72b95ace3c49e8d01a8ac419d3b60f509eeb19ea8269f4c1e7e9d4bc8d7ed07c

Analysis

max time kernel
149s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_43c8bf767fb36d3f448c94196dfb53fb_ryuk.exe
Size

3.0MB
MD5

43c8bf767fb36d3f448c94196dfb53fb
SHA1

3c08f701682b44894460c9250f8fc857e17412e4
SHA256

72b95ace3c49e8d01a8ac419d3b60f509eeb19ea8269f4c1e7e9d4bc8d7ed07c
SHA512

5c7c13029c51f1db3f12e1198cbee2af3de854a4971e7c422f6f4f59c490a7f910716db9a5678304ded8ddadb8fa57420ca9a010b4fc6ed254e780f8ac48f834
SSDEEP

98304:KjczPu9LbmxCb6ib4WraIox9Xchfq9zbpGlOFngtMRMT:KjhBBWIox9XcAzNRgt1T

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	2024-09-29_43c8bf767fb36d3f448c94196dfb53fb_ryuk.exe

Executes dropped EXE 2 IoCs

pid	Process
4056	Auto.exe
2644	StartAllBackCfg.exe

Loads dropped DLL 1 IoCs

pid	Process
2644	StartAllBackCfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00070000000234d7-124.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4056	Auto.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4056	Auto.exe
4056	Auto.exe
2644	StartAllBackCfg.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe
4056	Auto.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 4056	2292	2024-09-29_43c8bf767fb36d3f448c94196dfb53fb_ryuk.exe	82
PID 2292 wrote to memory of 4056	2292	2024-09-29_43c8bf767fb36d3f448c94196dfb53fb_ryuk.exe	82
PID 2292 wrote to memory of 4056	2292	2024-09-29_43c8bf767fb36d3f448c94196dfb53fb_ryuk.exe	82
PID 4056 wrote to memory of 2644	4056	Auto.exe	84
PID 4056 wrote to memory of 2644	4056	Auto.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-09-29_43c8bf767fb36d3f448c94196dfb53fb_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-29_43c8bf767fb36d3f448c94196dfb53fb_ryuk.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Auto.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Auto.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\StartAllBackCfg.exe
    StartAllBackCfg.exe /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Auto.exe

Filesize
846KB

MD5
149034d4a5d59769062fb576f051d092

SHA1
8e4fce741e80828d4af046f1980186b7d652c0f6

SHA256
02213a2e40dd90a251b27566b7ffb25155368a418b67047096924aafec918cd9

SHA512
2b51f9c16db5947f9a6e822582b36da2e0d6eb74431a9f843c30a406ad3b1756324f0e3dc3e44525fb6dd832c2aa573ed678f5f71627f6d9362717c311bac809

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\StartAllBackCfg.exe

Filesize
3.3MB

MD5
ae74c5aa6b7054c312def92b2f33040c

SHA1
473b85b545c346b9ed5363b1c888a174942c5fed

SHA256
a322482b24b7f56f99fafb3940d5fa15a4bb55afe974a96077f36f074c5479fe

SHA512
4ec038b8862894d3f6a125f058ec8b5151d43631a18ea3761c182e7c3204e91ce5a1892a725cbc177d313e11c729bade9ce4495b290924492dd388a91d84548a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\StartAllBackX64.dll

Filesize
1017KB

MD5
a6a81f08a1663a47a0d413024be343ce

SHA1
fcce3280271ed9cfac17790e2e2b82f511d50c69

SHA256
053407612edcd7332f844b5802f6c739bba055e5433b7a77d27547c5205d4170

SHA512
07c14e20f635789e4cfa1b0d37c08ad7436525e685470f7aaf32d5b070d465d61b6d1a976d6073b1df084776f5cec086aece9eb7612745b1527d520e89ad2338

Download Submit
memory/2644-137-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download