Analysis
-
max time kernel
189s -
max time network
195s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
08-05-2022 16:35
Static task
static1
Behavioral task
behavioral1
Sample
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe
Resource
win10v2004-20220414-en
General
-
Target
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe
-
Size
1.2MB
-
MD5
0ecf16ceba335bcdc023ab71472a247f
-
SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364
-
SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
-
SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1
Malware Config
Extracted
C:\users\Public\RyukReadMe.html
ryuk
aragycred1983@protonmail.com
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Dave packer 1 IoCs
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
Processes:
resource yara_rule behavioral2/memory/2144-138-0x0000000002360000-0x0000000002384000-memory.dmp dave -
Executes dropped EXE 3 IoCs
Processes:
RHddzbjDzlan.exexDWSpQhpOlan.exexaMrJcRMulan.exepid process 1752 RHddzbjDzlan.exe 3912 xDWSpQhpOlan.exe 2548 xaMrJcRMulan.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
icacls.exeicacls.exepid process 3848 icacls.exe 800 icacls.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exeRHddzbjDzlan.exexDWSpQhpOlan.exexaMrJcRMulan.exepid process 2144 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe 1752 RHddzbjDzlan.exe 3912 xDWSpQhpOlan.exe 2548 xaMrJcRMulan.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exedescription pid process target process PID 2144 wrote to memory of 1752 2144 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe RHddzbjDzlan.exe PID 2144 wrote to memory of 1752 2144 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe RHddzbjDzlan.exe PID 2144 wrote to memory of 1752 2144 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe RHddzbjDzlan.exe PID 2144 wrote to memory of 3912 2144 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe xDWSpQhpOlan.exe PID 2144 wrote to memory of 3912 2144 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe xDWSpQhpOlan.exe PID 2144 wrote to memory of 3912 2144 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe xDWSpQhpOlan.exe PID 2144 wrote to memory of 2548 2144 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe xaMrJcRMulan.exe PID 2144 wrote to memory of 2548 2144 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe xaMrJcRMulan.exe PID 2144 wrote to memory of 2548 2144 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe xaMrJcRMulan.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe"C:\Users\Admin\AppData\Local\Temp\1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exe"C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exe" 8 LAN2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exe"C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exe" 8 LAN2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exe"C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exe" 8 LAN2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exeFilesize
1.2MB
MD50ecf16ceba335bcdc023ab71472a247f
SHA160b08b42bc540491f978185c0a5e3a28dbda4364
SHA2561d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
SHA5120e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1
-
C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exeFilesize
1.2MB
MD50ecf16ceba335bcdc023ab71472a247f
SHA160b08b42bc540491f978185c0a5e3a28dbda4364
SHA2561d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
SHA5120e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1
-
C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exeFilesize
1.2MB
MD50ecf16ceba335bcdc023ab71472a247f
SHA160b08b42bc540491f978185c0a5e3a28dbda4364
SHA2561d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
SHA5120e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1
-
C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exeFilesize
1.2MB
MD50ecf16ceba335bcdc023ab71472a247f
SHA160b08b42bc540491f978185c0a5e3a28dbda4364
SHA2561d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
SHA5120e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1
-
C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exeFilesize
1.2MB
MD50ecf16ceba335bcdc023ab71472a247f
SHA160b08b42bc540491f978185c0a5e3a28dbda4364
SHA2561d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
SHA5120e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1
-
C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exeFilesize
1.2MB
MD50ecf16ceba335bcdc023ab71472a247f
SHA160b08b42bc540491f978185c0a5e3a28dbda4364
SHA2561d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
SHA5120e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1
-
C:\users\Public\RyukReadMe.htmlFilesize
620B
MD530216037d54b0c1d9509f6f0610c9007
SHA1963de1f69a00dce5a86e0307b0986e9f2f41f0b1
SHA256de79f986f67a452df6237e36fd3d31c87235dbfe8986eab7ffd3a2b598cf2474
SHA512ac0e568dbadbdee7a826dcce3f3f009da61b07cff24e2d9dfbc4972bf4b0a0a94cb1c6ddf050c416bf85bee4e5702c8bdf2c7efa0cfc5fc55a03283d6a06e2c6
-
memory/800-174-0x0000000000000000-mapping.dmp
-
memory/1752-139-0x0000000000000000-mapping.dmp
-
memory/1752-142-0x0000000002370000-0x0000000002396000-memory.dmpFilesize
152KB
-
memory/2144-130-0x0000000002390000-0x00000000023B6000-memory.dmpFilesize
152KB
-
memory/2144-138-0x0000000002360000-0x0000000002384000-memory.dmpFilesize
144KB
-
memory/2144-134-0x0000000035000000-0x000000003502B000-memory.dmpFilesize
172KB
-
memory/2548-161-0x0000000000000000-mapping.dmp
-
memory/2548-164-0x0000000002130000-0x0000000002156000-memory.dmpFilesize
152KB
-
memory/3848-173-0x0000000000000000-mapping.dmp
-
memory/3912-153-0x00000000026B0000-0x00000000026D6000-memory.dmpFilesize
152KB
-
memory/3912-150-0x0000000000000000-mapping.dmp