Managed XDR

vtdl_1738672001_blbmx695 (Tinba, Ryuk) — malware analysis report

File info

Filename
vtdl_1738672001_blbmx695
File type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size
129 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
fa985dfa50048de3af7453f2f610aff55b497087
SHA256
fb727339ea9eeeaaefa931068eaafeea72aa894d86e9967d7dda0a0ff948544b
MD5
e4284abd44a8e3d2072d437a1a4095b6

Malwares

  • Tinba
  • Ryuk

Signatures

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036 copies_utilities: Copies and runs system utility with different name
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1564.001 stealth_file: Creates hidden or system files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1222 icacls: May obtain or change Discretionary access control lists (DACLs)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1070 stealth_window: A process created a hidden window

Discovery

T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1518 locates_browser: Attempts to identify where browsers are installed

Collection

T1074.001 access_recyclebin: Manipulation with recyclebin detected

Impact

T1486 ransomware_files: Ransomware indicators detected Ryuk (creates keys and the instruction on how to unlock the files)
T1486 ransomware_files_2: Ransomware(s) Ryuk indicators detected (creates keys and the instruction on how to unlock the files)

Other

yara_rules: Static rules
ryuk: Detected Ryuk ransomware
executes_dropped_exe: Executes dropped exe files
creates_in_windows: Creates files in the Windows directory
creates_exe: Creates executable files in the file system
no_graphical_activity: No graphic activity
get_policy_info: Retrieves information about a Policy object

Related reports