e301f19720af26914bd818e738f68ce7d1fa7ccdcd1cbe97b867e2bbf7fbe97e

Analysis

max time kernel
160s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
Size

21.6MB
MD5

036b5cf132e734762af8fbf07faf094a
SHA1

d71e385c7a3e808acfcf63f71291ba74c435b306
SHA256

e301f19720af26914bd818e738f68ce7d1fa7ccdcd1cbe97b867e2bbf7fbe97e
SHA512

bd4f1113e9f161edc2aed4c9816779b367bdb68e637178e37a3d26d7e17991b8872020e232c21dbe83485d3f19c19312a5c8a598dd07941834fc91169db04723
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMW:9nwngnwnBR/

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe

Renames multiple (224) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\Y:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\G:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\O:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\P:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\Z:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\K:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\W:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\X:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\L:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\M:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\N:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\T:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\U:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\E:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\H:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\I:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\V:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\Q:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\S:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\A:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\B:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened (read-only)	\??\J:	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.exe	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4712	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
4712	NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3125601242-331447593-1512828465-1000\desktop.ini.exe

Filesize
21.6MB

MD5
53e56505a047f95e4a306af08d0c63f8

SHA1
892be5e84cfd69d27dc69719931609476194367b

SHA256
59cbb41510417ada36fd6573d6ddb32213dbc0d1cd7657d300b60a18b3b173bd

SHA512
6dcdda6b804ee4b1b9be10419e5340a446183ea406e28b0ecfbd71ee5c62fcfb5613dfe8561c23ea1f055ada51dedb16113492053d29c6c874e15d7bce48d339

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
22.4MB

MD5
1c94f83fb8d6432a4e8b02e63261b25a

SHA1
b14e366c6f632862cb2746373c3467d0b72031f2

SHA256
8216b3eee1390c62fbf2b0d33f7a3f6ae8739ac50a5365797aa05379399eb008

SHA512
7d37b4bf934d87b6c342c9a544c314fe3d40a2523afd5e1a78090191ca057cb20d78da62c4618fb25be771b2d0b624c99bf3efea4002027c66012a355cc29628

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/4712-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4712-1-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4712-2-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4712-61-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download