Analysis

  • max time kernel
    188s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-02-2022 08:45

General

  • Target

    30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe

  • Size

    208KB

  • MD5

    c596f71c6048997c88e80b57f045b891

  • SHA1

    ed2b5d11f20648a49a11be1795be5632c412879d

  • SHA256

    30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122

  • SHA512

    e18effe825ca1355bafcaf1da41bdf0485bab3af2898d963c059b922f03c2128756da679667b6480234bb3daed4b2e2a366241782f9f4b404ca7897683cc11eb

Score
10/10

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Special warning for system administrators, network administrators and third parties: Do not try to solve this problem by yourselves! Don't change file extensions! It can be dangerous for the encrypted information! Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files.Your system administrators are trying to solve problem by simple file extension changing. This actions seriously increase the time needed to recover your company's PCs and network servers! To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 19 IoCs
  • Modifies registry class 9 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2908
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3516
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3116
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:228
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 228 -s 3008
          2⤵
          • Program crash
          PID:5260
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
        1⤵
          PID:116
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
          • Modifies registry class
          PID:2900
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:2992
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2732 -s 976
              2⤵
              • Program crash
              PID:4292
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
            1⤵
              PID:2536
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2296
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                1⤵
                  PID:2252
                • C:\Windows\system32\sihost.exe
                  sihost.exe
                  1⤵
                  • Drops desktop.ini file(s)
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2240
                  • C:\Windows\System32\net.exe
                    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4700
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                      3⤵
                        PID:4892
                    • C:\Windows\System32\net.exe
                      "C:\Windows\System32\net.exe" stop "samss" /y
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4928
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop "samss" /y
                        3⤵
                          PID:1608
                      • C:\Windows\System32\net.exe
                        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:5968
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                          3⤵
                            PID:6020
                        • C:\Windows\System32\net.exe
                          "C:\Windows\System32\net.exe" stop "samss" /y
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:6040
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 stop "samss" /y
                            3⤵
                              PID:6092
                        • C:\Users\Admin\AppData\Local\Temp\30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe
                          "C:\Users\Admin\AppData\Local\Temp\30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122.exe"
                          1⤵
                          • Checks computer location settings
                          • Drops desktop.ini file(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2036
                          • C:\Windows\System32\net.exe
                            "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4864
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                              3⤵
                                PID:2204
                            • C:\Windows\System32\net.exe
                              "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4856
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                                3⤵
                                  PID:5072
                              • C:\Windows\System32\net.exe
                                "C:\Windows\System32\net.exe" stop "samss" /y
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3200
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 stop "samss" /y
                                  3⤵
                                    PID:5568
                                • C:\Windows\System32\net.exe
                                  "C:\Windows\System32\net.exe" stop "samss" /y
                                  2⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:4384
                                  • C:\Windows\system32\net1.exe
                                    C:\Windows\system32\net1 stop "samss" /y
                                    3⤵
                                      PID:5576
                                  • C:\Windows\System32\net.exe
                                    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                                    2⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:6140
                                    • C:\Windows\system32\net1.exe
                                      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                                      3⤵
                                        PID:2628
                                    • C:\Windows\System32\net.exe
                                      "C:\Windows\System32\net.exe" stop "samss" /y
                                      2⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:5272
                                      • C:\Windows\system32\net1.exe
                                        C:\Windows\system32\net1 stop "samss" /y
                                        3⤵
                                          PID:2160
                                      • C:\Windows\System32\net.exe
                                        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                                        2⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:5264
                                        • C:\Windows\system32\net1.exe
                                          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                                          3⤵
                                            PID:2308
                                        • C:\Windows\System32\net.exe
                                          "C:\Windows\System32\net.exe" stop "samss" /y
                                          2⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:4464
                                          • C:\Windows\system32\net1.exe
                                            C:\Windows\system32\net1 stop "samss" /y
                                            3⤵
                                              PID:396
                                        • C:\Windows\system32\MusNotifyIcon.exe
                                          %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
                                          1⤵
                                          • Checks processor information in registry
                                          PID:656
                                        • C:\Windows\system32\WerFault.exe
                                          C:\Windows\system32\WerFault.exe -pss -s 408 -p 228 -ip 228
                                          1⤵
                                          • Suspicious use of NtCreateProcessExOtherParentProcess
                                          • Suspicious use of WriteProcessMemory
                                          PID:4484
                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                          1⤵
                                          • Modifies registry class
                                          • Suspicious use of SetWindowsHookEx
                                          PID:4896
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k NetworkService -p
                                          1⤵
                                          • Modifies data under HKEY_USERS
                                          PID:4988

                                        Network

                                        MITRE ATT&CK Enterprise v6

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • memory/2240-130-0x00007FF764430000-0x00007FF7647C7000-memory.dmp

                                          Filesize

                                          3.6MB

                                        • memory/2252-131-0x00007FF764430000-0x00007FF7647C7000-memory.dmp

                                          Filesize

                                          3.6MB