Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Analysis

  • max time kernel
    151s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2024 03:39

General

  • Target

    5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe

  • Size

    140KB

  • MD5

    75a3cf8ced873ee7bc415e27e108496b

  • SHA1

    ac94165d63c75f4adf1728aa2ecb776ac7c1c18e

  • SHA256

    5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed

  • SHA512

    7c3e166ff75ad32f70bfb355167333be4f9bc5b5740a231b4a1fb5c391bd8e137ebea6a3ba5370797f016cbdb83631bb5e459e0bc64beb3246ed9605b3bdb903

  • SSDEEP

    1536:HhwpMRUR8gpO3fM/CvmHWvW7l4y0RPG4UnmPqAibDe7bvjk/J0LcJQ6f8EPhQmGD:ZZi++b0Hb6bDIbvjkmwRPhuHmrOB

Malware Config

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Ryuk family
  • Renames multiple (86) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
    "C:\Users\Admin\AppData\Local\Temp\5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Users\Admin\AppData\Local\Temp\qEiARbqfArep.exe
      "C:\Users\Admin\AppData\Local\Temp\qEiARbqfArep.exe" 9 REP
      2⤵
      • Executes dropped EXE
      PID:1804
    • C:\Users\Admin\AppData\Local\Temp\asoXNECVHlan.exe
      "C:\Users\Admin\AppData\Local\Temp\asoXNECVHlan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2504
    • C:\Users\Admin\AppData\Local\Temp\BnMnUjFEflan.exe
      "C:\Users\Admin\AppData\Local\Temp\BnMnUjFEflan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2044
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1264
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1012
    • C:\Windows\SysWOW64\icacls.exe
      icacls "F:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

    Filesize

    1024KB

    MD5

    0c43908b6d3fcc8232829073f86675e4

    SHA1

    aa720aa4ea724c2eae1ce5325c6828126c9051b5

    SHA256

    4076cebaa87b37943d78bb1d969bf7059494a303d53362f89ef61d54b5f07257

    SHA512

    49db8d800000a89fe5ff331b90493451f82a7764fd2db82aa97df469e3a637324682d4558d32fa46132bc0f49fd1df8e56b97da3dccbedf6dee46a91dbf7e10d

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

    Filesize

    960KB

    MD5

    5596e892c082cad84099249483a8805f

    SHA1

    199dee679aacba526cdd448aa0931800e4548bcd

    SHA256

    43637b26d1390768cb491b325a6cf5de5c8a6a32b4d276f161784df485e4bdbd

    SHA512

    280be7471c2b7753778d3bee40d93e1b280d0dc14b8c6beb38fa667c04f3d75fc433ca7aff551181fac50b97bbd3d6d4b1d6b3da63e092556d952cb39b93057f

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

    Filesize

    4KB

    MD5

    9c931b242ee9ffcc8f11e0cf3f352a17

    SHA1

    7d90754cb6a1cf576e158e15f057b3ac9fc6cc69

    SHA256

    b58e21fb865367dbe985f99fd9d5625d22ef1081d8606f774dd6dbb5716c7ddf

    SHA512

    0c39ff788b651188746faef4d1a0090467f00e2fb739bb9e1cc14fcd9da87976dbfbbeb4fc4a6ba283e40f66d14ed7eb575bcffd16fbee403e3c1b0de5134a72

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

    Filesize

    960KB

    MD5

    4c89dff443637b84011d10772ab10a2b

    SHA1

    e1e7393baaebd3254e35f31b59f7e9234c394e08

    SHA256

    1d763704f9ce405e4d112a7550de4dddd69320d1b43d37ad00d4369b0f752970

    SHA512

    830e1bc9c3116fc3a545cb92f921ea094980ac7b6154e22fd16d047545a3afbfd012e29b3b3d1ec527c7ede6603539c4d5b781548f32fa6127d1bc3887ec3f7c

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

    Filesize

    17KB

    MD5

    8bd79c629be7c9a4c17be0668ab9e41a

    SHA1

    5ef633835e2120afc81cb8b27a348f50afcdee00

    SHA256

    feb47bda30a3c7e7aec00dad9203fef7e49bb1e94c95d7052ec0c204954b24b6

    SHA512

    cda4164bcfbdf68b9f1b4a70e3b16ecdad2a9f9d8cb4e9625a45c50931d968320fa4dc5db78ac72018bd0bcb2c116bc58605df706e7cd4a10816f3704f04cea4

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

    Filesize

    31KB

    MD5

    41b0006427b2224cb0987e1ad811073f

    SHA1

    85244d01ffe53dd2de7c036ea68a0c3a0df97c52

    SHA256

    8a91157dd04e5af550b716058cabde6a5dbd28d8a1b7c3f8d2a38b548a1317ee

    SHA512

    0b4c4377cfe800d6dfb8fd448fdc4c466d132a6173b3cc52b9a44914ca30759eff6208330fffaade3d2549855139cb4cd9612e79c6d3351790b21976f3e8a192

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

    Filesize

    699KB

    MD5

    ac47e6d0aa7d124b478e8406bbe534f5

    SHA1

    2cf9f02d7f6084b852d4281f05be9f0aebbfaa96

    SHA256

    51e329b0a4efa0a8b75c9f9715b0a05e00df6ecb33268988a560112b37926a79

    SHA512

    3c08b3faf55845aa822baf8f0f28478e39677211301a3d986355e21dd99757576df52a0aa2aa6fa55ede3c3559ca3ee77f24ef696ed68d1bb6be379e0c919287

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

    Filesize

    128KB

    MD5

    7f1276842b192de978f53a32d195abc1

    SHA1

    3926bff0c5c1f4fd23bcdc56d30e65d0b33a68d3

    SHA256

    1263c4457e86f0a9a91170af0553162595d54926e40faab89dd91131ce0a60f9

    SHA512

    4b86b863d3efa8a2c9f3a88ab1b1a97d91ce9d0de288ad54c882309439e2dd6c6daefcb68ab534780c2adc7a4634daa184cdb673fe3049baa731a89e9ca60d4d

  • C:\Users\Admin\AppData\Local\Temp\qEiARbqfArep.exe

    Filesize

    140KB

    MD5

    75a3cf8ced873ee7bc415e27e108496b

    SHA1

    ac94165d63c75f4adf1728aa2ecb776ac7c1c18e

    SHA256

    5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed

    SHA512

    7c3e166ff75ad32f70bfb355167333be4f9bc5b5740a231b4a1fb5c391bd8e137ebea6a3ba5370797f016cbdb83631bb5e459e0bc64beb3246ed9605b3bdb903

  • F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\RyukReadMe.html

    Filesize

    1KB

    MD5

    2a9ba975c5ce7e8d6f553a49d746ee9c

    SHA1

    16fbba3702510dd6968409993435405b9e6eb2ae

    SHA256

    04c99bec6e100960aa418f631239bcad1e58ea153fcf672f8a55e4395fb904cf

    SHA512

    7bfb2dbfa1155be795165fc17b269be566f8210b5c1a562f75a1dc2742f00c909cef027a466780cf8d786c11d0475f7c76fb761bd6e0c5af73d2c58ff0620d25