ryuk | 8ab5e286c2970c225118f01223f4f0017b9b8565059f88b32024554203c771c6

Analysis

max time kernel
150s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
30-03-2021 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
Size

115KB
MD5

d736f4a3fc844b4a7e970b562fbeac85
SHA1

fdd13c9b9e6c0e07f1215780c4ab742627e57917
SHA256

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327
SHA512

7ee0ba7a2df6cc294b9955279bbfbfe7f3e167dc208b7d9290ba67bb0c516b228d1b75c7eeebcdb9090b85e8267d239889c3ad12718a281978a1aa00ad8509fe

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
3896	OUpqKMnHAlan.exe
184	zkXztNnCalan.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4032	icacls.exe
2308	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4560	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeBackupPrivilege	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
Token: SeIncreaseQuotaPrivilege	4516	WMIC.exe
Token: SeSecurityPrivilege	4516	WMIC.exe
Token: SeTakeOwnershipPrivilege	4516	WMIC.exe
Token: SeLoadDriverPrivilege	4516	WMIC.exe
Token: SeSystemProfilePrivilege	4516	WMIC.exe
Token: SeSystemtimePrivilege	4516	WMIC.exe
Token: SeProfSingleProcessPrivilege	4516	WMIC.exe
Token: SeIncBasePriorityPrivilege	4516	WMIC.exe
Token: SeCreatePagefilePrivilege	4516	WMIC.exe
Token: SeBackupPrivilege	4516	WMIC.exe
Token: SeRestorePrivilege	4516	WMIC.exe
Token: SeShutdownPrivilege	4516	WMIC.exe
Token: SeDebugPrivilege	4516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4516	WMIC.exe
Token: SeRemoteShutdownPrivilege	4516	WMIC.exe
Token: SeUndockPrivilege	4516	WMIC.exe
Token: SeManageVolumePrivilege	4516	WMIC.exe
Token: 33	4516	WMIC.exe
Token: 34	4516	WMIC.exe
Token: 35	4516	WMIC.exe
Token: 36	4516	WMIC.exe
Token: SeBackupPrivilege	5004	vssvc.exe
Token: SeRestorePrivilege	5004	vssvc.exe
Token: SeAuditPrivilege	5004	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4516	WMIC.exe
Token: SeSecurityPrivilege	4516	WMIC.exe
Token: SeTakeOwnershipPrivilege	4516	WMIC.exe
Token: SeLoadDriverPrivilege	4516	WMIC.exe
Token: SeSystemProfilePrivilege	4516	WMIC.exe
Token: SeSystemtimePrivilege	4516	WMIC.exe
Token: SeProfSingleProcessPrivilege	4516	WMIC.exe
Token: SeIncBasePriorityPrivilege	4516	WMIC.exe
Token: SeCreatePagefilePrivilege	4516	WMIC.exe
Token: SeBackupPrivilege	4516	WMIC.exe
Token: SeRestorePrivilege	4516	WMIC.exe
Token: SeShutdownPrivilege	4516	WMIC.exe
Token: SeDebugPrivilege	4516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4516	WMIC.exe
Token: SeRemoteShutdownPrivilege	4516	WMIC.exe
Token: SeUndockPrivilege	4516	WMIC.exe
Token: SeManageVolumePrivilege	4516	WMIC.exe
Token: 33	4516	WMIC.exe
Token: 34	4516	WMIC.exe
Token: 35	4516	WMIC.exe
Token: 36	4516	WMIC.exe
Token: SeBackupPrivilege	1828	vssvc.exe
Token: SeRestorePrivilege	1828	vssvc.exe
Token: SeAuditPrivilege	1828	vssvc.exe
Token: SeBackupPrivilege	3896	OUpqKMnHAlan.exe
Token: SeBackupPrivilege	184	zkXztNnCalan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 508 wrote to memory of 3896	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	78
PID 508 wrote to memory of 3896	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	78
PID 508 wrote to memory of 3896	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	78
PID 508 wrote to memory of 184	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	79
PID 508 wrote to memory of 184	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	79
PID 508 wrote to memory of 184	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	79
PID 508 wrote to memory of 2324	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	34
PID 508 wrote to memory of 2344	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	33
PID 508 wrote to memory of 1048	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	80
PID 508 wrote to memory of 1048	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	80
PID 508 wrote to memory of 1048	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	80
PID 508 wrote to memory of 484	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	82
PID 508 wrote to memory of 484	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	82
PID 508 wrote to memory of 484	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	82
PID 508 wrote to memory of 2512	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	29
PID 1048 wrote to memory of 1552	1048	net.exe	84
PID 1048 wrote to memory of 1552	1048	net.exe	84
PID 1048 wrote to memory of 1552	1048	net.exe	84
PID 484 wrote to memory of 1532	484	net.exe	85
PID 484 wrote to memory of 1532	484	net.exe	85
PID 484 wrote to memory of 1532	484	net.exe	85
PID 508 wrote to memory of 3252	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	22
PID 508 wrote to memory of 3264	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	21
PID 508 wrote to memory of 3456	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	14
