Analysis
- max time kernel: 173s
- max time network: 223s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-02-2022 08:29
Static task: static1
Behavioral task: behavioral1
  Sample: 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
  Resource: win10v2004-en-20220113
General
- Target: 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
- Size: 117KB
- MD5: 045eb328ff30b09cebd6fe3c031db7bc
- SHA1: b28cd818c54d7a4f5416728a8f8408e6c9c40bc2
- SHA256: 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
- SHA512: 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9
Malware Config
Extracted
- Family: ryuk
- Path: C:\users\Public\RyukReadMe.html
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2876  MmFTIiMoZrep.exe
    2800  nVpoSqBRLlan.exe
    5040  kJGwghwrBlan.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
- Modifies file permissions (1 TTP, 1 IoC)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
    1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1700 wrote to memory of 2876  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  MmFTIiMoZrep.exe
    PID 1700 wrote to memory of 2876  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  MmFTIiMoZrep.exe
    PID 1700 wrote to memory of 2876  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  MmFTIiMoZrep.exe
    PID 1700 wrote to memory of 2800  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  nVpoSqBRLlan.exe
    PID 1700 wrote to memory of 2800  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  nVpoSqBRLlan.exe
    PID 1700 wrote to memory of 2800  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  nVpoSqBRLlan.exe
    PID 1700 wrote to memory of 5040  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  kJGwghwrBlan.exe
    PID 1700 wrote to memory of 5040  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  kJGwghwrBlan.exe
    PID 1700 wrote to memory of 5040  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  kJGwghwrBlan.exe
    PID 1700 wrote to memory of 7544  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  icacls.exe
    PID 1700 wrote to memory of 7544  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  icacls.exe
    PID 1700 wrote to memory of 7544  1700  379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe  icacls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe" 9 REP
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe" 8 LAN
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe" 8 LAN
    - Executes dropped EXE
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    - Modifies file permissions
Downloads
- C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe
  MD5: 045eb328ff30b09cebd6fe3c031db7bc
  SHA1: b28cd818c54d7a4f5416728a8f8408e6c9c40bc2
  SHA256: 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
  SHA512: 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9
- C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe
  MD5: 045eb328ff30b09cebd6fe3c031db7bc
  SHA1: b28cd818c54d7a4f5416728a8f8408e6c9c40bc2
  SHA256: 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
  SHA512: 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9
- C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe
  MD5: 045eb328ff30b09cebd6fe3c031db7bc
  SHA1: b28cd818c54d7a4f5416728a8f8408e6c9c40bc2
  SHA256: 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
  SHA512: 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9
- C:\users\Public\RyukReadMe.html
  MD5: 2ebc1b0ea162294be2a9d7466ebb5a90
  SHA1: 0383e7bb7f0e8e06afab4d70db4b4d330499cc27
  SHA256: 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb
  SHA512: 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65