Analysis

  • max time kernel
    0s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2024, 10:46

General

  • Target

    2024-11-21_852656b9342fa5b987d15b6c01565e60_cova_ryuk.exe

  • Size

    577KB

  • MD5

    852656b9342fa5b987d15b6c01565e60

  • SHA1

    2a1404ccf09e8c9e616e9f4039d9b98a2e0fa2c8

  • SHA256

    d93f73c6469bd56ad4d1b9d07e4d5b271beb0c012d17c5576b18ebc35588e9ab

  • SHA512

    68eb9f0b61477978a583b8b5a8b2f3dbd51f7e5c23f6d96a4aec218c64ef5efa6db7be7fd3b7010fcf20607a1ca51cb6689b4e66b1f85e34bfdbedc0739d214d

  • SSDEEP

    12288:nctEagGmcl4gBF1BRnI6hAVebOe1AFdMpUrMZ9uEIZc0b:aR+cl7X1BRnI6hmebOe1AbHWuEIZcW

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-21_852656b9342fa5b987d15b6c01565e60_cova_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-21_852656b9342fa5b987d15b6c01565e60_cova_ryuk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Encrypt.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\system32\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Wiper /t REG_SZ /d "Recovery Files Setup.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1740
      • C:\Users\Admin\AppData\Local\Temp\Petya.A.exe
        Petya.A.exe
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Encrypt.bat

    Filesize

    169B

    MD5

    344bc51e1d3e088464dd0e8b943f4810

    SHA1

    cc78eaf52c35f5b0cc505d5813c0f7dbee659bf5

    SHA256

    5e48229b6cf85c11af6d3d740854cd3e4595dd4fec007f0d0e770401c8208002

    SHA512

    6e84e4a0fc81e23327ac12bbc1b98123a336071b658acadf861f8b44179280d1a4bdf6fa6356f75d3685c544b7db14b3f05b3887a62a0f3a9313afe6f9ed53c9

  • C:\Users\Admin\AppData\Local\Temp\Petya.A.exe

    Filesize

    225KB

    MD5

    af2379cc4d607a45ac44d62135fb7015

    SHA1

    39b6d40906c7f7f080e6befa93324dddadcbd9fa

    SHA256

    26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

    SHA512

    69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

  • memory/1712-22-0x000000000041A000-0x0000000000427000-memory.dmp

    Filesize

    52KB

  • memory/1712-23-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB