Overview

overview

10

Static

static

6eca3f416a...19.exe

windows7_x64

10

6eca3f416a...19.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    190s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-02-2022 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe

  • Size

    123KB

  • MD5

    170e82abf8cd1e4c2f360795eeb4e78f

  • SHA1

    1b7864fe3338bfdc312c0159ee5cb3054d9d3add

  • SHA256

    6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619

  • SHA512

    83d9558a7b3bef56af0833f016f75f7b649b21ef300d0369ad0e2bb5bf11818c1a9cbe632c062fa7c896fb266392e595957806e9f90b12d42444bccfe3ee5639

Score
10/10
ryukransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 12vsQry1XrPjPCaH8gWzDJeYT7dhTmpcjL Ryuk No system is safe
Wallets

12vsQry1XrPjPCaH8gWzDJeYT7dhTmpcjL

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Program crash 2 IoCs
  • Modifies registry class 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2280
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2908
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2908 -s 2100
        2⤵
        • Program crash
        PID:4736
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      1⤵
        PID:3984
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
        1⤵
          PID:884
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of UnmapMainImage
          PID:1632
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:3344
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:2812
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:3056
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:2972
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2720
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 2720 -s 996
                    2⤵
                    • Program crash
                    PID:3392
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
                  1⤵
                    PID:2520
                  • C:\Windows\Explorer.EXE
                    C:\Windows\Explorer.EXE
                    1⤵
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:2428
                    • C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe
                      "C:\Users\Admin\AppData\Local\Temp\6eca3f416a08fde6688250dbd4ba4dfaa3df95a5d26b6d978dfbd67fbd159619.exe"
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1808
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                    1⤵
                      PID:2236
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Drops desktop.ini file(s)
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2216
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -pss -s 476 -p 2908 -ip 2908
                      1⤵
                      • Suspicious use of NtCreateProcessExOtherParentProcess
                      • Suspicious use of WriteProcessMemory
                      PID:4764

                    Network

                    MITRE ATT&CK Matrix

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/2216-130-0x00007FF62C970000-0x00007FF62CCF1000-memory.dmp

                      Filesize

                      3.5MB

                      Download

                    • memory/2236-131-0x00007FF62C970000-0x00007FF62CCF1000-memory.dmp

                      Filesize

                      3.5MB

                      Download

                    • memory/2720-197-0x000001BC45A90000-0x000001BC45A98000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2720-198-0x000001BC458D0000-0x000001BC458D1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2972-132-0x00007FF62C970000-0x00007FF62CCF1000-memory.dmp

                      Filesize

                      3.5MB

                      Download