Analysis

  • max time kernel
    177s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20-02-2022 07:58

General

  • Target

    43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe

  • Size

    170KB

  • MD5

    08fda98dfedd3e304a7128e4918fe1bc

  • SHA1

    087793d8fdae310ee195f3e4c2d93395318f22a2

  • SHA256

    43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5

  • SHA512

    e39b8cca6edd9540e4259974d9dda28edf14a4de1bc0c1d5f4f8f06bde02c24dfc3e439be606a201946d45446f73eae9b005b0e681f6128d41fe3cd29b947ce4

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Emails

WayneEvenson@protonmail.com

WayneEvenson@tutanota.com

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1344
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
      • Drops file in Program Files directory
      PID:1228
    • C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
      "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Windows\system32\reg.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe" /f
          3⤵
          • Adds Run key to start application
          PID:1028

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/752-54-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp
      Filesize

      8KB

    • memory/1228-55-0x000000013F8A0000-0x000000013FC2E000-memory.dmp
      Filesize

      3.6MB

    • memory/1228-57-0x000000013F8A0000-0x000000013FC2E000-memory.dmp
      Filesize

      3.6MB