Overview

overview

10

Static

static

9513433ce6...16.exe

windows7_x64

10

9513433ce6...16.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    185s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-02-2022 04:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe

  • Size

    121KB

  • MD5

    a846277644734a79f5367050e39508dd

  • SHA1

    cecc43a1fab79846fb2a1790a95ac6a4c5d66579

  • SHA256

    9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316

  • SHA512

    92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47

Score
10/10
ryukdiscoveryransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 50 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
    "C:\Users\Admin\AppData\Local\Temp\9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Admin\AppData\Local\Temp\GaXXfGGstrep.exe
      "C:\Users\Admin\AppData\Local\Temp\GaXXfGGstrep.exe" 9 REP
      2⤵
      • Executes dropped EXE
      PID:3352
    • C:\Users\Admin\AppData\Local\Temp\MZVdYWAsnlan.exe
      "C:\Users\Admin\AppData\Local\Temp\MZVdYWAsnlan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2976
    • C:\Users\Admin\AppData\Local\Temp\EJrHskmnslan.exe
      "C:\Users\Admin\AppData\Local\Temp\EJrHskmnslan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:3912
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:22776
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:23912
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:1816
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2556
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:14528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1
T1222

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\RyukReadMe.html
    MD5

    56c83e67197423d78c596861e82493a3

    SHA1

    0905d3a60afc6dcb442761479f0cb967fb3ab7b8

    SHA256

    1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e

    SHA512

    4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056

    Download Submit
  • C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\RyukReadMe.html
    MD5

    56c83e67197423d78c596861e82493a3

    SHA1

    0905d3a60afc6dcb442761479f0cb967fb3ab7b8

    SHA256

    1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e

    SHA512

    4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056

    Download Submit
  • C:\DumpStack.log.tmp.RYK
    MD5

    5d670018a6eda9904c64bfa1c0878a38

    SHA1

    68e7a12e71388661888d2ee95979feb79e108eff

    SHA256

    70ed3b1007ea64181ceef859ff9d7f2699c8874f8de430a54be3015fe593bb9f

    SHA512

    9f7ed99a8c747b0533d0f573a65c327f9f97e229df3e5578abd239ebf112497126b67ebafafba710c293dc5b65ea31ec00d8dfb2a1b0d5e1a1b055ee55a2ceef

    Download Submit
  • C:\PerfLogs\RyukReadMe.html
    MD5

    56c83e67197423d78c596861e82493a3

    SHA1

    0905d3a60afc6dcb442761479f0cb967fb3ab7b8

    SHA256

    1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e

    SHA512

    4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056

    Download Submit
  • C:\ProgramData\USOShared\Logs\User\NotifyIcon.a9a32fd3-7ea9-4900-b975-017ab8f34ce8.1.etl
    MD5

    a7e393fceede2bf2ad7f4282c94a6ba9

    SHA1

    e2ceb7ecd3f28cd307b3a50f67e7793626fcdfb1

    SHA256

    5db8f6b750b44026299ec49979c01bb017d146b728f4b7a4de3cd4bbf170e05a

    SHA512

    a9fbaa1780abab83f8d867a91c0f49bef9270270a50b74cf00007f572a82e17c87f76915d36cacf5031e64f258cede617484e56dea3252fdb45c3b0e30d78460

    Download Submit
  • C:\RyukReadMe.html
    MD5

    56c83e67197423d78c596861e82493a3

    SHA1

    0905d3a60afc6dcb442761479f0cb967fb3ab7b8

    SHA256

    1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e

    SHA512

    4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\EJrHskmnslan.exe
    MD5

    a846277644734a79f5367050e39508dd

    SHA1

    cecc43a1fab79846fb2a1790a95ac6a4c5d66579

    SHA256

    9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316

    SHA512

    92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\EJrHskmnslan.exe
    MD5

    a846277644734a79f5367050e39508dd

    SHA1

    cecc43a1fab79846fb2a1790a95ac6a4c5d66579

    SHA256

    9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316

    SHA512

    92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\GaXXfGGstrep.exe
    MD5

    a846277644734a79f5367050e39508dd

    SHA1

    cecc43a1fab79846fb2a1790a95ac6a4c5d66579

    SHA256

    9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316

    SHA512

    92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\GaXXfGGstrep.exe
    MD5

    a846277644734a79f5367050e39508dd

    SHA1

    cecc43a1fab79846fb2a1790a95ac6a4c5d66579

    SHA256

    9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316

    SHA512

    92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MZVdYWAsnlan.exe
    MD5

    a846277644734a79f5367050e39508dd

    SHA1

    cecc43a1fab79846fb2a1790a95ac6a4c5d66579

    SHA256

    9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316

    SHA512

    92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MZVdYWAsnlan.exe
    MD5

    a846277644734a79f5367050e39508dd

    SHA1

    cecc43a1fab79846fb2a1790a95ac6a4c5d66579

    SHA256

    9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316

    SHA512

    92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47

    Download Submit
  • C:\Users\RyukReadMe.html
    MD5

    56c83e67197423d78c596861e82493a3

    SHA1

    0905d3a60afc6dcb442761479f0cb967fb3ab7b8

    SHA256

    1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e

    SHA512

    4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056

    Download Submit
  • C:\odt\RyukReadMe.html
    MD5

    56c83e67197423d78c596861e82493a3

    SHA1

    0905d3a60afc6dcb442761479f0cb967fb3ab7b8

    SHA256

    1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e

    SHA512

    4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056

    Download Submit
  • C:\odt\config.xml.RYK
    MD5

    1c495e2c3469b7132c533aae84a1ad3a

    SHA1

    7ab3a30a1c228918370aa2fe74e5ce93663f3fcb

    SHA256

    80bac6ad62c0893c36f4c2ce5963f4e1331ab769975c2e6d11787d3c5ac7f2a0

    SHA512

    0769d4078a164d727c9c7ae2bc064d4ee83f136b594064563dbbdce88f5e12efa22b4bef309e74f84f827d07515c12ec4394727f1c9f1eef292c8c0b4af93d1f

    Download Submit
  • C:\users\Public\RyukReadMe.html
    MD5

    56c83e67197423d78c596861e82493a3

    SHA1

    0905d3a60afc6dcb442761479f0cb967fb3ab7b8

    SHA256

    1441d28792036d4606b8a2a7a23bfcdbefe0dbe798f73fa195c0d6178ef11b1e

    SHA512

    4881a7e924892bb95c6500cafc320573099647fd1f80176d12902d0ce26f278f328a6a8eaf1cf18b99e98745887886b362f860076ebf94e93555a3c7ebfdf056

    Download Submit