Analysis
-
max time kernel
169s -
max time network
149s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
20/02/2022, 09:36 UTC
Static task
static1
Behavioral task
behavioral1
Sample
1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe
-
Size
170KB
-
MD5
87f52df87c03ef416af719d3b2210497
-
SHA1
0f8047b08834f8a229992af67f1f6eb232d65941
-
SHA256
1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b
-
SHA512
01675e5440d7c32b592eb92b233ba236eab1dd2e72bc19d3054d88c84539a5b80674d67c2c655b9f9a9731ec380ed8c65db5a66af1f449f5f7d3e4e5aa62aa5c
Score
10/10
Malware Config
Extracted
Path
C:\RyukReadMe.txt
Family
ryuk
Ransom Note
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
WayneEvenson@protonmail.com
or
WayneEvenson@tutanota.com
BTC wallet:
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Ryuk
No system is safe
Emails
WayneEvenson@protonmail.com
WayneEvenson@tutanota.com
Wallets
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg taskhost.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\ta.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cancun taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml taskhost.exe File opened for modification C:\Program Files\Common Files\System\en-US\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Lagos taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\fr-FR\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boa_Vista taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg taskhost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif taskhost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_HK.properties taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml taskhost.exe File opened for modification C:\Program Files\Internet Explorer\en-US\eula.rtf taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\th.txt taskhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 524 1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 524 1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 524 wrote to memory of 1148 524 1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe 27 PID 524 wrote to memory of 1148 524 1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe 27 PID 524 wrote to memory of 1148 524 1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe 27 PID 524 wrote to memory of 1220 524 1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe 12 PID 524 wrote to memory of 1312 524 1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe 11 PID 524 wrote to memory of 1148 524 1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe 27 PID 1148 wrote to memory of 1208 1148 cmd.exe 29 PID 1148 wrote to memory of 1208 1148 cmd.exe 29 PID 1148 wrote to memory of 1208 1148 cmd.exe 29
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1312
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Drops file in Program Files directory
PID:1220
-
C:\Users\Admin\AppData\Local\Temp\1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe"C:\Users\Admin\AppData\Local\Temp\1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1d7647c565c6efb818aff1500104584d926c6fac3be19f56fd6106c17f5e2e9b.exe" /f3⤵
- Adds Run key to start application
PID:1208
-
-