Analysis Overview
SHA256
6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096
Threat Level: Known bad
The file 6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 06:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 06:01
Reported
2022-02-20 06:30
Platform
win7-en-20211208
Max time kernel
181s
Max time network
142s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NUTazZa.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NUTazZa.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
"C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe"
C:\Users\Admin\AppData\Local\Temp\NUTazZa.exe
"C:\Users\Admin\AppData\Local\Temp\NUTazZa.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.51:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
Files
memory/960-54-0x0000000075761000-0x0000000075763000-memory.dmp
\Users\Admin\AppData\Local\Temp\NUTazZa.exe
| MD5 | d0020f73e4567c9a96b92c78419ed215 |
| SHA1 | 10766dfbedd4ffba1c23bad0d83324bd04d2700a |
| SHA256 | 6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096 |
| SHA512 | fa075796f4192b8249708f0d18b3dadf56874b75a1619e17ae3a3e61ff72eec010e9d53bb69e5627255119a1ade463dd432b8d9a046da74b653c7f5e83238d8a |
\Users\Admin\AppData\Local\Temp\NUTazZa.exe
| MD5 | d0020f73e4567c9a96b92c78419ed215 |
| SHA1 | 10766dfbedd4ffba1c23bad0d83324bd04d2700a |
| SHA256 | 6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096 |
| SHA512 | fa075796f4192b8249708f0d18b3dadf56874b75a1619e17ae3a3e61ff72eec010e9d53bb69e5627255119a1ade463dd432b8d9a046da74b653c7f5e83238d8a |
C:\Users\Admin\AppData\Local\Temp\NUTazZa.exe
| MD5 | d0020f73e4567c9a96b92c78419ed215 |
| SHA1 | 10766dfbedd4ffba1c23bad0d83324bd04d2700a |
| SHA256 | 6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096 |
| SHA512 | fa075796f4192b8249708f0d18b3dadf56874b75a1619e17ae3a3e61ff72eec010e9d53bb69e5627255119a1ade463dd432b8d9a046da74b653c7f5e83238d8a |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
| MD5 | 8c33ca1dad936c07e8e48b3e8d0862d5 |
| SHA1 | 7923dfab163b61fa58a77b27c398baacd73b03ae |
| SHA256 | 866a171150877caf5af6011ec36f9dab92d9faae37e15ba58d1054d2fba281cb |
| SHA512 | 6604d5328034671a105b569ebb2dc533e5b162e6d291da056a0a376c0d5c82b39a7e1093817ced4c25a3d68f839e1237b17586e26328a87aef648caed651fdfa |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 06:01
Reported
2022-02-20 06:30
Platform
win10v2004-en-20220113
Max time kernel
175s
Max time network
211s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vSCrxOE.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vSCrxOE.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vSCrxOE.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
"C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe"
C:\Users\Admin\AppData\Local\Temp\vSCrxOE.exe
"C:\Users\Admin\AppData\Local\Temp\vSCrxOE.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
Network
| Country | Destination | Domain | Proto |
| US | 13.89.179.10:443 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.51:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.251:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\vSCrxOE.exe
| MD5 | d0020f73e4567c9a96b92c78419ed215 |
| SHA1 | 10766dfbedd4ffba1c23bad0d83324bd04d2700a |
| SHA256 | 6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096 |
| SHA512 | fa075796f4192b8249708f0d18b3dadf56874b75a1619e17ae3a3e61ff72eec010e9d53bb69e5627255119a1ade463dd432b8d9a046da74b653c7f5e83238d8a |
C:\Users\Admin\AppData\Local\Temp\vSCrxOE.exe
| MD5 | d0020f73e4567c9a96b92c78419ed215 |
| SHA1 | 10766dfbedd4ffba1c23bad0d83324bd04d2700a |
| SHA256 | 6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096 |
| SHA512 | fa075796f4192b8249708f0d18b3dadf56874b75a1619e17ae3a3e61ff72eec010e9d53bb69e5627255119a1ade463dd432b8d9a046da74b653c7f5e83238d8a |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
| MD5 | 8c33ca1dad936c07e8e48b3e8d0862d5 |
| SHA1 | 7923dfab163b61fa58a77b27c398baacd73b03ae |
| SHA256 | 866a171150877caf5af6011ec36f9dab92d9faae37e15ba58d1054d2fba281cb |
| SHA512 | 6604d5328034671a105b569ebb2dc533e5b162e6d291da056a0a376c0d5c82b39a7e1093817ced4c25a3d68f839e1237b17586e26328a87aef648caed651fdfa |