Analysis

  • max time kernel
    175s
  • max time network
    211s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-02-2022 06:01

General

  • Target

    6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe

  • Size

    186KB

  • MD5

    d0020f73e4567c9a96b92c78419ed215

  • SHA1

    10766dfbedd4ffba1c23bad0d83324bd04d2700a

  • SHA256

    6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096

  • SHA512

    fa075796f4192b8249708f0d18b3dadf56874b75a1619e17ae3a3e61ff72eec010e9d53bb69e5627255119a1ade463dd432b8d9a046da74b653c7f5e83238d8a

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> eninteste1987@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�������������������������������������������������������������������������������������������������������������������������������������������������������
Emails

eninteste1987@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
eninteste1987@protonmail.com balance of shadow universe Ryuk
Emails

eninteste1987@protonmail.com

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
    "C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Users\Admin\AppData\Local\Temp\vSCrxOE.exe
      "C:\Users\Admin\AppData\Local\Temp\vSCrxOE.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4192
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          4⤵
            PID:4056
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "samss" /y
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:828
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "samss" /y
            4⤵
              PID:2612
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3496
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "audioendpointbuilder" /y
            3⤵
              PID:4028
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2788
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "audioendpointbuilder" /y
              3⤵
                PID:1640
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop "samss" /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4384
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "samss" /y
                3⤵
                  PID:3848
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" stop "samss" /y
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2580
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "samss" /y
                  3⤵
                    PID:3688
                • C:\Windows\SysWOW64\net.exe
                  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:9952
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                    3⤵
                      PID:10120
                  • C:\Windows\SysWOW64\net.exe
                    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:9944
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                      3⤵
                        PID:10156
                    • C:\Windows\SysWOW64\net.exe
                      "C:\Windows\System32\net.exe" stop "samss" /y
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:10008
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop "samss" /y
                        3⤵
                          PID:10136
                      • C:\Windows\SysWOW64\net.exe
                        "C:\Windows\System32\net.exe" stop "samss" /y
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:10024
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop "samss" /y
                          3⤵
                            PID:10148

                      Network

                      • flag-us
                        DNS
                        14.110.152.52.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        14.110.152.52.in-addr.arpa
                        IN PTR
                        Response
                      • 13.89.179.10:443
                        40 B
                        1
                      • 13.107.4.50:80
                        322 B
                        7
                      • 13.107.4.50:80
                        322 B
                        7
                      • 8.8.8.8:53
                        14.110.152.52.in-addr.arpa
                        dns
                        72 B
                        146 B
                        1
                        1

                        DNS Request

                        14.110.152.52.in-addr.arpa

                      • 10.127.0.1:7
                        vSCrxOE.exe
                        130 B
                        1
                      • 154.61.71.51:7
                        vSCrxOE.exe
                        130 B
                        1
                      • 224.0.0.22:7
                        vSCrxOE.exe
                        130 B
                        1
                      • 224.0.0.251:7
                        vSCrxOE.exe
                        130 B
                        1
                      • 224.0.0.252:7
                        vSCrxOE.exe
                        130 B
                        1
                      • 239.255.255.250:7
                        vSCrxOE.exe

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      We care about your privacy.

                      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.