad
The file ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f was found to be: Known bad.
Malicious Activity Summary
Ryuk
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 03:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 03:26
Reported
2022-02-20 03:56
Platform
win7-en-20211208
Max time kernel
204s
Max time network
28s
Command Line
Signatures
Ryuk
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f.exe
"C:\Users\Admin\AppData\Local\Temp\ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f.exe"
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
Files
memory/668-54-0x0000000076451000-0x0000000076453000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 03:26
Reported
2022-02-20 03:56
Platform
win10v2004-en-20220113
Max time kernel
200s
Max time network
225s
Command Line
Signatures
Ryuk
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f.exe
"C:\Users\Admin\AppData\Local\Temp\ab5b8853961dbd4013c2fb44403eba2ac32abfbf4f65e2d32d83c5c642591e5f.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| NL | 52.178.17.2:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 72.21.81.240:80 | tcp | |
| US | 72.21.81.240:80 | tcp | |
| US | 52.252.42.28:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |