Overview

overview

10

Static

static

3533b142cd...49.exe

windows7_x64

10

3533b142cd...49.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    167s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-02-2022 08:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3533b142cd5b092a59d02aa677c344106be5f549e83a1be077822e5a8dcd4349.exe

  • Size

    119KB

  • MD5

    02da6d6d95eaf94583b666c2ed490d70

  • SHA1

    38b7074c06f3badbd7e86b7d32c1ddbccff43cb3

  • SHA256

    3533b142cd5b092a59d02aa677c344106be5f549e83a1be077822e5a8dcd4349

  • SHA512

    5ca227bf56e27f8c59f34340681b925a2976f337f646a8f1ba5138698b6f21e81001e27ab313c3fa75bfcf0c43d72f1825bb3ef237dc96e2a893b824e8ccfd4c

Score
10/10
ryukpersistenceransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 12N7W9ycLhuck9Q2wT8E6BaN6XzZ4DMLau Ryuk No system is safe
Wallets

12N7W9ycLhuck9Q2wT8E6BaN6XzZ4DMLau

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2372
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:3340
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:3412
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:3492
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3692
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:3088
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:2132
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  1⤵
                    PID:3248
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                    1⤵
                      PID:1148
                    • C:\Windows\system32\taskhostw.exe
                      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                      1⤵
                        PID:2468
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                          PID:2344
                        • C:\Users\Admin\AppData\Local\Temp\3533b142cd5b092a59d02aa677c344106be5f549e83a1be077822e5a8dcd4349.exe
                          "C:\Users\Admin\AppData\Local\Temp\3533b142cd5b092a59d02aa677c344106be5f549e83a1be077822e5a8dcd4349.exe"
                          1⤵
                          • Checks computer location settings
                          • Drops file in Program Files directory
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3296
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3533b142cd5b092a59d02aa677c344106be5f549e83a1be077822e5a8dcd4349.exe" /f /reg:64
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1624
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3533b142cd5b092a59d02aa677c344106be5f549e83a1be077822e5a8dcd4349.exe" /f /reg:64
                              3⤵
                              • Adds Run key to start application
                              PID:1788
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                          1⤵
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3280
                        • C:\Windows\system32\backgroundTaskHost.exe
                          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                          1⤵
                            PID:860

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/3280-133-0x00000205857A0000-0x00000205857B0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3280-134-0x0000020585D30000-0x0000020585D40000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3280-135-0x0000020588420000-0x0000020588424000-memory.dmp

                            Filesize

                            16KB

                            Download