Analysis

  • max time kernel
    163s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06-03-2022 06:51

General

  • Target

    aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe

  • Size

    808KB

  • MD5

    50cc057a164640715e70a43979175a3f

  • SHA1

    690d83a764b7f4b65232e25c410c02cc5901ad72

  • SHA256

    aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5

  • SHA512

    ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> unumschooler1972@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html>
Emails

unumschooler1972@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
unumschooler1972@protonmail.com balance of shadow universe Ryuk
Emails

unumschooler1972@protonmail.com

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
    "C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe
      "C:\Users\Admin\AppData\Local\Temp\aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5.exe"
      2⤵
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Users\Admin\AppData\Local\Temp\WZcPXBA.exe
        "C:\Users\Admin\AppData\Local\Temp\WZcPXBA.exe" 8 LAN
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Users\Admin\AppData\Local\Temp\WZcPXBA.exe
          "C:\Users\Admin\AppData\Local\Temp\WZcPXBA.exe" 8 LAN
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" stop "samss" /y
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2220
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "samss" /y
              6⤵
                PID:2252
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop "samss" /y
              5⤵
                PID:73872
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "samss" /y
                  6⤵
                    PID:73900
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1440
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                4⤵
                  PID:1684
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" stop "samss" /y
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:364
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "samss" /y
                  4⤵
                    PID:1696
                • C:\Windows\SysWOW64\net.exe
                  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1088
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                    4⤵
                      PID:1812
                  • C:\Windows\SysWOW64\net.exe
                    "C:\Windows\System32\net.exe" stop "samss" /y
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1836
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "samss" /y
                      4⤵
                        PID:1392
                    • C:\Windows\SysWOW64\net.exe
                      "C:\Windows\System32\net.exe" stop "samss" /y
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:22508
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop "samss" /y
                        4⤵
                          PID:22456
                      • C:\Windows\SysWOW64\net.exe
                        "C:\Windows\System32\net.exe" stop "samss" /y
                        3⤵
                          PID:28496
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop "samss" /y
                            4⤵
                              PID:28428
                          • C:\Windows\SysWOW64\net.exe
                            "C:\Windows\System32\net.exe" stop "samss" /y
                            3⤵
                              PID:66508
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop "samss" /y
                                4⤵
                                  PID:66532
                              • C:\Windows\SysWOW64\net.exe
                                "C:\Windows\System32\net.exe" stop "samss" /y
                                3⤵
                                  PID:69032
                                  • C:\Windows\SysWOW64\net1.exe
                                    C:\Windows\system32\net1 stop "samss" /y
                                    4⤵
                                      PID:69056

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry
    1
    T1012
  • Peripheral Device Discovery
    1
    T1120
  • System Information Discovery
    2
    T1082


Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
    MD5
    93a5aadeec082ffc1bca5aa27af70f52
    SHA1
    47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
    SHA256
    a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
    SHA512
    df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

  • C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
    MD5
    3b40f517a25611205b0ba7af8ae225f1
    SHA1
    aa7e89f3d1202b37ff89d629ebe10dae8c4e14db
    SHA256
    385752904c61abf42b315b172c40b4a50d50cc58c94077cff0815c834e1ac013
    SHA512
    8d17239868ef33175214e14fc5ad245c9d5505deaf8747c079e6e05bca1c77e62bbacc5af8519dccae63b8d4e959ed32d3748d62de1aa3f7b256c35524af9f52

  • C:\Users\Admin\AppData\Local\Temp\WZcPXBA.exe
    MD5
    50cc057a164640715e70a43979175a3f
    SHA1
    690d83a764b7f4b65232e25c410c02cc5901ad72
    SHA256
    aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
    SHA512
    ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

  • C:\Users\Admin\AppData\Local\Temp\WZcPXBA.exe
    MD5
    50cc057a164640715e70a43979175a3f
    SHA1
    690d83a764b7f4b65232e25c410c02cc5901ad72
    SHA256
    aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
    SHA512
    ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

  • C:\Users\Admin\AppData\Local\Temp\WZcPXBA.exe
    MD5
    50cc057a164640715e70a43979175a3f
    SHA1
    690d83a764b7f4b65232e25c410c02cc5901ad72
    SHA256
    aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
    SHA512
    ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

  • \Users\Admin\AppData\Local\Temp\WZcPXBA.exe
    MD5
    50cc057a164640715e70a43979175a3f
    SHA1
    690d83a764b7f4b65232e25c410c02cc5901ad72
    SHA256
    aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
    SHA512
    ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

  • \Users\Admin\AppData\Local\Temp\WZcPXBA.exe
    MD5
    50cc057a164640715e70a43979175a3f
    SHA1
    690d83a764b7f4b65232e25c410c02cc5901ad72
    SHA256
    aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
    SHA512
    ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

  • \Users\Admin\AppData\Local\Temp\WZcPXBA.exe
    MD5
    50cc057a164640715e70a43979175a3f
    SHA1
    690d83a764b7f4b65232e25c410c02cc5901ad72
    SHA256
    aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
    SHA512
    ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

  • memory/304-58-0x0000000030000000-0x0000000030170000-memory.dmp
    Filesize
    1.4MB

  • memory/1400-67-0x0000000030000000-0x0000000030170000-memory.dmp
    Filesize
    1.4MB

  • memory/1772-55-0x00000000762C1000-0x00000000762C3000-memory.dmp
    Filesize
    8KB

  • memory/1772-56-0x0000000000270000-0x00000000002A3000-memory.dmp
    Filesize
    204KB