Analysis

  • max time kernel
    160s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20-02-2022 05:30

General

  • Target

    7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

  • Size

    171KB

  • MD5

    d92a64dce52edbbf70f9a5ebd25600be

  • SHA1

    7e0a7323d4ba0454e6d54c4746dbac8373af9d0d

  • SHA256

    7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841

  • SHA512

    a629f2c4e38b4ee3a357f24da3f5e5310081bb46617f5e67a634e6308ce946860701879a114852eb2dc30d7d5696bcf01df9715cd3f689c2b19f879701600471

Score
10/10

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�������������������������������������������������������������������������������������������������������������������������������������������������������

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Drops desktop.ini file(s) 47 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1176
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1108
      • C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
        "C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe"
        1⤵
        • Drops desktop.ini file(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1092
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "audioendpointbuilder" /y
            3⤵
              PID:1652
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" stop "samss" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1136
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "samss" /y
              3⤵
                PID:624
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1804
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                3⤵
                  PID:1068
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" stop "samss" /y
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2096
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "samss" /y
                  3⤵
                    PID:2208
                • C:\Windows\SysWOW64\net.exe
                  "C:\Windows\System32\net.exe" stop "samss" /y
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:18428
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "samss" /y
                    3⤵
                      PID:18456
                  • C:\Windows\SysWOW64\net.exe
                    "C:\Windows\System32\net.exe" stop "samss" /y
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:18468
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "samss" /y
                      3⤵
                        PID:18496
                    • C:\Windows\SysWOW64\net.exe
                      "C:\Windows\System32\net.exe" stop "samss" /y
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:18540
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop "samss" /y
                        3⤵
                          PID:18564
                      • C:\Windows\SysWOW64\net.exe
                        "C:\Windows\System32\net.exe" stop "samss" /y
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:18584
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop "samss" /y
                          3⤵
                            PID:18608

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/960-54-0x0000000076151000-0x0000000076153000-memory.dmp

                        Filesize

                        8KB

                      • memory/1108-55-0x0000000030000000-0x000000003038A000-memory.dmp

                        Filesize

                        3.5MB