Overview

overview

10

Static

static

3

2023-08-22...JC.exe

windows7-x64

10

2023-08-22...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    02/09/2023, 17:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2023-08-22_53ae3998779825da250ac4e5c81773dc_ryuk_JC.exe

  • Size

    3.4MB

  • MD5

    53ae3998779825da250ac4e5c81773dc

  • SHA1

    bcbe29e72f9b57451e33d441966d2d409bfd8ff2

  • SHA256

    35325555ffe7e72a77b0eb9141e1f257c653aba4ef587d94c5b5c5053b12829f

  • SHA512

    686b8b135f56fbc4bc43bd4bc92ff1fd3827b25aefce5404e695c0499071aa7767028ec7e5d02f59804ae0a1f09476915a6ff128880e9fea6652883139db69fd

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzM5:9n/

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Drops startup file 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-08-22_53ae3998779825da250ac4e5c81773dc_ryuk_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-08-22_53ae3998779825da250ac4e5c81773dc_ryuk_JC.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2160

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3185155662-718608226-894467740-1000\desktop.ini.exe
          Filesize

          3.4MB

          MD5

          8ec8646d8c7b9c698a9591a6124aa35b

          SHA1

          25f23d2fd2899f29db0b1343c15e589b0331d9ef

          SHA256

          b28665137beef485b4df85233a7b10598c64f8229ce5d8838b2f6c25e73b7d71

          SHA512

          1163f65634b990e0db34c8fa0e3f6ff89c3066dcbcf63471cbef0fa325b616da5cadb0adb6d31e5c97e060519aff83c1087f4f5462c9c7879fe3bb8ae55e42a2

          Download Submit

        • C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe
          Filesize

          4.2MB

          MD5

          af97549de3850d81a8a6a1769513e92b

          SHA1

          187f4b8b2d997e0b83a8d1f396584affaef527d0

          SHA256

          1e3ef7eb3196c5891a4287424a3584a7878249fcfb0b27957a576b1d973167c7

          SHA512

          010ad88aeaa4fe33ab44042af80bde491a9483dae2ce640e22fdfba37754221222ccb5389f08177e0e4322cac69440ed3b1d8080bc4be48fd98568bb2e254965

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize

          1KB

          MD5

          281f821218a23d3ad8cc344157427110

          SHA1

          efc972d5c1a27c9b63428eed31c9834192540684

          SHA256

          54d367d27c8ca5c30d91cddf86e65221466c32e26ca19af8beafd2170c2b6bf7

          SHA512

          6bd8b59a587520e3dfaa138908826502f5043bba6e64629cd2945555e82b9b92110d4fc9e56b3fb1826401bf5581e57dc58aac8c083bf0d6093639e1637dd4e4

          Download Submit

        • F:\AUTORUN.INF
          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

          Download Submit

        • memory/2160-0-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

          Download

        • memory/2160-1-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2160-70-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

          Download

        • memory/2160-75-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download