Overview

overview

10

Static

static

7c1e0597dd...20.exe

windows7_x64

10

7c1e0597dd...20.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    192s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-02-2022 05:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe

  • Size

    126KB

  • MD5

    fca20e17ce8c0c3f3c78d82c953472ed

  • SHA1

    c8ecc9b34184e7e1c15b4ed49fb838e7882dbfc6

  • SHA256

    7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20

  • SHA512

    5a38ab6f0401c57e0ab1a0f889fe4db8b3fbeda0abbbb87d21da870de604615446a83f6b156ecb36d9101072d429ce7589439916404bc2e76b751847b8947152

Score
10/10
ryukransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 45 IoCs
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2948
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of UnmapMainImage
    PID:2932
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3372
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:2172
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
          PID:3024
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2816
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2816 -s 2944
            2⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            PID:4508
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2712 -s 880
            2⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            PID:2912
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
          1⤵
            PID:2528
          • C:\Windows\Explorer.EXE
            C:\Windows\Explorer.EXE
            1⤵
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2412
            • C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
              "C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe"
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4044
          • C:\Windows\system32\taskhostw.exe
            taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
            1⤵
              PID:2276
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k UnistackSvcGroup
              1⤵
                PID:2224
              • C:\Windows\system32\sihost.exe
                sihost.exe
                1⤵
                • Drops desktop.ini file(s)
                • Suspicious use of AdjustPrivilegeToken
                PID:2204
              • C:\Windows\system32\backgroundTaskHost.exe
                "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
                1⤵
                  PID:3760
                • C:\Windows\system32\MusNotifyIcon.exe
                  %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
                  1⤵
                    PID:3508
                  • C:\Windows\system32\BackgroundTransferHost.exe
                    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                    1⤵
                      PID:2984
                    • C:\Windows\system32\backgroundTaskHost.exe
                      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                      1⤵
                        PID:2676
                      • C:\Windows\system32\WerFault.exe
                        C:\Windows\system32\WerFault.exe -pss -s 444 -p 2816 -ip 2816
                        1⤵
                        • Suspicious use of NtCreateProcessExOtherParentProcess
                        • Suspicious use of WriteProcessMemory
                        PID:5072
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k NetworkService -p
                        1⤵
                        • Drops file in Windows directory
                        • Modifies data under HKEY_USERS
                        PID:4572

                      Network

                      MITRE ATT&CK Matrix

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/2204-130-0x00007FF7C2FF0000-0x00007FF7C3372000-memory.dmp

                        Filesize

                        3.5MB

                        Download

                      • memory/2224-131-0x00007FF7C2FF0000-0x00007FF7C3372000-memory.dmp

                        Filesize

                        3.5MB

                        Download

                      • memory/2412-132-0x00007FF7C2FF0000-0x00007FF7C3372000-memory.dmp

                        Filesize

                        3.5MB

                        Download