ryuk | 92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed

Analysis

max time kernel
144s
max time network
154s
platform
windows7_x64
resource
win7v20210410
submitted
09-06-2021 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
Size

353KB
MD5

1737388ce8b0b5fc2dbc22f5b7352b7c
SHA1

e62135254b3a51f0180e70a11e4c3ad4a59f81c4
SHA256

92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed
SHA512

e47d6fe5049e3019dfb1161bfaf7038171dad39c657200c115cbc26f2be46ead92319e20e5e77e0e91ad93d17562090dda75efc5fb5fb22bef1d47df2aef657b

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
660	icacls.exe
764	icacls.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
864	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Krasnoyarsk	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
864	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 660	864	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	29
PID 864 wrote to memory of 660	864	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	29
PID 864 wrote to memory of 660	864	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	29
PID 864 wrote to memory of 660	864	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	29
PID 864 wrote to memory of 764	864	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	30
PID 864 wrote to memory of 764	864	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	30
PID 864 wrote to memory of 764	864	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	30
PID 864 wrote to memory of 764	864	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	30

C:\Users\Admin\AppData\Local\Temp\92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
"C:\Users\Admin\AppData\Local\Temp\92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:660
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-60-0x0000000035000000-0x0000000035044000-memory.dmp

Filesize
272KB

Download
memory/864-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/864-62-0x00000000754D0000-0x000000007557C000-memory.dmp

Filesize
688KB

Download
memory/864-63-0x0000000077070000-0x00000000770B7000-memory.dmp

Filesize
284KB

Download
memory/864-65-0x00000000757B0000-0x00000000757E5000-memory.dmp

Filesize
212KB

Download
memory/864-66-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/864-68-0x0000000001BB0000-0x0000000001BF2000-memory.dmp

Filesize
264KB

Download
memory/864-69-0x0000000075010000-0x0000000075022000-memory.dmp

Filesize
72KB

Download
memory/864-71-0x0000000075810000-0x000000007596C000-memory.dmp

Filesize
1.4MB

Download
memory/864-73-0x0000000074FF0000-0x000000007500C000-memory.dmp

Filesize
112KB

Download