ryuk | 92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed

Analysis

max time kernel
130s
max time network
115s
platform
windows10_x64
resource
win10v20210410
submitted
09-06-2021 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
Size

353KB
MD5

1737388ce8b0b5fc2dbc22f5b7352b7c
SHA1

e62135254b3a51f0180e70a11e4c3ad4a59f81c4
SHA256

92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed
SHA512

e47d6fe5049e3019dfb1161bfaf7038171dad39c657200c115cbc26f2be46ead92319e20e5e77e0e91ad93d17562090dda75efc5fb5fb22bef1d47df2aef657b

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3564	icacls.exe
1372	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3176	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\LINEAR_RGB.pf	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OIMG.DLL	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FDATE.DLL	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_fr.properties	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.INF	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN081.XML	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.INF	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\PREVIEW.GIF	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-windows.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\RyukReadMe.html	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-focus.svg	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3176	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
3176	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 1372	3176	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	78
PID 3176 wrote to memory of 1372	3176	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	78
PID 3176 wrote to memory of 1372	3176	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	78
PID 3176 wrote to memory of 3564	3176	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	79
PID 3176 wrote to memory of 3564	3176	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	79
PID 3176 wrote to memory of 3564	3176	92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe	79

C:\Users\Admin\AppData\Local\Temp\92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe
"C:\Users\Admin\AppData\Local\Temp\92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1372
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3176-116-0x0000000002020000-0x0000000002062000-memory.dmp

Filesize
264KB

Download
memory/3176-117-0x0000000076150000-0x0000000076312000-memory.dmp

Filesize
1.8MB

Download
memory/3176-115-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/3176-118-0x0000000076340000-0x0000000076431000-memory.dmp

Filesize
964KB

Download
memory/3176-114-0x0000000035000000-0x0000000035044000-memory.dmp

Filesize
272KB

Download