Analysis

  • max time kernel
    154s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-05-2022 16:04

General

  • Target

    https://ipfs.io/ipfs/QmPN2XUEgBJN1rYB3AzhrtQEjuF3R3KQrZA9LZgdaicThH?filename=bethan_index.html

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FJZU34PA\bethan_index[1].html

Family

ryuk

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script src="https://kit.fontawesome.com/c2d4bde48d.js" crossorigin="anonymous"></script> <title id="pageTittle">Authenticating ...</title> <link id="faviconPage" rel="shortcut icon" href="favicon.ico" type="image/x-icon"> <style> /* OBFUSCATED BY CSSOBFUSCATOR.COM at 2022/04/04 13:55:43 */ [class~=allBlock], [class~=headerClass], [class~=pdfClass], [class~=dButton] { position: relative; } [class~=allBlock] { margin-top: 30px; } .detailBlock, [class~=allBlock] { margin-left: auto; } [class~=lds-ring] div { box-sizing: border-box; } body { font-family: Arial, Helvetica, sans-serif; } [class~=lds-ring] div { display: block; } * { padding-left: 0pt; } [class~=allBlock], .detailBlock { margin-right: auto; } .detailBlock, [class~=allBlock] { width: 337.5pt; } [class~=lds-ring] div { position: absolute; } [class~=lds-ring] div { width: 54px; } .detailBlock, [class~=allBlock] { display: flex; } * { padding-bottom: 0pt; } body { width: 100%; } [class~=dButton], .detailBlock, [class~=allBlock] { justify-content: center; } .detailBlock, [class~=allBlock] { flex-direction: column; } [class~=lds-ring] div { height: 40.5pt; } [class~=lds-ring] div { margin-left: .083333333in; } .detailBlock, [class~=allBlock] { align-items: center; } [class~=lds-ring] div { margin-bottom: .083333333in; } [class~=lds-ring] div { margin-right: .083333333in; } * { padding-right: 0pt; } body { background-color: #fff; } * { padding-top: 0pt; } * { margin-left: 0pc; } [class~=pdfClass] { height: 75pt; } [class~=pdfClass] { width: 90px; } [class~=pdfClass] { justify-self: center; } [class~=pdfClass] { margin-bottom: .208333333in; } [class~=pdfClass], .docNameClass, [class~=dButton] { cursor: pointer; } [class~=dButton] { background-color: #029115; } [class~=dButton] { color: white; } [class~=lds-ring] div { 
margin-top: .083333333in; } [class~=dButton] { padding-left: 11.25pt; } [class~=dButton] { padding-bottom: .9375pc; } [class~=dButton] { padding-right: 7.5pt; } [class~=dButton] { padding-top: .9375pc; } [class~=dButton] { width: 1.875in; } [class~=dButton] { border-radius: .3125pc; } *, [class~=dButton] { margin-bottom: 0pc; } [class~=dButton] { margin-left: 3.125pc; } [class~=lds-ring] div { border-left-width: .25pc; } [class~=lds-ring] div { border-bottom-width: .25pc; } [class~=lds-ring] div { border-right-width: .25pc; } [class~=dButton] { margin-right: 3.125pc; } [class~=dButton] { margin-top: 3.125pc; } * { margin-right: 0pc; } * { margin-top: 0pc; } [class~=dButton] { display: none; } .docNameClass { color: #6969d8; } .docNameClass { font-weight: 100; } .docNameClass { font-weight: bold; } [class~=headerClass] { top: 0in; } [class~=headerClass] { background-color: #00f; } [class~=headerClass] { height: 37.5pt; } [class~=headerClass] { width: 100%; } [class~=headerClass] { color: white; } * { outline: none; } [class~=headerClass] { display: flex; } [class~=lds-ring] div { border-top-width: .25pc; } [class~=headerClass] { justify-content: space-between; } [class~=textClass] { color: #2c2c2c; } [class~=textClass] { font-weight: 200; } [class~=lds-ring] div { border-left-style: solid; } [class~=textClass] { width: auto; } [class~=textClass] { text-justify: auto; } [class~=lds-ring] { display: inline-block; } [class~=lds-ring] { position: relative; } [class~=lds-ring] { width: 4.375pc; } [class~=lds-ring] div { border-bottom-style: solid; } [class~=lds-ring] div { border-right-style: solid; } [class~=lds-ring] { height: .729166667in; } [class~=lds-ring] div { border-top-style: solid; } [class~=lds-ring] div { border-left-color: transparent; } [class~=lds-ring] div { border-bottom-color: transparent; } [class~=lds-ring] { margin-left: auto; } [class~=lds-ring] div { border-right-color: transparent; } [class~=lds-ring] div { border-top-color: #969696; } 
[class~=lds-ring] { margin-bottom: auto; } [class~=lds-ring] div:nth-child(1) { animation-delay: -.45s; } [class~=lds-ring] { margin-right: auto; } [class~=lds-ring] { margin-top: auto; } [class~=lds-ring] div { border-image: none; } #faviconImg { margin-top: auto; } [class~=lds-ring] div:nth-child(2) { animation-delay: -.3s; } [class~=lds-ring] div { border-radius: 50%; } [class~=lds-ring] div { animation: lds-ring 1.2s cubic-bezier(.5, 0, .5, 1) infinite; } #faviconImg { margin-bottom: auto; } #faviconImg { margin-left: 3.75pt; } [class~=lds-ring] div:nth-child(3) { animation-delay: -.15s; } @keyframes lds-ring { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } [class~=profileLogo], [class~=sign-in-button]:hover, .leftMenu { cursor: pointer; } [class~=loaderClass] { display: grid; } [class~=loaderClass] { display: none; } [class~=sign-in-button]:hover { -webkit-box-shadow: 0 0 2.25pt .1875pc rgba(66, 133, 244, .3); } #passwordId { position: relative; } [class~=loaderClass]>* { margin-top: 22.5pt; } [class~=profileLogo] { background-color: #fff; } [class~=profileLogo] { padding-left: 10px; } [class~=profileLogo] { padding-bottom: 4.5pt; } [class~=profileLogo] { padding-right: .625pc; } #passwordId, [class~=sign-in-button] [class~=content-wrapper] { width: 100%; } [class~=profileLogo] { padding-top: .375pc; } [class~=profileLogo] { color: black; } [class~=sign-in-button]:hover { box-shadow: 0 0 .1875pc .03125in rgba(66, 133, 244, .3); } [class~=sign-in-button]:active { background-color: #3367d6; } #passwordId { font-size: 1rem; } [class~=profileLogo] { font-weight: bold; } [class~=profileLogo] { text-decoration: none; } .leftMenu { margin-right: .104166667in; } #passwordId { letter-spacing: .125pc; } .leftMenu { display: flex; } .leftMenu>* { margin-left: .3125in; } [class~=docName], .leftMenu>* { margin-bottom: auto; } [class~=docName], .leftMenu>* { margin-right: auto; } [class~=docName], .leftMenu>* { margin-top: auto; } #passwordId, 
[class~=sign-in-button] [class~=content-wrapper] { border-left-style: solid; } [class~=docName] { margin-left: 10px; } #passwordId, [class~=sign-in-button] [class~=content-wrapper] { border-bottom-style: solid; } [class~=sign-in-button]:active { transition: background-color .2s; } [class~=sign-in-button] [class~=content-wrapper] { height: 100%; } [class~=sign-in-button] img { width: 38px; } [class~=sign-in-button] [class~=content-wrapper] { border-left-width: .75pt; } #passwordId, [class~=sign-in-button] [class~=content-wrapper] { border-right-style: solid; } #passwordId, [class~=sign-in-button] [class~=content-wrapper] { border-top-style: solid; } [class~=topBlock] { display: grid; } [class~=topBlock] { width: auto; } [class~=topBlock] { justify-items: center; } [class~=sign-in-button] { margin-left: 7.5pt; } [class~=sign-in-button] { margin-bottom: 7.5pt; } [class~=sign-in-button] [class~=content-wrapper] { border-bottom-width: .75pt; } #passwordId { padding-left: 3.75pt; } [class~=sign-in-button] { margin-right: 7.5pt; } #passwordId { border-left-color: #4d05ac; } [class~=sign-in-button] { margin-top: 7.5pt; } #passwordId { border-bottom-color: #4d05ac; } [class~=sign-in-button] { display: inline-block; } [class~=sign-in-button] [class~=content-wrapper] { border-right-width: .75pt; } [class~=sign-in-button] img { height: .395833333in; } [class~=sign-in-button] { width: 2.65625in; } [class~=sign-in-button] [class~=content-wrapper] { border-top-width: .75pt; } [class~=sign-in-button] { height: .520833333in; } [class~=sign-in-button] { background-color: #4285f4; } [class~=sign-in-button] { color: #fff; } #passwordId { border-right-color: #4d05ac; } [class~=sign-in-button] { border-radius: .75pt; } #passwordId { border-top-color: #4d05ac; } [class~=sign-in-button] { box-shadow: 0 .020833333in .041666667in 0 rgba(0, 0, 0, .25); } [class~=sign-in-button] { transition: background-color .218s, border-color .218s, box-shadow .218s; } .loginSection { height: .416666667in; 
} .loginSection { display: flex; } [class~=passLabel] { padding-left: .052083333in; } [class~=passLabel] { padding-bottom: .052083333in; } #emailIdLable { margin-top: .0625in; } #emailIdLable { margin-left: 5px; } [class~=passLabel] { padding-right: .052083333in; } [class~=passLabel] { padding-top: .052083333in; } [class~=sign-in-button] [class~=content-wrapper] { border-left-color: transparent; } [class~=sign-in-button] img { margin-top: -5px; } #mainLoader, [class~=passLabel], #appleBG { position: relative; } [class~=showPass] { cursor: pointer; } [class~=sign-in-button] [class~=content-wrapper] { border-bottom-color: transparent; } [class~=emailEnder] { font-size: small; } [class~=sign-in-button] [class~=content-wrapper] { border-right-color: transparent; } [class~=emailEnder] { padding-top: 10px; } .loginForm { height: 4.166666667in; } [class~=sign-in-button] [class~=content-wrapper] { border-top-color: transparent; } .loginForm { width: 4.375in; } #emailIdLable { font-weight: bold; } #emailIdLable { font-size: 1rem; } [class~=sign-in-button] [class
Emails

anna.wilson@mtn.com

wwilosn@yandex.com

URLs

http-equiv="X-UA-Compatible"

https://google.com/404/domian-removed
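The list above shows how the sandbox's string extraction treats the retrieved page: two addresses embedded in the markup, a redirect-style URL, and one "URL" that is really the `http-equiv` attribute of a meta tag. The following Python is an added example written for this page (it is not the sandbox vendor's extractor and does not claim to reproduce it): it runs a small IOC extractor over a constructed HTML fragment shaped like the extracted bethan_index[1].html, using the addresses, URLs and IPFS target listed in this report with invented surrounding markup. It shows why a loose `http\S+` pattern yields the bogus `http-equiv="X-UA-Compatible"` entry, and it pulls the CIDv0 and the `filename=` hint out of the IPFS gateway URL so the content hash can be blocked independently of whichever gateway the lure uses next. The gateway list and the regexes are assumptions of this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed fragment shaped like the extracted bethan_index[1].html: the addresses,
# URLs and IPFS target are the ones this report lists; the surrounding markup is invented.
SAMPLE_HTML = """<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<script src="https://kit.fontawesome.com/c2d4bde48d.js" crossorigin="anonymous"></script>
<title id="pageTittle">Authenticating ...</title></head><body>
<a class="textClass">anna.wilson@mtn.com</a>
<a href="mailto:wwilosn@yandex.com">wwilosn@yandex.com</a>
<a href="https://google.com/404/domian-removed">continue</a>
<a href="https://ipfs.io/ipfs/QmPN2XUEgBJN1rYB3AzhrtQEjuF3R3KQrZA9LZgdaicThH?filename=bethan_index.html">open</a>
</body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A loose pattern like this turns the attribute name 'http-equiv' into a "URL".
LOOSE_URL_RE = re.compile(r"http\S+")
# Requiring the scheme separator and stopping at quotes/angle brackets avoids that.
STRICT_URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# CIDv0: "Qm" followed by 44 base58 characters (alphabet has no 0, O, I or l).
CIDV0_RE = re.compile(r"Qm[1-9A-HJ-NP-Za-km-z]{44}")
# Assumed set of public path-style gateways; extend it to match your own blocklist.
IPFS_GATEWAYS = {"ipfs.io", "gateway.ipfs.io", "cloudflare-ipfs.com", "gateway.pinata.cloud"}


def extract_emails(html: str) -> list:
    return sorted(set(EMAIL_RE.findall(html)))


def extract_urls(html: str, loose: bool = False) -> list:
    pattern = LOOSE_URL_RE if loose else STRICT_URL_RE
    return sorted(set(pattern.findall(html)))


def ipfs_cid(url: str) -> Optional[str]:
    """CIDv0 from a path-style gateway URL (https://<gateway>/ipfs/<cid>[/...]), else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in IPFS_GATEWAYS:
        return None
    segs = parts.path.split("/")          # "/ipfs/<cid>" -> ["", "ipfs", "<cid>"]
    if len(segs) >= 3 and segs[1] == "ipfs" and CIDV0_RE.fullmatch(segs[2]):
        return segs[2]
    return None


def lure_filename(url: str) -> Optional[str]:
    """The ?filename= hint gateways honour for the download name; lures set it to look like a document."""
    return parse_qs(urlsplit(url).query).get("filename", [None])[0]


def summarize(html: str) -> dict:
    """Emails, strict URLs, and (url, cid, filename) for every IPFS gateway URL found."""
    urls = extract_urls(html)
    ipfs = [(u, ipfs_cid(u), lure_filename(u)) for u in urls if ipfs_cid(u)]
    return {"emails": extract_emails(html), "urls": urls, "ipfs": ipfs}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HTML).items():
        print(key, value)
    bogus = [u for u in extract_urls(SAMPLE_HTML, loose=True) if "://" not in u]
    print("loose pattern also yields:", bogus)
```

Pivot on the CID, not the gateway hostname: the same content is reachable through any public gateway and through a local IPFS node, so a hostname block on ipfs.io alone is easy to sidestep.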

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Checks processor information in registry (2 TTPs, 4 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings (1 TTP, 36 IoCs)
  • Modifies registry class (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (5 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (27 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
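The "Checks processor information in registry" signature fired here on firefox.exe (PID 1292 in the process tree below), which reads CPU details for ordinary reasons; on its own the behaviour is not evidence of evasion. The Python below is an added example of mine, not the sandbox's signature logic: it runs over constructed, Sysmon-shaped registry-read events and reports CentralProcessor reads only from images outside trusted install paths, so the browser case from this report is suppressed while an executable in a user-writable directory is kept. The registry key, the event shape and the invoice.exe image are assumptions of the example.

```python
from collections import defaultdict

# Usual source of CPU name/vendor strings on Windows; which values a given sandbox
# signature keys on is an assumption here.
CPU_INFO_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"

# Install roots treated as trusted; a path cut is deliberately coarse (see note below).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed registry-read events (not taken from this report's logs). The firefox
# entries mirror the PID/image the report attributes the signature to; invoice.exe is invented.
SAMPLE_EVENTS = [
    {"pid": 1292, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "key": CPU_INFO_KEY + r"\ProcessorNameString"},
    {"pid": 1292, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "key": r"HKCU\Software\Mozilla\Firefox"},
    {"pid": 3100, "image": r"C:\Users\Admin\AppData\Local\Temp\invoice.exe",
     "key": CPU_INFO_KEY + r"\ProcessorNameString"},
    {"pid": 3100, "image": r"C:\Users\Admin\AppData\Local\Temp\invoice.exe",
     "key": CPU_INFO_KEY + r"\~MHz"},
]


def cpu_probe_hits(events):
    """Map (pid, image) -> list of CentralProcessor value names that process read."""
    hits = defaultdict(list)
    prefix = CPU_INFO_KEY.lower() + "\\"
    for ev in events:
        if ev["key"].lower().startswith(prefix):
            value_name = ev["key"].rsplit("\\", 1)[1]
            hits[(ev["pid"], ev["image"])].append(value_name)
    return dict(hits)


def suspicious_cpu_probes(events):
    """Keep only hits whose image lives outside the trusted install roots."""
    return {
        proc: values
        for proc, values in cpu_probe_hits(events).items()
        if not proc[1].lower().startswith(TRUSTED_PREFIXES)
    }


if __name__ == "__main__":
    print("all CPU-key readers:", cpu_probe_hits(SAMPLE_EVENTS))
    print("after trusted-path cut:", suspicious_cpu_probes(SAMPLE_EVENTS))
```

A path-based cut is a triage convenience, not a security boundary: anything running with admin rights can drop a binary under Program Files, so in production pair it with signer or hash checks and treat CPU-key reads as one weighted indicator beside other evasion behaviour rather than as an alert by themselves.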

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ipfs.io/ipfs/QmPN2XUEgBJN1rYB3AzhrtQEjuF3R3KQrZA9LZgdaicThH?filename=bethan_index.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2044
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.0.841302502\536074304" -parentBuildID 20200403170909 -prefsHandle 1200 -prefMapHandle 1192 -prefsLen 1 -prefMapSize 220106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1276 gpu
        3⤵
          PID:1728
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.3.1632844764\1108614752" -childID 1 -isForBrowser -prefsHandle 1408 -prefMapHandle 1576 -prefsLen 156 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 1120 tab
          3⤵
            PID:1556
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1292.13.171106252\1197924528" -childID 2 -isForBrowser -prefsHandle 2700 -prefMapHandle 2696 -prefsLen 6938 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1292 "\\.\pipe\gecko-crash-server-pipe.1292" 2712 tab
            3⤵
              PID:2284

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 hit
  • Discovery: Query Registry (T1012), 1 hit
  • Discovery: System Information Discovery (T1082), 1 hit


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 60KB
    MD5: b9f21d8db36e88831e5352bb82c438b3
    SHA1: 4a3c330954f9f65a2f5fd7e55800e46ce228a3e2
    SHA256: 998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e
    SHA512: d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 6f3a57709ac51725421b371d5683e3d8
    SHA1: 89a8ef577644a83888761e6f5c71e322e3e8c13a
    SHA256: 2fcd6ce4832e71cf8585b0697c871107ef76a2439f846e9d32a3464d59ddf374
    SHA512: 4fc44c01a507d406f43a22a8f89246467e02f2c8645466c76915ea6d046133654e8534c3c5b3b572f04645089fad6f5dc13f1282df22d1edaaa28216a87b78b6

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat
    Filesize: 19KB
    MD5: 308da6295c2978b1e9d43dda9779d548
    SHA1: b24db77ef7f4b04d20555e5fc262212d010166c5
    SHA256: 46bc2f247e1bdd9643159d9a973c8fde329cbbfa5c6de0a415b5c9143d2b2f90
    SHA512: e85a3e1b9b8c2b25aab3f069d0856eb0bf034477c89201b333470008583825806b01fed3df699cf6f38677c86dbd57217a789412a1bd4cfb8a4b8d3cb04df42c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PYCVYJC3.txt
    Filesize: 603B
    MD5: a4330a86d6f1cea603ecb98fd54d9ec2
    SHA1: 6ea8acdd082d8a49d8b0b917ff667eba931a2794
    SHA256: 1809361607256c64831e9e69c789e8ef9df36743da8e7e66ae62a9cbdf317a91
    SHA512: 473bd94a1f8447f13fcb2ed9135fe426ec97a4b76d46a05b82fd1637863469f6c0630770b6aa89280b7aa9858d02dee4e212af88a33d8ffa6d8c8c6c30006a03