763f87c330f656f6ad258a660d920a4e633e79e2591a3def855d9444d24cbc8b

Analysis

max time kernel
7s
max time network
10s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe
Size

206KB
MD5

785441d795ee886e64a262cb4128fa88
SHA1

7f44a811f375b0f1345fc899d87830dcb4c7b910
SHA256

763f87c330f656f6ad258a660d920a4e633e79e2591a3def855d9444d24cbc8b
SHA512

e5b2f6ee99519962c1f5f3bd98fffef2ae6b94d9b18e616746cc787b0e4092254af989680053732aae2c50e291db86146e25cbf56644afe8da8b23f5750691bb
SSDEEP

1536:QQNiHikoUR86gSEB47j9kY61YZVDbeLtoepdEgIbsW9d7B9dl23PQx0scIC:Rkot6FEBwrfVDmtoepG19VA3o6scIC

Score

9^/10

Malware Config

Signatures

Detects command variations typically used by ransomware 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2464-1-0x00007FF738EF0000-0x00007FF739287000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe

pid	process
440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe
440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe
440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe
440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe

description pid process

Token: SeDebugPrivilege 440 2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe

description	pid	process
Token: SeDebugPrivilege	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exenet.exenet.exenet.exe

description	pid	process	target process
PID 440 wrote to memory of 2464	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe	sihost.exe
PID 440 wrote to memory of 4092	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe	net.exe
PID 440 wrote to memory of 4092	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe	net.exe
PID 4092 wrote to memory of 4008	4092	net.exe	net1.exe
PID 4092 wrote to memory of 4008	4092	net.exe	net1.exe
PID 440 wrote to memory of 1924	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe	net.exe
PID 440 wrote to memory of 1924	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe	net.exe
PID 440 wrote to memory of 2480	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe	svchost.exe
PID 1924 wrote to memory of 2940	1924	net.exe	net1.exe
PID 1924 wrote to memory of 2940	1924	net.exe	net1.exe
PID 440 wrote to memory of 2848	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe	net.exe
PID 440 wrote to memory of 2848	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe	net.exe
PID 2848 wrote to memory of 4484	2848	net.exe	net1.exe
PID 2848 wrote to memory of 4484	2848	net.exe	net1.exe
PID 440 wrote to memory of 2720	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe	taskhostw.exe
PID 440 wrote to memory of 3672	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe	svchost.exe
PID 440 wrote to memory of 3860	440	2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe	DllHost.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2480

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_785441d795ee886e64a262cb4128fa88_ryuk.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:4008
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2464-0-0x00007FF738EF0000-0x00007FF739287000-memory.dmp

Filesize
3.6MB

Download
memory/2464-1-0x00007FF738EF0000-0x00007FF739287000-memory.dmp

Filesize
3.6MB

Download