Overview

overview

10

Static

static

ryuk.exe

windows7-x64

10

ryuk.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    8s
  • max time network
    11s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2022 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ryuk.exe

  • Size

    384KB

  • MD5

    5ac0f050f93f86e69026faea1fbb4450

  • SHA1

    9709774fde9ec740ad6fed8ed79903296ca9d571

  • SHA256

    23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

  • SHA512

    b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d

  • SSDEEP

    6144:f5yaXtrA/WSo1rl3ALrlHQpn0BwK3SBDmhYfFQC:fTX6WSofcZ+KCIGD

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      PID:3280
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
        PID:3076
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
          PID:2744
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            PID:2448
          • C:\Windows\system32\sihost.exe
            sihost.exe
              PID:2408
            • C:\Users\Admin\AppData\Local\Temp\ryuk.exe
              "C:\Users\Admin\AppData\Local\Temp\ryuk.exe"
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:2284
              • C:\users\Public\GvTYI.exe
                "C:\users\Public\GvTYI.exe" C:\Users\Admin\AppData\Local\Temp\ryuk.exe
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4208
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\GvTYI.exe" /f
                  • Suspicious use of WriteProcessMemory
                  PID:4904
                  • C:\Windows\system32\reg.exe
                    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\GvTYI.exe" /f
                    • Adds Run key to start application
                    PID:4816

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            00:00 00:00

            Downloads

            • C:\Users\Public\GvTYI.exe
              Filesize

              170KB

              MD5

              31bd0f224e7e74eee2847f43aae23974

              SHA1

              92e331e1e8ad30538f38dd7ba31386afafa14a58

              SHA256

              8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

              SHA512

              a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

              Download Submit
            • C:\users\Public\GvTYI.exe
              Filesize

              170KB

              MD5

              31bd0f224e7e74eee2847f43aae23974

              SHA1

              92e331e1e8ad30538f38dd7ba31386afafa14a58

              SHA256

              8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

              SHA512

              a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

              Download Submit
            • memory/2408-137-0x00007FF6A5670000-0x00007FF6A59FE000-memory.dmp
              Filesize

              3MB

              Download
            • memory/4208-132-0x0000000000000000-mapping.dmp
              Download
            • memory/4816-136-0x0000000000000000-mapping.dmp
              Download
            • memory/4904-135-0x0000000000000000-mapping.dmp
              Download