Analysis Overview
SHA256
81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013
Threat Level: Known bad
The file 81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:11
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 05:11
Reported
2022-02-20 05:58
Platform
win10v2004-en-20220113
Max time kernel
178s
Max time network
232s
Command Line
Signatures
Enumerates physical storage devices
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe | "C:\Users\Admin\AppData\Local\Temp\81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 93.184.220.29:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:11
Reported
2022-02-20 05:57
Platform
win7-en-20211208
Max time kernel
201s
Max time network
98s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ynDiTTz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ynDiTTz.exe |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ynDiTTz.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe | "C:\Users\Admin\AppData\Local\Temp\81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe" |
| C:\Users\Admin\AppData\Local\Temp\ynDiTTz.exe | "C:\Users\Admin\AppData\Local\Temp\ynDiTTz.exe" 8 LAN |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "audioendpointbuilder" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 12828 |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" stop "samss" /y |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "samss" /y |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.51:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
Files
memory/672-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
\Users\Admin\AppData\Local\Temp\ynDiTTz.exe (also recorded as C:\Users\Admin\AppData\Local\Temp\ynDiTTz.exe; same hashes as the submitted sample)
| Hash | Value |
|---|---|
| MD5 | 567cf2eec7a754e6ac98f0f738418caa |
| SHA1 | 70a1b782865156a338894e9466f951143927703f |
| SHA256 | 81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013 |
| SHA512 | 867b233c1a83ec8c46479b30e3dc37f5c306d33ec2804622e43be7cc9f45afa4a2873e4eff72f36353db68a3c12281dd11f2030b36b421fef145aa71136a0b88 |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
| Hash | Value |
|---|---|
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
| Hash | Value |
|---|---|
| MD5 | be46918f25b1aa58c459770d493a5b68 |
| SHA1 | daf0a7ac0dc43646b8da0bdc775e78287820fed5 |
| SHA256 | c34a56230ecb6d340795fed9f38c34e43b1faed0770bfa852ae5b1129883dec9 |
| SHA512 | 89ae71f3058537ee1c67d4a2b1820584fe5c4698df81e6c4f9e62c638cb96e95c9c2424d1bf62b7f42cac5ebb5af507ca70aca66676ae4765864191914473342 |
memory/1120-61-0x0000000002690000-0x00000000026B9000-memory.dmp
memory/1120-62-0x00000000026C0000-0x00000000026D4000-memory.dmp
memory/1120-65-0x0000000002720000-0x000000000272B000-memory.dmp
memory/15488-71-0x00000000006F0000-0x00000000006F1000-memory.dmp