23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Analysis

max time kernel
8s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2022 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ryuk.exe
Size

384KB
MD5

5ac0f050f93f86e69026faea1fbb4450
SHA1

9709774fde9ec740ad6fed8ed79903296ca9d571
SHA256

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
SHA512

b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d
SSDEEP

6144:f5yaXtrA/WSo1rl3ALrlHQpn0BwK3SBDmhYfFQC:fTX6WSofcZ+KCIGD

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

GvTYI.exe

pid process

4208 GvTYI.exe

pid	process
4208	GvTYI.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ryuk.exeGvTYI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ryuk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	GvTYI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\GvTYI.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

GvTYI.exe

pid process

4208 GvTYI.exe
4208 GvTYI.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GvTYI.exe

description pid process

Token: SeDebugPrivilege 4208 GvTYI.exe

pid	process
4208	GvTYI.exe
4208	GvTYI.exe

description	pid	process
Token: SeDebugPrivilege	4208	GvTYI.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ryuk.exeGvTYI.execmd.exe

description	pid	process	target process
PID 2284 wrote to memory of 4208	2284	ryuk.exe	GvTYI.exe
PID 2284 wrote to memory of 4208	2284	ryuk.exe	GvTYI.exe
PID 4208 wrote to memory of 4904	4208	GvTYI.exe	cmd.exe
PID 4208 wrote to memory of 4904	4208	GvTYI.exe	cmd.exe
PID 4208 wrote to memory of 2408	4208	GvTYI.exe	sihost.exe
PID 4904 wrote to memory of 4816	4904	cmd.exe	reg.exe
PID 4904 wrote to memory of 4816	4904	cmd.exe	reg.exe
PID 4208 wrote to memory of 2448	4208	GvTYI.exe	svchost.exe
PID 4208 wrote to memory of 2744	4208	GvTYI.exe	taskhostw.exe
PID 4208 wrote to memory of 3076	4208	GvTYI.exe	svchost.exe
PID 4208 wrote to memory of 3280	4208	GvTYI.exe	DllHost.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3076

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2448

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2284

C:\users\Public\GvTYI.exe
"C:\users\Public\GvTYI.exe" C:\Users\Admin\AppData\Local\Temp\ryuk.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\GvTYI.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\GvTYI.exe" /f
4⤵
- Adds Run key to start application
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\GvTYI.exe
Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
C:\users\Public\GvTYI.exe
Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
memory/2408-137-0x00007FF6A5670000-0x00007FF6A59FE000-memory.dmp

Filesize
3.6MB

Download
memory/4208-132-0x0000000000000000-mapping.dmp

Download
memory/4816-136-0x0000000000000000-mapping.dmp

Download
memory/4904-135-0x0000000000000000-mapping.dmp

Download