Analysis
-
max time kernel
4294211s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20220223-en -
submitted
05/03/2022, 21:08
General
-
Target
88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
-
Size
575KB
-
MD5
6cad2f7dc809b9353a31753a438aef4e
-
SHA1
459d816bb020f5da8257076a36d0ffd1f1f02d76
-
SHA256
88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335
-
SHA512
a67367990452bf21b7c0d0682c598422c78a5ed455a5d5e684d8fabb43366b0e9f9cd579a5f18123f6b1f97945f789904929838d1d893b70f450bfeafb243bb8
Score
10/10
Malware Config
Extracted
Path
C:\users\Public\RyukReadMe.html
Family
ryuk
Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�
Emails
Extracted
Path
C:\$Recycle.Bin\RyukReadMe.html
Family
ryuk
Ransom Note
[email protected]
balance of shadow universe
Ryuk
Emails
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe"C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB