e23c765efdf5a2dad367a83efeeebc6ac53bdc4bbdc6c42cc2d9083379451b99

General

Target

NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
Size

21.5MB
MD5

27da99119d8e3861ce4ae256eaebc77c
SHA1

2e0af5f2e0ab966a223d4859fc74b72704163688
SHA256

e23c765efdf5a2dad367a83efeeebc6ac53bdc4bbdc6c42cc2d9083379451b99
SHA512

e8835a23ff94ea55d03a8dd64603e5c6c825a059b1902df7ad606f06228af284e51c5c5faccf88a52f806c4e19d6c6740755f88b8a4bd4441d1f374dc59f2c06
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMm:9nwngnwnBRp

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe

Renames multiple (93) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\W:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\X:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\Y:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\O:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\P:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\T:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\V:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\A:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\H:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\K:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\M:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\L:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\N:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\Q:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\R:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\E:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\G:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\I:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\J:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\S:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\U:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened (read-only)	\??\Z:	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2784	NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_27da99119d8e3861ce4ae256eaebc77c_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3425689832-2386927309-2650718742-1000\desktop.ini.exe

Filesize
21.5MB

MD5
9ddc9cd6f464c63f5670b74fa455a4c1

SHA1
0132916a311c1e4ebf5d38cc6e834915c7122dc2

SHA256
fc5a74b6d440612c392d08e4fb1405c40725de2a3706273f4015edb4c1b98177

SHA512
cd284702a5e0eade7057e16f0afd6e2eec05b65f169b2af77f919c457f365acea79822d36123122007325614fbd4e18b820d33ca4c2555e67b63330b28668f3c

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
22.3MB

MD5
53a83962f82f9f74aad7675b07945263

SHA1
9ae5d0f1034dec059fdef6487170b74892c1d918

SHA256
a50780bb44da9a35874c6a9b0c345568b63047dffc59eb798a6ed62b72e6dba9

SHA512
5132b49bd131b69656b69f67b826230afe3727a28ffb547c9888f005e1320269776e0a4159e8f61d28c0f169617e953e3d16d7876241cbb2d5e2048bed2a1b60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
60a7cb3d5a40d827815c286bbc2f4460

SHA1
3d39e24c978cab43d168b92bac897eda14a6780a

SHA256
c4948a075606b689624137a29ea45101127ce14cc52aa9b1ecd0ba0f7ea0e0cc

SHA512
6f9ef8d56eecbc34cdddda90f3de820168c102e468901cba9e582a194f4f5e6daa165c1dd20235f3dc236b191476d53a21a8df0099185d7c1ed3b39b18d3ce1d

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/2784-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2784-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2784-17-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2784-30-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads