Analysis

  • max time kernel
    43s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-05-2024 20:06

General

  • Target

    Ryuk .Net Ransomware Builder.exe

  • Size

    287KB

  • MD5

    b20d5ada2e81683bda32aa80cd71c025

  • SHA1

    1ab3daa872761d887ef0be9ace528ee323201211

  • SHA256

    0d8b4a07e91e02335f600332644e8f0e504f75ab19899a58b2c85ecb0887c738

  • SHA512

    94da5ae4e43e6b0fdc8d0a83d8a3f2991a47b6e12f6781cc6aecb2d8d97a2d0da6dc456e3618c1a36697862e1a7a50b27a036b3569f33889452fe921c6981d91

  • SSDEEP

    3072:GVgr8/vRx5cCPaEy3YxB+DV0Ugr8/vfx:GSrS/yKrS

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\read_it.txt

Ransom Note
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.
What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com
Payment information
Amount: 0.1473766 BTC
Bitcoin Address: bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg
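
The note above carries the only payment indicators in this report: a USD price, a BTC amount, a bech32 address and two defanged URLs. The following is an added example, not part of the sandbox output, that pulls those fields out of the note text and computes the USD/BTC rate the two amounts imply. The regexes, the field names and the refang helper are this example's own assumptions; the note text is the one extracted above.

```python
import re
from decimal import Decimal
from typing import Optional

# Ransom note text as extracted in the report above, with the line breaks the
# sandbox collapsed restored; the defanged "hxxps" URLs are kept as printed.
RANSOM_NOTE = """All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.
What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com
Payment information
Amount: 0.1473766 BTC
Bitcoin Address: bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg
"""

# bech32 (bc1...) uses a 32-character alphabet without 1, b, i, o; legacy Base58
# addresses (1... / 3...) exclude 0, O, I, l. Both patterns sit on word boundaries
# so they do not fire inside hashes or longer tokens.
BECH32_RE = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}\b")
BASE58_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
DEFANGED_URL_RE = re.compile(r"\bhxxps?://[^\s\"'<>]+", re.I)
USD_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d+)?)")
BTC_AMOUNT_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*BTC\b")


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so the indicator can be looked up."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return url.replace("[.]", ".").replace("[:]", ":")


def extract_iocs(note: str) -> dict:
    """Pull the payment indicators out of a Chaos-style ransom note."""
    usd = USD_RE.search(note)
    btc = BTC_AMOUNT_RE.search(note)
    return {
        "usd_price": Decimal(usd.group(1).replace(",", "")) if usd else None,
        "btc_amount": Decimal(btc.group(1)) if btc else None,
        "btc_addresses": sorted(set(BECH32_RE.findall(note) + BASE58_RE.findall(note))),
        "urls": [refang(u) for u in DEFANGED_URL_RE.findall(note)],
    }


def implied_btc_price_usd(iocs: dict) -> Optional[Decimal]:
    """USD price divided by the BTC amount demanded, rounded to whole dollars.
    A rate far from the market rate at submission time suggests the amounts
    were left at a builder template value rather than set for this build."""
    if not iocs["usd_price"] or not iocs["btc_amount"]:
        return None
    return (iocs["usd_price"] / iocs["btc_amount"]).quantize(Decimal("1"))


if __name__ == "__main__":
    iocs = extract_iocs(RANSOM_NOTE)
    for key, value in iocs.items():
        print(f"{key}: {value}")
    print("implied USD/BTC:", implied_btc_price_usd(iocs))
```

Decimal is used rather than float so the BTC amount round-trips exactly into a blocklist or a chain lookup; the address regex only checks the alphabet, not the bech32 checksum, so a matched string still needs validating before it is treated as a confirmed wallet.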

Signatures

  • Chaos

    Ransomware family first seen in June 2021. Its original builder was distributed under the name "Ryuk .Net Ransomware Builder", which is the target filename here; despite the name the family is unrelated to the Ryuk ransomware.

  • Chaos Ransomware 5 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 14 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 47 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ryuk .Net Ransomware Builder.exe
    "C:\Users\Admin\AppData\Local\Temp\Ryuk .Net Ransomware Builder.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ftvommjl\ftvommjl.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78D8.tmp" "c:\Users\Admin\Desktop\CSCC1B1C8BAA9D4C3EAB8B273A81DA2D7B.TMP"
        3⤵
        PID:2520
  • C:\Users\Admin\Desktop\1.exe
    "C:\Users\Admin\Desktop\1.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:2240
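
The process tree and signatures above show four behaviours worth turning into detections: the builder invoking csc.exe with a response file under %TEMP% (the 15KB 1.exe then appears on the Desktop next to the compiler's CSC*.TMP), the dropped stub running a copy of itself named svchost.exe from AppData\Roaming, a Run key added by that copy, and notepad.exe opening read_it.txt. The following is an added example, not part of the sandbox report, that encodes those four behaviours as rules over a constructed event list modelled on this tree. The event schema, the Run-key path and value name, the rule names and the allow-lists are assumptions of the example.

```python
import ntpath
import re

# Constructed events modelled on the process tree in the report above. The event
# schema, the Run-key path and the value name are assumptions of this example:
# the report only records that svchost.exe (PID 1312) added a Run key.
EVENTS = [
    {"type": "process", "pid": 2936, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Ryuk .Net Ransomware Builder.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Ryuk .Net Ransomware Builder.exe"'},
    {"type": "process", "pid": 2416, "ppid": 2936,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ftvommjl\ftvommjl.cmdline"'},
    {"type": "process", "pid": 2520, "ppid": 2416,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmdline": r'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78D8.tmp"'},
    {"type": "process", "pid": 2836, "ppid": None,
     "image": r"C:\Users\Admin\Desktop\1.exe",
     "cmdline": r'"C:\Users\Admin\Desktop\1.exe"'},
    {"type": "process", "pid": 1312, "ppid": 2836,
     "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"type": "process", "pid": 2240, "ppid": 1312,
     "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt'},
    {"type": "registry", "pid": 1312,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svchost", "data": r"C:\Users\Admin\AppData\Roaming\svchost.exe"},
]

# Names that should only ever run from the Windows system directories.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Parents from which an in-box C# compiler launch is expected (assumption; tune per estate).
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
NOTE_NAMES = {"read_it.txt"}  # Chaos default seen in this report; extend per family
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)


def basename(path):
    return ntpath.basename(path).lower()


def is_user_writable(path):
    return bool(USER_WRITABLE_RE.search(path))


def argv(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rule_masquerading_system_binary(proc, procs):
    """svchost.exe and friends running from anywhere but System32/SysWOW64."""
    return (basename(proc["image"]) in MASQUERADE_NAMES
            and ntpath.dirname(proc["image"]).lower() not in SYSTEM_DIRS)


def rule_csc_spawned_by_untrusted_parent(proc, procs):
    """csc.exe launched by a non-developer parent that itself lives in the user profile."""
    if basename(proc["image"]) != "csc.exe":
        return False
    parent = procs.get(proc["ppid"])
    return parent is None or (basename(parent["image"]) not in DEV_PARENTS
                              and is_user_writable(parent["image"]))


def rule_ransom_note_opened(proc, procs):
    """notepad.exe opening a file whose name is a known ransom-note name."""
    return (basename(proc["image"]) == "notepad.exe"
            and any(basename(a) in NOTE_NAMES for a in argv(proc["cmdline"])[1:]))


def rule_run_key_points_to_user_profile(event):
    """Run/RunOnce value whose data is an executable inside a user-writable path."""
    return "\\currentversion\\run" in event["key"].lower() and is_user_writable(event["data"])


PROCESS_RULES = {
    "masquerading_system_binary": rule_masquerading_system_binary,
    "csc_spawned_by_untrusted_parent": rule_csc_spawned_by_untrusted_parent,
    "ransom_note_opened": rule_ransom_note_opened,
}


def detect(events):
    """Return sorted (rule, pid) pairs for every event that trips a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = [(name, p["pid"]) for name, rule in PROCESS_RULES.items()
            for p in procs.values() if rule(p, procs)]
    hits += [("run_key_points_to_user_profile", e["pid"]) for e in events
             if e["type"] == "registry" and rule_run_key_points_to_user_profile(e)]
    return sorted(hits)


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:<34} pid={pid}")
```

The csc.exe rule deliberately ignores cvtres.exe, which csc.exe spawns itself during a normal build; the parent-path check keeps it from firing on PowerShell Add-Type from an admin session, but a builder or dropper running from %TEMP% or the Desktop trips it, which is the pattern this tree shows.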

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES78D8.tmp

      Filesize

      1KB

      MD5

      2053f4602584898e4adb8562aa843409

      SHA1

      f9c23e6f63c1149ccabd2c3035bd15e4ff3aa177

      SHA256

      2f3bf42c5b9cebdf0e987b35f173d17c289bb616c3d5c32c471632add0d7eb52

      SHA512

      81c35c850b623599cd34300c716b9abaa71e0b75f87ad1bcffcbb049660448ca63b08306df3fad141f87c57ec112ead90f3c4b2c02f92d96359e8876e01d4b6d

    • C:\Users\Admin\Desktop\1.exe

      Filesize

      15KB

      MD5

      2e3b427154f3770d73a567a74311900e

      SHA1

      7d239a22a1de7d1690902fbbf4879fb9a79522b3

      SHA256

      30a6e5c9b5603dfd22c61ff23e18231ba88fd46cb53491c7078f2e4c6669776f

      SHA512

      4d866bd844e5411d856a8583029bb5912f0bab2aed3bb34b23bb54459ea325373c77b90d1fcd67ba91963293f8c3615c7572b8f05592c52d6aa77dafd16951af

    • C:\Users\Admin\Downloads\read_it.txt

      Filesize

      877B

      MD5

      9814b140eb85668b095096dc0ac32702

      SHA1

      27e792330b4526b0f1ccb1eb212f9a80262353fd

      SHA256

      3d3a137cdf8a12a35f67451a8afead595b6281f3de271673606ee80a47de9eb0

      SHA512

      4caa4a28649dd76b4e845e928eb0893ad1a50cd4aaa6d58d3123303dcf07f42379171740a4d2c77ceb854b54c86f3c430ef6429bd5d10ad2b96fbcfef0a4fb13

    • \??\c:\Users\Admin\AppData\Local\Temp\ftvommjl\ftvommjl.0.cs

      Filesize

      18KB

      MD5

      158456bd9ff760a8da3b189f5b1d2835

      SHA1

      9d058b9912746a53a44d910d528497c1c7c145d9

      SHA256

      360ebd343d86d333df49dfae46813385bdd524e70f435034d7941c37b35e1874

      SHA512

      5a4ff6b5c631ed52ecc74d73e37d3749c8920ab5fcdd0433a94580d8f3413769d2b26729d1d2cb5e0194cda9c258fd959f09f90a5e0cd6d9cfcb8c98456957a3

    • \??\c:\Users\Admin\AppData\Local\Temp\ftvommjl\ftvommjl.cmdline

      Filesize

      327B

      MD5

      27e1c48b761185ee9410bb3eb6571b50

      SHA1

      84734e06e66a443b1bd90ab94c960d7572a7daab

      SHA256

      8cbe8a685289ab87701c07dd03dd42d2963e5da7f2a6f86ac17747d5214c88f2

      SHA512

      2487f7dba686f360b30b120438ff3f049ca4c581258d19aba61b00c901f89641d4975391f18931d3eb13070c0cbe207a085614c80439e2e459cc57ff7c86a864

    • \??\c:\Users\Admin\Desktop\CSCC1B1C8BAA9D4C3EAB8B273A81DA2D7B.TMP

      Filesize

      1KB

      MD5

      3a9dbb57f6925b3d15a696aa9e2b4d5b

      SHA1

      4cb53fd8ef4184a31ddd44614550e2f59692da7e

      SHA256

      76f5c925f53b50b2d208f3914781906b9782a04e5f09842ddba2415fad3da54b

      SHA512

      9c3e2b4e0ad16e3dd5cbf9c1963f519364311a64b07e3c09223c2f3c87bdc01ec5f4a70818007976f3ab66aef6af49ea42cd509eaf1b6250db663ee197ae3169

    • memory/1312-29-0x0000000000D80000-0x0000000000D8A000-memory.dmp

      Filesize

      40KB

    • memory/2836-23-0x0000000001230000-0x000000000123A000-memory.dmp

      Filesize

      40KB

    • memory/2936-4-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

    • memory/2936-7-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

    • memory/2936-6-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

      Filesize

      4KB

    • memory/2936-5-0x000000001F0F0000-0x000000001F100000-memory.dmp

      Filesize

      64KB

    • memory/2936-20-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

    • memory/2936-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

      Filesize

      4KB

    • memory/2936-3-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

    • memory/2936-2-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

    • memory/2936-1-0x0000000000930000-0x000000000097E000-memory.dmp

      Filesize

      312KB