ryuk | a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458

Analysis

max time kernel
151s
max time network
48s
platform
windows10_x64
resource
win10v20210408
submitted
15-05-2021 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458.exe
Size

443KB
MD5

132b243229390d9edfa25566894c5010
SHA1

a040ad72525fea4e93920889dd90395bbe29d5dd
SHA256

a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458
SHA512

fb9876deb950d1e06ace48c024e6cd9aa1722002db606cdbc5e629309dcf4870a836c963d030273a8ffaa29bc8db33c512255e51c92d72f9d9b5420122db2aa2

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Special warning for system administrators, network administrators and third parties: Do not try to solve this problem by yourselves! Don't change file extensions! It can be dangerous for the encrypted information! Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files.Your system administrators are trying to solve problem by simple file extension changing. This actions seriously increase the time needed to recover your company's PCs and network servers! To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
216	HFIto.exe

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\Saved Pictures\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\OneDrive\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessibility\Desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\Camera Roll\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Windows PowerShell\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\System Tools\Desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini	HFIto.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini	HFIto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
216	HFIto.exe
216	HFIto.exe
216	HFIto.exe
216	HFIto.exe
216	HFIto.exe
216	HFIto.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	216	HFIto.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 216	688	a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458.exe	78
PID 688 wrote to memory of 216	688	a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458.exe	78
PID 216 wrote to memory of 2168	216	HFIto.exe	79
PID 216 wrote to memory of 2168	216	HFIto.exe	79
PID 2168 wrote to memory of 4136	2168	net.exe	81
PID 2168 wrote to memory of 4136	2168	net.exe	81
PID 216 wrote to memory of 4188	216	HFIto.exe	82
PID 216 wrote to memory of 4188	216	HFIto.exe	82
PID 4188 wrote to memory of 4416	4188	net.exe	84
PID 4188 wrote to memory of 4416	4188	net.exe	84
PID 216 wrote to memory of 27464	216	HFIto.exe	86
PID 216 wrote to memory of 27464	216	HFIto.exe	86
PID 27464 wrote to memory of 27560	27464	net.exe	88
PID 27464 wrote to memory of 27560	27464	net.exe	88
PID 216 wrote to memory of 51072	216	HFIto.exe	90
PID 216 wrote to memory of 51072	216	HFIto.exe	90
PID 51072 wrote to memory of 51232	51072	net.exe	92
PID 51072 wrote to memory of 51232	51072	net.exe	92

C:\Users\Admin\AppData\Local\Temp\a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458.exe
"C:\Users\Admin\AppData\Local\Temp\a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:688
- C:\users\Public\HFIto.exe
  "C:\users\Public\HFIto.exe" C:\Users\Admin\AppData\Local\Temp\a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:4136
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:4416
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:27464
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:27560
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:51072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:51232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads