Analysis

  • max time kernel
    176s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-02-2022 07:12

General

  • Target

    56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe

  • Size

    202KB

  • MD5

    ab390eb9f4302cb3ecfbf63027e177ca

  • SHA1

    1b84a4c57c6e54a13db6cd49b7e1673b97d02d0f

  • SHA256

    56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177

  • SHA512

    ce7152a2a844a7e2fc7134e5125823ebdcc355191f73d687af282b8f3b3f123a68990e51402d35d6ac6ebf44ac8abe54303cb381b946868316415b8caa1e2d77

Score
10/10

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" stop "spooler" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "spooler" /y
        3⤵
          PID:5488
      • C:\Windows\System32\net.exe
        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5172
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
          3⤵
            PID:5536
        • C:\Windows\System32\net.exe
          "C:\Windows\System32\net.exe" stop "samss" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:5228
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop "samss" /y
            3⤵
              PID:5544
          • C:\Windows\System32\net.exe
            "C:\Windows\System32\net.exe" stop "spooler" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:5336
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop "spooler" /y
              3⤵
                PID:5508
            • C:\Windows\System32\net.exe
              "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
              2⤵
                PID:5704
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                  3⤵
                    PID:5168
                • C:\Windows\System32\net.exe
                  "C:\Windows\System32\net.exe" stop "samss" /y
                  2⤵
                    PID:6096
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 stop "samss" /y
                      3⤵
                        PID:5272
                    • C:\Windows\System32\net.exe
                      "C:\Windows\System32\net.exe" stop "spooler" /y
                      2⤵
                        PID:3908
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 stop "spooler" /y
                          3⤵
                            PID:1464
                        • C:\Windows\System32\net.exe
                          "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                          2⤵
                            PID:2776
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                              3⤵
                                PID:5776
                            • C:\Windows\System32\net.exe
                              "C:\Windows\System32\net.exe" stop "samss" /y
                              2⤵
                                PID:4040
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 stop "samss" /y
                                  3⤵
                                    PID:4512
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                1⤵
                                  PID:2304
                                • C:\Windows\system32\taskhostw.exe
                                  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                  1⤵
                                    PID:2344
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
                                    1⤵
                                      PID:2612
                                    • C:\Windows\system32\backgroundTaskHost.exe
                                      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                      1⤵
                                        PID:3372
                                      • C:\Windows\System32\RuntimeBroker.exe
                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                        1⤵
                                        • Modifies registry class
                                        • Suspicious use of UnmapMainImage
                                        PID:3384
                                      • C:\Windows\System32\RuntimeBroker.exe
                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                        1⤵
                                          PID:3516
                                        • C:\Windows\System32\RuntimeBroker.exe
                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                          1⤵
                                            PID:3128
                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                            1⤵
                                              PID:772
                                            • C:\Windows\System32\RuntimeBroker.exe
                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                              1⤵
                                                PID:3008
                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2908
                                                • C:\Windows\system32\WerFault.exe
                                                  C:\Windows\system32\WerFault.exe -u -p 2908 -s 3300
                                                  2⤵
                                                  • Program crash
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:5784
                                              • C:\Windows\system32\DllHost.exe
                                                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                1⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:2812
                                                • C:\Windows\system32\WerFault.exe
                                                  C:\Windows\system32\WerFault.exe -u -p 2812 -s 944
                                                  2⤵
                                                  • Program crash
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:4476
                                              • C:\Users\Admin\AppData\Local\Temp\56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe
                                                "C:\Users\Admin\AppData\Local\Temp\56cc8b989ac43641950fecc73f42f76bdc441bee531ecf3e8c71bf9b4a563177.exe"
                                                1⤵
                                                • Checks computer location settings
                                                • Drops desktop.ini file(s)
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:3172
                                                • C:\Windows\System32\net.exe
                                                  "C:\Windows\System32\net.exe" stop "spooler" /y
                                                  2⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4528
                                                  • C:\Windows\system32\net1.exe
                                                    C:\Windows\system32\net1 stop "spooler" /y
                                                    3⤵
                                                      PID:5520
                                                  • C:\Windows\System32\net.exe
                                                    "C:\Windows\System32\net.exe" stop "spooler" /y
                                                    2⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:4752
                                                    • C:\Windows\system32\net1.exe
                                                      C:\Windows\system32\net1 stop "spooler" /y
                                                      3⤵
                                                        PID:5528
                                                    • C:\Windows\System32\net.exe
                                                      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                                                      2⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:5284
                                                      • C:\Windows\system32\net1.exe
                                                        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                                                        3⤵
                                                          PID:5760
                                                      • C:\Windows\System32\net.exe
                                                        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                                                        2⤵
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:5440
                                                        • C:\Windows\system32\net1.exe
                                                          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                                                          3⤵
                                                            PID:5744
                                                        • C:\Windows\System32\net.exe
                                                          "C:\Windows\System32\net.exe" stop "samss" /y
                                                          2⤵
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:5500
                                                          • C:\Windows\system32\net1.exe
                                                            C:\Windows\system32\net1 stop "samss" /y
                                                            3⤵
                                                              PID:5656
                                                          • C:\Windows\System32\net.exe
                                                            "C:\Windows\System32\net.exe" stop "samss" /y
                                                            2⤵
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:5564
                                                            • C:\Windows\system32\net1.exe
                                                              C:\Windows\system32\net1 stop "samss" /y
                                                              3⤵
                                                                PID:5752
                                                            • C:\Windows\System32\net.exe
                                                              "C:\Windows\System32\net.exe" stop "spooler" /y
                                                              2⤵
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:5368
                                                              • C:\Windows\system32\net1.exe
                                                                C:\Windows\system32\net1 stop "spooler" /y
                                                                3⤵
                                                                  PID:2100
                                                              • C:\Windows\System32\net.exe
                                                                "C:\Windows\System32\net.exe" stop "spooler" /y
                                                                2⤵
                                                                  PID:5384
                                                                  • C:\Windows\system32\net1.exe
                                                                    C:\Windows\system32\net1 stop "spooler" /y
                                                                    3⤵
                                                                      PID:5588
                                                                  • C:\Windows\System32\net.exe
                                                                    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                                                                    2⤵
                                                                      PID:5728
                                                                      • C:\Windows\system32\net1.exe
                                                                        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                                                                        3⤵
                                                                          PID:1480
                                                                      • C:\Windows\System32\net.exe
                                                                        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                                                                        2⤵
                                                                          PID:5720
                                                                          • C:\Windows\system32\net1.exe
                                                                            C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                                                                            3⤵
                                                                              PID:540
                                                                          • C:\Windows\System32\net.exe
                                                                            "C:\Windows\System32\net.exe" stop "samss" /y
                                                                            2⤵
                                                                              PID:4600
                                                                              • C:\Windows\system32\net1.exe
                                                                                C:\Windows\system32\net1 stop "samss" /y
                                                                                3⤵
                                                                                  PID:5652
                                                                              • C:\Windows\System32\net.exe
                                                                                "C:\Windows\System32\net.exe" stop "samss" /y
                                                                                2⤵
                                                                                  PID:6136
                                                                                  • C:\Windows\system32\net1.exe
                                                                                    C:\Windows\system32\net1 stop "samss" /y
                                                                                    3⤵
                                                                                      PID:5664
                                                                                  • C:\Windows\System32\net.exe
                                                                                    "C:\Windows\System32\net.exe" stop "spooler" /y
                                                                                    2⤵
                                                                                      PID:2176
                                                                                      • C:\Windows\system32\net1.exe
                                                                                        C:\Windows\system32\net1 stop "spooler" /y
                                                                                        3⤵
                                                                                          PID:5580
                                                                                      • C:\Windows\System32\net.exe
                                                                                        "C:\Windows\System32\net.exe" stop "spooler" /y
                                                                                        2⤵
                                                                                          PID:4088
                                                                                          • C:\Windows\system32\net1.exe
                                                                                            C:\Windows\system32\net1 stop "spooler" /y
                                                                                            3⤵
                                                                                              PID:3100
                                                                                          • C:\Windows\System32\net.exe
                                                                                            "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                                                                                            2⤵
                                                                                              PID:3956
                                                                                              • C:\Windows\system32\net1.exe
                                                                                                C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                                                                                                3⤵
                                                                                                  PID:5244
                                                                                              • C:\Windows\System32\net.exe
                                                                                                "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                                                                                                2⤵
                                                                                                  PID:2900
                                                                                                  • C:\Windows\system32\net1.exe
                                                                                                    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                                                                                                    3⤵
                                                                                                      PID:4328
                                                                                                  • C:\Windows\System32\net.exe
                                                                                                    "C:\Windows\System32\net.exe" stop "samss" /y
                                                                                                    2⤵
                                                                                                      PID:3876
                                                                                                      • C:\Windows\system32\net1.exe
                                                                                                        C:\Windows\system32\net1 stop "samss" /y
                                                                                                        3⤵
                                                                                                          PID:2944
                                                                                                      • C:\Windows\System32\net.exe
                                                                                                        "C:\Windows\System32\net.exe" stop "samss" /y
                                                                                                        2⤵
                                                                                                          PID:3592
                                                                                                          • C:\Windows\system32\net1.exe
                                                                                                            C:\Windows\system32\net1 stop "samss" /y
                                                                                                            3⤵
                                                                                                              PID:3004
                                                                                                        • C:\Windows\system32\BackgroundTransferHost.exe
                                                                                                          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                          1⤵
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:1180
                                                                                                          • C:\Windows\system32\WerFault.exe
                                                                                                            C:\Windows\system32\WerFault.exe -u -p 1180 -s 2796
                                                                                                            2⤵
                                                                                                            • Program crash
                                                                                                            • Checks processor information in registry
                                                                                                            • Enumerates system info in registry
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            PID:5792
                                                                                                        • C:\Windows\system32\WerFault.exe
                                                                                                          C:\Windows\system32\WerFault.exe -pss -s 460 -p 1180 -ip 1180
                                                                                                          1⤵
                                                                                                          • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:5080
                                                                                                        • C:\Windows\system32\WerFault.exe
                                                                                                          C:\Windows\system32\WerFault.exe -pss -s 504 -p 2908 -ip 2908
                                                                                                          1⤵
                                                                                                          • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:4556

                                                                                                        Network

                                                                                                        MITRE ATT&CK Enterprise v6

                                                                                                        Replay Monitor

                                                                                                        Loading Replay Monitor...

                                                                                                        Downloads

                                                                                                        • memory/2284-130-0x00007FF782600000-0x00007FF782995000-memory.dmp

                                                                                                          Filesize

                                                                                                          3.6MB

                                                                                                        • memory/2304-131-0x00007FF782600000-0x00007FF782995000-memory.dmp

                                                                                                          Filesize

                                                                                                          3.6MB

                                                                                                        • memory/2812-189-0x000001F80E3C0000-0x000001F80E3C1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2812-188-0x000001F80E400000-0x000001F80E408000-memory.dmp

                                                                                                          Filesize

                                                                                                          32KB

                                                                                                        • memory/2812-151-0x000001F80E050000-0x000001F80E051000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2812-162-0x000001F80E410000-0x000001F80E411000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2812-160-0x000001F80E420000-0x000001F80E428000-memory.dmp

                                                                                                          Filesize

                                                                                                          32KB

                                                                                                        • memory/2812-149-0x000001F80E3C0000-0x000001F80E3C8000-memory.dmp

                                                                                                          Filesize

                                                                                                          32KB