8bb85f0d40f0cd512cd45e0ef64410c35c212b62c9d2f5aa8e34efea550c0da6

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2023, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-04-10_535ccf48b23aa7cb594f9e20b227b613_ryuk.exe
Size

3.2MB
MD5

535ccf48b23aa7cb594f9e20b227b613
SHA1

e319c9be05bcde4a7ef0e069118d59b79a71f8ad
SHA256

8bb85f0d40f0cd512cd45e0ef64410c35c212b62c9d2f5aa8e34efea550c0da6
SHA512

1114ab4f533cd6af378e49e893664472bc033b5a3d18851e8a7c6aaf232675eda7108b81849e55386fb2e1c7a63c06babbce39bec4a872bcf67dfda57b5a0c20
SSDEEP

98304:9E2R1IMp4MMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJr:9nzIg

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
4708	HelpMe.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-04-10_535ccf48b23aa7cb594f9e20b227b613_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	2023-04-10_535ccf48b23aa7cb594f9e20b227b613_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe.exe	2023-04-10_535ccf48b23aa7cb594f9e20b227b613_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.exe	HelpMe.exe
File created	C:\Program Files\ExportApprove.shtml.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\History.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4708	HelpMe.exe
4708	HelpMe.exe
4988	2023-04-10_535ccf48b23aa7cb594f9e20b227b613_ryuk.exe
4988	2023-04-10_535ccf48b23aa7cb594f9e20b227b613_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4708	4988	2023-04-10_535ccf48b23aa7cb594f9e20b227b613_ryuk.exe	84
PID 4988 wrote to memory of 4708	4988	2023-04-10_535ccf48b23aa7cb594f9e20b227b613_ryuk.exe	84
PID 4988 wrote to memory of 4708	4988	2023-04-10_535ccf48b23aa7cb594f9e20b227b613_ryuk.exe	84

C:\Users\Admin\AppData\Local\Temp\2023-04-10_535ccf48b23aa7cb594f9e20b227b613_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-04-10_535ccf48b23aa7cb594f9e20b227b613_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\desktop.ini.exe

Filesize
2.4MB

MD5
ac0543bfad327cd05468eceb1aba6deb

SHA1
c47931b2d0ca6b7092b0637f4a84fa37488a3b7f

SHA256
453a63a777090fd70b4f0ed5bdb9c0383f34ebfc7ff6b35f23ba2c228842f642

SHA512
c20d25983de6f099c7b7f8aa155ceee349f5149a1fcea84ad3af1c74d3f68a0cc076088f6eb1235e77917fa0e78ecd8760e3c330d0a59028622d2f7f06e05383

Download Submit
C:\AUTORUN.INF

Filesize
119B

MD5
0262861fd52ad31f48a2932e6c0a1104

SHA1
c05081f0e7d8ad87b9046040eb3e43938a3b95ce

SHA256
a70f131629a437d5e69e388eb964d86e41054ecd1a85ad54c05b54785556d387

SHA512
e8770bdb92e002259e30fc207daf827bb81a1504334620ca5f800f38d49b393c9204bf7c75b240c80eb096e52153e23a044eb872e183fdb9d11006f7ef3aaeca

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
3.2MB

MD5
f7a679b22717f7482639b7fb9ccb0d64

SHA1
10379e5c9a88a1fbc07640b30adf65c52747a576

SHA256
ec51bcd8438d8223b4205b5a4bff1ba684d31925b9a7d15c93ae77adad4e43d4

SHA512
7c660eaad78ff01da6bb4469a172a306727c21794d1f494a8c59b0b05f55869384df5822bf2fa5a3cf617a7b8980bd84b98097f75f70eecc068867b3ea9e4a2e

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
4.0MB

MD5
844b3dfdf8d032129fe1543363f3a8d8

SHA1
276b67e65284a29fadcbb77d7a1d1ee1c4651767

SHA256
4db8e665bb1fbe780a41744fb22a035a8a9540d52376ae34e3b5d10cff13b3f8

SHA512
050fd66d3370a09d8bc9c8a41dafa6b787068966e8764ce1d0180f2e1b16194b74ddf0d8e05e14019d84498ca5e520a5d44401ccd75bad2a9eab259aea7c1607

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
e04aa3a6b658b95396943832bf985573

SHA1
da70e2b4b0912a7bced95e0cfeb80ced99ad1b88

SHA256
5b5796f2098629008eedadd5420d5fc1845a305fe2d41fe03773f71b36219fd7

SHA512
805c003d44b9d8d6d7c3fd99dbcf9dd86f480aad9190eb7273690ba55a1bde4ad7f59ce2d91733d80f35441154f9b7633edba99430bd95e8e062be5fd7b2cfd2

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
e04aa3a6b658b95396943832bf985573

SHA1
da70e2b4b0912a7bced95e0cfeb80ced99ad1b88

SHA256
5b5796f2098629008eedadd5420d5fc1845a305fe2d41fe03773f71b36219fd7

SHA512
805c003d44b9d8d6d7c3fd99dbcf9dd86f480aad9190eb7273690ba55a1bde4ad7f59ce2d91733d80f35441154f9b7633edba99430bd95e8e062be5fd7b2cfd2

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe

Filesize
3.4MB

MD5
fd39eace150e619ae5c6c72323e62b78

SHA1
410363aaa906366e1e9aeb0b04e99c4da341b68f

SHA256
c2992ef8d60402afa09f30877df6df9f82b257987a1405feec5a9a75b162f5c5

SHA512
5977b7e44d2e5feeb8970df121731291a525d20de5eb2f82296ef99f12abc5378478d7adb589c75d4f1ca868018aaa4c050a33ce6587c0068bdf0e2092cdeb6c

Download Submit
memory/4708-148-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4708-382-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4708-149-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4988-147-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4988-153-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4988-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download