Managed XDR

473bcbcba12296b08b765b...15c1006af28f6172e8.exe (Ryuk) — malware analysis report

File info

Filename: 473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 116.5 KB
First seen: 2024-09-09 14:16
Last seen: 2025-05-15 06:18

Environment

win7/x86 en

Hashes

SHA1: eafe0287e6ae983c6f1ff68f6c7780cc3a037783
SHA256: 473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8
MD5: 5c6273b024c93c5bdf557813868f9337

Malwares

Ryuk

Signatures

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1222 icacls: May obtain or change Discretionary access control lists (DACLs)

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1552.001 infostealer_bitcoin: Attempts to obtain access to Bitcoin/ALTCoin wallets

T1552 infostealer_mail: Collects personal data from local email clients

Discovery

T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Collection

T1114 infostealer_mail: Collects personal data from local email clients

T1074.001 access_recyclebin: Manipulation with recyclebin detected

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Impact

T1486 modifies_files2: Cryptolocker indicators detected (500 or more files are modified)

T1486 modifies_files: Cryptolocker indicators detected (renamed 500 or more files)

T1486 ransomware_files: Ransomware indicators detected Ryuk (creates keys and the instruction on how to unlock the files)

T1486 ransomware_extensions: Ransomware(s) Ryuk indicators detected (specific extension is added to files)

T1486 ransomware_files_2: Ransomware(s) Ryuk indicators detected (creates keys and the instruction on how to unlock the files)

T1486 mass_data_encryption: Encrypts data using the same key (possible ransomware behaviour)

Other

yara_rules: Static rules

ryuk: Detected Ryuk ransomware

creates_in_programdata: Creates files in the ProgramData directory

writes_data: Writes big amount of data to disk