Analysis
-
max time kernel
170s -
max time network
153s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
20-02-2022 06:29
Static task
static1
Behavioral task
behavioral1
Sample
65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe
-
Size
147KB
-
MD5
cb2ef6d62007213c431a87022d18716e
-
SHA1
5ce55bf28895f4f937326d50b316fbf40c26b506
-
SHA256
65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97
-
SHA512
23069fea1effda102ccfe22e8cc998bf5ca6dbb19a13b565964cf0d9d741f9059e14eb4c09d944c29c84c3a8b258c30764c68820d2a3223d34f039e7920fb1f0
Score
10/10
Malware Config
Extracted
Path
C:\RyukReadMe.txt
Family
ryuk
Ransom Note
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation.
More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder.
No decryption software is available in the public.
Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT DELETE readme files.
To confirm our honest intentions.Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure that one key decrypts everything.
2 files we unlock for free
To get info (decrypt your files) contact us at
[email protected]
or
[email protected]
BTC wallet:
19AE1YN6Jo8ognKdJQ3xeQQL1mSZyX16op
Ryuk
No system is safe
Wallets
19AE1YN6Jo8ognKdJQ3xeQQL1mSZyX16op
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\System\msadc\de-DE\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml taskhost.exe File opened for modification C:\Program Files\Common Files\System\ado\fr-FR\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm taskhost.exe File opened for modification C:\Program Files\Common Files\System\msadc\adcjavas.inc taskhost.exe File opened for modification C:\Program Files\Internet Explorer\de-DE\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png taskhost.exe File opened for modification C:\Program Files\Common Files\System\ado\adovbs.inc taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat taskhost.exe File opened for modification C:\Program Files\Internet Explorer\es-ES\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\vi.txt taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\ug.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg taskhost.exe File opened for modification C:\Program Files\CloseRegister.tmp taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\is.txt taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\th.txt taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf taskhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 480 65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 480 65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 480 wrote to memory of 1680 480 65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe 27 PID 480 wrote to memory of 1680 480 65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe 27 PID 480 wrote to memory of 1680 480 65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe 27 PID 480 wrote to memory of 1116 480 65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe 13 PID 480 wrote to memory of 1172 480 65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe 17 PID 1680 wrote to memory of 1160 1680 cmd.exe 29 PID 1680 wrote to memory of 1160 1680 cmd.exe 29 PID 1680 wrote to memory of 1160 1680 cmd.exe 29 PID 480 wrote to memory of 1680 480 65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe 27
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Drops file in Program Files directory
PID:1116
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe"C:\Users\Admin\AppData\Local\Temp\65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:480 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\65160fc5b5542e6a1b6d6ea2194eb9d4545979bb31a632142195332044b42d97.exe" /f3⤵
- Adds Run key to start application
PID:1160
-
-