Analysis
-
max time kernel
189s -
max time network
226s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
20-02-2022 06:10
General
-
Target
6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe
-
Size
184KB
-
MD5
e04ed93986095d0b9def687de63a682b
-
SHA1
ba09fe2167f7b75d659f0c8723f44b875a23a91b
-
SHA256
6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20
-
SHA512
14dab6fe8654b2e2ffb8ddeb39f7cd6b0d9ffff8665eff59f8024f4a0cd56110075550164757d4f8bb25de1902062bf9e89e15057bd2b716d636c244714df420
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Family
ryuk
Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�������������������������������������������������������������������������������������������������������������������������������������������������������
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe"C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken