Overview

overview

10

Static

static

9fe66773c8...17.exe

windows7_x64

10

9fe66773c8...17.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    172s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20-02-2022 03:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe

  • Size

    130KB

  • MD5

    aef8a240881322a88d3dafcfdb19ed8a

  • SHA1

    29abad9d694a43dafa56e589b07d007128f3063b

  • SHA256

    9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17

  • SHA512

    2a27de732fa573181aa2141edfca463324f60905ecc56702b6564d05dd7bf02d06201d4c71edb989ff89172016e254302752ae5ec5ab300176db569716c89268

Score
10/10
ryukransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Drops desktop.ini file(s) 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1140
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe
      "C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe"
      2⤵
      • Drops desktop.ini file(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:976
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1252

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1140-56-0x000000013F040000-0x000000013F3C3000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/1140-54-0x000000013F040000-0x000000013F3C3000-memory.dmp

      Filesize

      3.5MB

      Download