67f2146b105752242e67f8385a63baa06349fc73a1489ff4f2fb097e01fe7752

General

Target

2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
Size

4.1MB
MD5

326c65bdd7b5705d5b44c26d3cb5df72
SHA1

341d5211d4dbc6ec202b1212efd9bb38b9da1ea6
SHA256

67f2146b105752242e67f8385a63baa06349fc73a1489ff4f2fb097e01fe7752
SHA512

61cd89c9143d3985bff30a55340a1d28d11ae6909a71a0629a9e2704b8c94e2fbd9672bc26bb7e912987eeec4cfc8e543963807b50a5b6f6374968018516be34
SSDEEP

98304:R1Q9qZFSd9o31ZlZP9ybmBCTauIejZc3j20L8ghQLj9INDwhPBlsR2Yv1sTF+:R1Q8yS1LxQbmkVjZczjL8ghQxIBwhPBw

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 2 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001445e-42.dat	UPX
behavioral1/memory/2440-46-0x000000013F760000-0x0000000141580000-memory.dmp	UPX

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startpa.bat	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startpa.bat	xcopy.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	sacoxxion.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e00000001445e-42.dat	upx
behavioral1/memory/2440-46-0x000000013F760000-0x0000000141580000-memory.dmp	upx

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Experience\sacoxxion.exe	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
File created	C:\Program Files\Experience\copy.bat	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
File opened for modification	C:\Program Files\Experience\copy.bat	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
File opened for modification	C:\Program Files\Experience\sonis.vbs	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
File created	C:\Program Files\Experience\sonis.bat	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
File opened for modification	C:\Program Files\Experience	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
File created	C:\Program Files\Experience\__tmp_rar_sfx_access_check_259409382	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
File created	C:\Program Files\Experience\startpa.bat	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
File opened for modification	C:\Program Files\Experience\startpa.bat	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
File opened for modification	C:\Program Files\Experience\sonis.bat	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
File opened for modification	C:\Program Files\Experience\sacoxxion.exe	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
File created	C:\Program Files\Experience\sonis.vbs	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2528	2980	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe	28
PID 2980 wrote to memory of 2528	2980	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe	28
PID 2980 wrote to memory of 2528	2980	2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe	28
PID 2528 wrote to memory of 2544	2528	cmd.exe	30
PID 2528 wrote to memory of 2544	2528	cmd.exe	30
PID 2528 wrote to memory of 2544	2528	cmd.exe	30
PID 2528 wrote to memory of 2552	2528	cmd.exe	31
PID 2528 wrote to memory of 2552	2528	cmd.exe	31
PID 2528 wrote to memory of 2552	2528	cmd.exe	31
PID 2552 wrote to memory of 2392	2552	WScript.exe	32
PID 2552 wrote to memory of 2392	2552	WScript.exe	32
PID 2552 wrote to memory of 2392	2552	WScript.exe	32
PID 2392 wrote to memory of 2440	2392	cmd.exe	34
PID 2392 wrote to memory of 2440	2392	cmd.exe	34
PID 2392 wrote to memory of 2440	2392	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_326c65bdd7b5705d5b44c26d3cb5df72_ryuk.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Program Files\Experience\copy.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\xcopy.exe
    xcopy startpa.bat "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\". /Y
    3⤵
    - Drops startup file
    PID:2544
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\Experience\sonis.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\System32\cmd.exe
      cmd /c ""C:\Program Files\Experience\sonis.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Program Files\Experience\sacoxxion.exe
        
        sacoxxion.exe --algo ETHASH --pool eth-eu1.nanopool.org:9999 --user 0xeae5175fb5540a1af967d771f51f1ee98da1f56a.76k27458 --watchdog exit
        5⤵
        Executes dropped EXE
        
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Experience\copy.bat

Filesize
159B

MD5
2dd4abbc80f6872a9ff790fb8c386d73

SHA1
90d6aebca9dd4a60434615ae22910d027a2e5dba

SHA256
7a92b29d1038a500e797967550f391ed891ad3825277787a4a8df885c1d3e089

SHA512
c25b1df67e3bb75deea2f0dea38889b446f10399bb579ff9074d70dc392a154bacce446f3bde2f1687a138f792ca63f37b684896893e5430e06f904b211b5c53

Download Submit
C:\Program Files\Experience\sonis.bat

Filesize
563B

MD5
833a2c860fdf2b32ec21c9df5898ece9

SHA1
f9beaabb06163c9d8f088cd481a250222e4a1b37

SHA256
f2d67722f264c9d6fad204374cc98d11d839091f059020a9374b2218f7fbd4e5

SHA512
5efe6c38315fa76e0993dc8bb76a36668267a5a2332a62a37d9066e2dcce4086ace8a4d236356c29fdf9c561959795ec645f6dde54dd4732a527bcc895ad7681

Download Submit
C:\Program Files\Experience\sonis.vbs

Filesize
146B

MD5
9b4cc2a7bdaf9f3334895252541836f2

SHA1
0917ac80fea0e6b3e01e5f6db250cdbf4d917dc6

SHA256
cdcad660c9431f615a4a2621d4f81be16894d2233e84116347f79220c241f2e5

SHA512
5db9d56b94959f34657e1beab2467964eaf787e45da48f8da009a90c4d220370e815482ad92b55d908c4c9f57cf9f87aa6a653eb9fda9702f2544fe94841bdbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startpa.bat

Filesize
49B

MD5
fe3326c6adf9b1527298d290286e77c2

SHA1
d6b81a6e7c87a4046fa3101dad584cf7e4675e99

SHA256
32889c35fc0642f2be2a7a0106f163ee2e7889c5710d1f372ed1ee679d3a3713

SHA512
e283a1a7dd565e7f8636bd85529551d80a512d22eeb07693aae82501be265057d63e71886353afd34559ad6b9268b99054793f9d5bbc205ea44e5bacc88f903d

Download Submit
\Program Files\Experience\sacoxxion.exe

Filesize
3.7MB

MD5
3c9dcc91e05dc05a01fff739e40474d7

SHA1
4958788d0d3f4bdd7410669da6b8d66c642b0551

SHA256
6dd7b3d944595429136366b908fd18d3cac315c6f1453dd4cb5bcafa9e9a95a6

SHA512
f6fbe0bf4c71e6bda658d42b0bae94b51da6bf44ec813c070b7a74c7243f277ca0749b37dcd48a71e42295f7ade9f2384e6a69711cbb2dcbd732c0a4c7934d0f

Download Submit
memory/2392-45-0x000000013F760000-0x0000000141580000-memory.dmp

Filesize
30.1MB

Download
memory/2392-48-0x000000013F760000-0x0000000141580000-memory.dmp

Filesize
30.1MB

Download
memory/2440-46-0x000000013F760000-0x0000000141580000-memory.dmp

Filesize
30.1MB

Download

Analysis

Sharing