Analysis
max time kernel: 8s
max time network: 17s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2023 12:49
Static task
static1: 1 signature
Behavioral task
behavioral1: sample RYUK RANSOMWARE.exe, resource win7-20231025-en (windows7-x64), 6 signatures, 60 seconds
Behavioral task
behavioral2: sample RYUK RANSOMWARE.exe, resource win10v2004-20231020-en (windows10-2004-x64), 6 signatures, 60 seconds
General
Target: RYUK RANSOMWARE.exe
Size: 205KB
MD5: 881db1945686533f06f6626da444a7b5
SHA1: 776fff17a531a374d13a9e267db764e3463a4cfc
SHA256: c85fec6ed44bdfd54c5f37190ffad38919640064ce718045e228dca65f74ec7b
SHA512: 639d684ab5a15a23355577d0c0e6cab29fe66596af5c5644a4fb258c3f65324c94f4c5fc4f76c7b7ac2ff0f15ffc69e98c279f59e8897e3db4e3ffaee2e96af6
SSDEEP: 3072:30imLeE+6Kiei4VrJo6lxPJUVjIMaNhUv:LE+6Kt53oExlNh
Score: 7/10
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation
  Process: RYUK RANSOMWARE.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1096, Process RYUK RANSOMWARE.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 1096; Process RYUK RANSOMWARE.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 1096 wrote to memory of 2412 | 1096 | RYUK RANSOMWARE.exe | 60
  PID 1096 wrote to memory of 3736 | 1096 | RYUK RANSOMWARE.exe | 90
  PID 1096 wrote to memory of 3736 | 1096 | RYUK RANSOMWARE.exe | 90
  PID 1096 wrote to memory of 4020 | 1096 | RYUK RANSOMWARE.exe | 92
  PID 1096 wrote to memory of 4020 | 1096 | RYUK RANSOMWARE.exe | 92
  PID 3736 wrote to memory of 1644 | 3736 | net.exe | 94
  PID 3736 wrote to memory of 1644 | 3736 | net.exe | 94
  PID 1096 wrote to memory of 2424 | 1096 | RYUK RANSOMWARE.exe | 59
  PID 4020 wrote to memory of 4724 | 4020 | net.exe | 96
  PID 4020 wrote to memory of 4724 | 4020 | net.exe | 96
  PID 1096 wrote to memory of 2524 | 1096 | RYUK RANSOMWARE.exe | 17
  PID 1096 wrote to memory of 3484 | 1096 | RYUK RANSOMWARE.exe | 23
  PID 1096 wrote to memory of 3728 | 1096 | RYUK RANSOMWARE.exe | 50
  Not all 13 events carry the same weight. The writes by 1096 into 3736 and 4020, and by each net.exe into its own net1.exe child (1644, 4724), are the parent-to-child writes CreateProcess performs when it sets up a new process and would appear for any program that launches a child. The writes by 1096 into the pre-existing sihost.exe (2412), svchost.exe (2424, 3484), taskhostw.exe (2524) and DllHost.exe (3728), none of which it spawned, are the ones to treat as possible code injection; the SeDebugPrivilege adjustment recorded in the same process is consistent with preparing to open other processes for writing.
Processes
C:\Windows\system32\taskhostw.exe (PID 2524)
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe (PID 3484)
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe (PID 3728)
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe (PID 2424)
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe (PID 2412)
    sihost.exe
C:\Users\Admin\AppData\Local\Temp\RYUK RANSOMWARE.exe (PID 1096)
    "C:\Users\Admin\AppData\Local\Temp\RYUK RANSOMWARE.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\net.exe (PID 3736)
        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe (PID 1644)
            C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    C:\Windows\System32\net.exe (PID 4020)
        "C:\Windows\System32\net.exe" stop "samss" /y
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe (PID 4724)
            C:\Windows\system32\net1 stop "samss" /y

The five system processes listed first (taskhostw.exe, both svchost.exe instances, DllHost.exe and sihost.exe) appear in the tree as targets of the sample's WriteProcessMemory events, not as processes it launched. The two net stop commands target SamSs (the Security Accounts Manager service) and AudioEndpointBuilder (Windows Audio Endpoint Builder); the /y switch answers yes to any prompt, so dependent services are stopped without interaction. net.exe hands the actual work to net1.exe, which is why each stop appears twice in the tree.
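To make the two findings above checkable outside the sandbox UI, here is an added Python example (not part of this report or of the sandbox's own tooling). It takes the process list and the "wrote to memory of" pairs transcribed from this page, separates the parent-to-child writes that CreateProcess always produces from writes into processes the writer did not spawn, and walks each net stop command back to the process that ultimately launched it. The record layout, the classification rule and the function names are this example's own assumptions; the PIDs, image paths, command lines and service names are the ones reported above.

```python
"""Triage the WriteProcessMemory and net.exe findings from the report above.

Added example, not part of the sandbox report or its tooling. PIDs, images,
command lines, service names and write pairs are transcribed from the page;
the record layout, the classification rule and the function names are this
example's own assumptions.
"""
import re

# pid -> (parent pid, image path, command line). Parents follow the report's
# tree: net.exe under the sample, net1.exe under net.exe. The five system
# processes at the top of the tree were not spawned by the sample, so their
# parent is unknown here (None).
PROCESSES = {
    2524: (None, r"C:\Windows\system32\taskhostw.exe",
           "taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}"),
    3484: (None, r"C:\Windows\system32\svchost.exe",
           "svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc"),
    3728: (None, r"C:\Windows\system32\DllHost.exe",
           "DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}"),
    2424: (None, r"C:\Windows\system32\svchost.exe",
           "svchost.exe -k UnistackSvcGroup -s CDPUserSvc"),
    2412: (None, r"C:\Windows\system32\sihost.exe", "sihost.exe"),
    1096: (None, r"C:\Users\Admin\AppData\Local\Temp\RYUK RANSOMWARE.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\RYUK RANSOMWARE.exe"'),
    3736: (1096, r"C:\Windows\System32\net.exe",
           r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y'),
    1644: (3736, r"C:\Windows\system32\net1.exe",
           r'C:\Windows\system32\net1 stop "audioendpointbuilder" /y'),
    4020: (1096, r"C:\Windows\System32\net.exe",
           r'"C:\Windows\System32\net.exe" stop "samss" /y'),
    4724: (4020, r"C:\Windows\system32\net1.exe",
           r'C:\Windows\system32\net1 stop "samss" /y'),
}

# "PID X wrote to memory of Y" events as (writer, target). The report
# records most pairs twice; a set collapses the duplicates.
WRITES = {
    (1096, 2412), (1096, 3736), (1096, 4020), (3736, 1644), (1096, 2424),
    (4020, 4724), (1096, 2524), (1096, 3484), (1096, 3728),
}

NET_STOP = re.compile(r'\bstop\s+"?([^"\s]+)"?', re.IGNORECASE)


def classify_writes(processes, writes):
    """Split write events into CreateProcess child setup and injection-like.

    A parent writes into a child it has just created (the loader fills in the
    new process's PEB and parameters), so writer == parent is expected. A
    write into a process the writer did not create has no such explanation
    and is the part worth treating as possible injection.
    """
    child_setup, injection_like = [], []
    for writer, target in sorted(writes):
        bucket = child_setup if processes[target][0] == writer else injection_like
        bucket.append((writer, target))
    return child_setup, injection_like


def root_of(processes, pid):
    """Walk parent links up to the first process with no recorded parent."""
    while processes[pid][0] is not None:
        pid = processes[pid][0]
    return pid


def service_stops(processes):
    """Return (service, root pid, root image) for every net.exe stop command.

    net1.exe carries the same arguments, so only net.exe is matched to avoid
    counting each stop twice.
    """
    stops = []
    for pid, (_, image, cmdline) in processes.items():
        if not image.lower().endswith(r"\net.exe"):
            continue
        m = NET_STOP.search(cmdline)
        if m:
            root = root_of(processes, pid)
            stops.append((m.group(1).lower(), root, processes[root][1]))
    return sorted(stops)


def triage(processes, writes):
    """Summarise the report: which writes are benign setup, which images were
    written into without being spawned, and which services were stopped."""
    child_setup, injection_like = classify_writes(processes, writes)
    return {
        "child_setup_writes": child_setup,
        "injection_like_writes": injection_like,
        "injected_images": sorted({processes[t][1] for _, t in injection_like}),
        "service_stops": service_stops(processes),
    }


if __name__ == "__main__":
    for key, value in triage(PROCESSES, WRITES).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

Run as-is, the script puts the four parent-to-child writes in the benign bucket and leaves five writes by PID 1096 into sihost.exe, the two svchost.exe instances, taskhostw.exe and DllHost.exe as the injection-like set, and attributes both service stops (audioendpointbuilder, samss) to the sample at PID 1096 rather than to net.exe. The same parent-vs-nonparent rule applies to Sysmon event ID 8/10 or EDR cross-process telemetry, where the parent PID is available directly instead of being reconstructed from a report.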