PID 508 wrote to memory of 3760	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	20
PID 508 wrote to memory of 1652	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	86
PID 508 wrote to memory of 1652	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	86
PID 508 wrote to memory of 1652	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	86
PID 508 wrote to memory of 3996	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	87
PID 508 wrote to memory of 3996	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	87
PID 508 wrote to memory of 3996	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	87
PID 508 wrote to memory of 576	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	89
PID 508 wrote to memory of 576	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	89
PID 508 wrote to memory of 576	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	89
PID 508 wrote to memory of 804	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	90
PID 508 wrote to memory of 804	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	90
PID 508 wrote to memory of 804	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	90
PID 508 wrote to memory of 4032	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	91
PID 508 wrote to memory of 4032	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	91
PID 508 wrote to memory of 4032	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	91
PID 508 wrote to memory of 2308	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	99
PID 508 wrote to memory of 2308	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	99
PID 508 wrote to memory of 2308	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	99
PID 508 wrote to memory of 4028	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	94
PID 508 wrote to memory of 4028	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	94
PID 508 wrote to memory of 4028	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	94
PID 508 wrote to memory of 648	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	97
PID 508 wrote to memory of 648	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	97
PID 508 wrote to memory of 648	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	97
PID 648 wrote to memory of 4304	648	net.exe	102
PID 648 wrote to memory of 4304	648	net.exe	102
PID 648 wrote to memory of 4304	648	net.exe	102
PID 1652 wrote to memory of 4516	1652	cmd.exe	103
PID 1652 wrote to memory of 4516	1652	cmd.exe	103
PID 1652 wrote to memory of 4516	1652	cmd.exe	103
PID 3996 wrote to memory of 4560	3996	cmd.exe	104
PID 3996 wrote to memory of 4560	3996	cmd.exe	104
PID 3996 wrote to memory of 4560	3996	cmd.exe	104
PID 4028 wrote to memory of 4612	4028	cmd.exe	105
PID 4028 wrote to memory of 4612	4028	cmd.exe	105
PID 4028 wrote to memory of 4612	4028	cmd.exe	105
PID 508 wrote to memory of 25960	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	109
PID 508 wrote to memory of 25960	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	109
PID 508 wrote to memory of 25960	508	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	109

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3264

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3252

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2344

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
"C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508
- C:\Users\Admin\AppData\Local\Temp\OUpqKMnHAlan.exe
  "C:\Users\Admin\AppData\Local\Temp\OUpqKMnHAlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Users\Admin\AppData\Local\Temp\zkXztNnCalan.exe
  "C:\Users\Admin\AppData\Local\Temp\zkXztNnCalan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:184
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1552
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "WMIC.exe shadowcopy delete"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  PID:576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:804
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Qÿ
  2⤵
  - Modifies file permissions
  PID:4032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:4612
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4304
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Qÿ
  2⤵
  - Modifies file permissions
  PID:2308
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:25960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:26508
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:32068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:32272
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:64868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:64920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/508-9-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download
memory/508-8-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download