Overview

overview

10

Static

static

80bb8c391d...05.exe

windows7_x64

10

80bb8c391d...05.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    175s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20-02-2022 05:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe

  • Size

    203KB

  • MD5

    8431a207fab74137df795fb46732544c

  • SHA1

    abb80c03d3aa69ac38f62a447636b0fc1bf21d45

  • SHA256

    80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05

  • SHA512

    98971c7ff9154482a53c05e725cea25f873ed88d6ac721e943bad35183ad070788f28da22ec2f8ee5fb38b862664a37c15b97bffcb5567d54c6476b1abef39db

Score
10/10
ryukpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�������������������������������������������������������������������������������������������������������������������������������������������������������

Extracted

Path

C:\Documents and Settings\RyukReadMe.html

Family

ryuk

Ransom Note
[email protected] [email protected] balance of shadow universe Ryuk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1172
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:308
        • C:\Windows\system32\reg.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
          3⤵
          • Adds Run key to start application
          PID:2256
      • C:\Windows\System32\net.exe
        "C:\Windows\System32\net.exe" stop "samss" /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "samss" /y
          3⤵
            PID:1792
        • C:\Windows\System32\net.exe
          "C:\Windows\System32\net.exe" stop "samss" /y
          2⤵
            PID:97520
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop "samss" /y
              3⤵
                PID:99652
          • C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe
            "C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe"
            1⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1528
            • C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe
              "C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe" 8 LAN
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:820
              • C:\Windows\System32\net.exe
                "C:\Windows\System32\net.exe" stop "samss" /y
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:756
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop "samss" /y
                  4⤵
                    PID:2024
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe" /f
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:7188
                  • C:\Windows\system32\reg.exe
                    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe" /f
                    4⤵
                    • Adds Run key to start application
                    PID:7240
                • C:\Windows\System32\net.exe
                  "C:\Windows\System32\net.exe" stop "samss" /y
                  3⤵
                    PID:111712
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 stop "samss" /y
                      4⤵
                        PID:112380
                  • C:\Windows\System32\net.exe
                    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:676
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                      3⤵
                        PID:1260
                    • C:\Windows\System32\net.exe
                      "C:\Windows\System32\net.exe" stop "samss" /y
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:276
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop "samss" /y
                        3⤵
                          PID:1328
                      • C:\Windows\System32\net.exe
                        "C:\Windows\System32\net.exe" stop "samss" /y
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1944
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 stop "samss" /y
                          3⤵
                            PID:1348
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe" /f
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1952
                          • C:\Windows\system32\reg.exe
                            REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe" /f
                            3⤵
                            • Adds Run key to start application
                            PID:2264
                        • C:\Windows\System32\net.exe
                          "C:\Windows\System32\net.exe" stop "samss" /y
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:7992
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 stop "samss" /y
                            3⤵
                              PID:8016
                          • C:\Windows\System32\net.exe
                            "C:\Windows\System32\net.exe" stop "samss" /y
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:89504
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 stop "samss" /y
                              3⤵
                                PID:91140

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/1116-59-0x000000013FB90000-0x000000013FC26000-memory.dmp

                            Filesize

                            600KB

                            Download

                          • memory/1116-58-0x000000013FB90000-0x000000013FC26000-memory.dmp

                            Filesize

                            600KB

                            Download

                          • memory/1528-54-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

                            Filesize

                            8KB

                            Download