Analysis

  • max time kernel
    151s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-04-2023 03:50

General

  • Target

    2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe

  • Size

    3.1MB

  • MD5

    d0cceb5de3b6abf673d4939e7383d129

  • SHA1

    12f9befb0b50b188c5c6067b3f0079864ae16c56

  • SHA256

    9673fd7dd5945f643996dd58e2ff4a178f536a8f69ad17d29b47319728a8ec67

  • SHA512

    44b63cc1a990385e54676f428d944fe2cb9b8accde7e887103279f809950cefd975cc561365cec59846905497b15c4cd436cd8cf8de50e019ff296ecdc8cafff

  • SSDEEP

    12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCz:eEtl9mRda12sX7hKB8NIyXbacAfY

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:4876

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\desktop.ini.exe

    Filesize

    3.1MB

    MD5

    33e721defb78250a277d71689433d6a8

    SHA1

    f0b91afedbf197c0cacf232f44c8782c3375d728

    SHA256

    72a7aa49e32317c792ee75847ac740d5717a781b11bd244f5755c50c1e06a5bd

    SHA512

    c198eb84f55a9a3d80791bbfc486104b9757868af45d81411385ac771a6e35a1907ec5a7520a537e158e800a017a78a2573406de1370d97f1a4b4115aa5d0dbc

  • C:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

    Filesize

    3.9MB

    MD5

    dc6bcbbd7e66222c44c7a9ebed6987b3

    SHA1

    e66929a5cb342d613224899dde31a4d3540f26c8

    SHA256

    c422d202483c5a0b2340ae183b905202615a960107985254ab59044247847cba

    SHA512

    bb43f44e9f8d8d8d9196d67c5e70d892013d89791c398bf7c51501202b1c283cf84d32a6b8d739006eb64d60ea329bddb10f93e6ea2c57c57ad2744156a560a9

  • memory/4876-133-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/4876-140-0x00000000021C0000-0x00000000021C1000-memory.dmp

    Filesize

    4KB

  • memory/4876-368-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB