Analysis

  • max time kernel
    177s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20-02-2022 05:20

General

  • Target

    7e02efaf98a1343c6a41a9e084c62567f99386a4046f68a658a8d667c3834305.exe

  • Size

    170KB

  • MD5

    ad6320f406222e3b6d6e717146370472

  • SHA1

    74fd06ff2b99d7df9044b4ea04312ffcb76e6e67

  • SHA256

    7e02efaf98a1343c6a41a9e084c62567f99386a4046f68a658a8d667c3834305

  • SHA512

    38e15da45d188ca86872780754c26efc89610e8adf14a88e2271af7226f01757e085ce2938a4ea5f1439453cbf5cb7091ce3a21e36488159f82ca4f2b64989d5

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Emails

WayneEvenson@protonmail.com

WayneEvenson@tutanota.com

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Drops file in Program Files directory
    PID:1108
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1176
    • C:\Users\Admin\AppData\Local\Temp\7e02efaf98a1343c6a41a9e084c62567f99386a4046f68a658a8d667c3834305.exe
      "C:\Users\Admin\AppData\Local\Temp\7e02efaf98a1343c6a41a9e084c62567f99386a4046f68a658a8d667c3834305.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7e02efaf98a1343c6a41a9e084c62567f99386a4046f68a658a8d667c3834305.exe" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:468
        • C:\Windows\system32\reg.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7e02efaf98a1343c6a41a9e084c62567f99386a4046f68a658a8d667c3834305.exe" /f
          3⤵
          • Adds Run key to start application
          PID:1616

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1108-55-0x000000013FEB0000-0x000000014023E000-memory.dmp

      Filesize

      3.6MB

    • memory/1108-57-0x000000013FEB0000-0x000000014023E000-memory.dmp

      Filesize

      3.6MB

    • memory/1452-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

      Filesize

      8KB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.