Analysis

  • max time kernel: 183s
  • max time network: 206s
  • platform: windows10-2004_x64
  • resource: win10v2004-en-20220112
  • submitted: 20-02-2022 04:37

General

  • Target: 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
  • Size: 119KB
  • MD5: fc5473e4320cedbb353b77955ecf2366
  • SHA1: 081a837503dfa82c177ef1229b2c00215d676442
  • SHA256: 8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd
  • SHA512: 3f378525a049557b46193b4f0b4611fbb73cac095983ac75da46f5574ba829cc51bb5c3ab6747591607e73ce89a77da0843e1c6098be7e56c7a3a5fa8578f7c1

Malware Config

Extracted

  • Path: C:\users\Public\RyukReadMe.html
  • Family: ryuk
  • Ransom Note:
    contact balance of shadow universe Ryuk $password = 'hKC4IfX'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
  • URLs: http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Executes dropped EXE (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Modifies file permissions (1 TTP, 2 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (49 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe
    "C:\Users\Admin\AppData\Local\Temp\8fe01ec7a48e40dc8292e1ee22db0e59b549c46cb3163447f920a420bfb91cdd.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Users\Admin\AppData\Local\Temp\npuePOEKgrep.exe
      "C:\Users\Admin\AppData\Local\Temp\npuePOEKgrep.exe" 9 REP
      2⤵
      • Executes dropped EXE
      PID:3352
    • C:\Users\Admin\AppData\Local\Temp\zdRavdrYslan.exe
      "C:\Users\Admin\AppData\Local\Temp\zdRavdrYslan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:408
    • C:\Users\Admin\AppData\Local\Temp\zUIamlpUklan.exe
      "C:\Users\Admin\AppData\Local\Temp\zUIamlpUklan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:3460
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:27704
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:27716
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:2588
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:19596

