ryuk | 473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8

Analysis

max time kernel
150s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
10-07-2021 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
Size

116KB
MD5

5c6273b024c93c5bdf557813868f9337
SHA1

eafe0287e6ae983c6f1ff68f6c7780cc3a037783
SHA256

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8
SHA512

4164f5d7f485cc95825cd6608e0a58eadd456d00145bc3b73d3526e07faaf9d416d03e9a62c8c789db447549421cfc2db73f54f5cd3dabc1238c5da9727c2408

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'nyMTcbyxt'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ReceiveSuspend.tiff	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File renamed	C:\Users\Admin\Pictures\ReceiveSuspend.tiff => C:\Users\Admin\Pictures\ReceiveSuspend.tiff.RYK	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File renamed	C:\Users\Admin\Pictures\ResolveConvertTo.crw => C:\Users\Admin\Pictures\ResolveConvertTo.crw.RYK	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File renamed	C:\Users\Admin\Pictures\UndoShow.tif => C:\Users\Admin\Pictures\UndoShow.tif.RYK	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File renamed	C:\Users\Admin\Pictures\EditImport.raw => C:\Users\Admin\Pictures\EditImport.raw.RYK	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File renamed	C:\Users\Admin\Pictures\ExpandConnect.tif => C:\Users\Admin\Pictures\ExpandConnect.tif.RYK	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File renamed	C:\Users\Admin\Pictures\TestReceive.tif => C:\Users\Admin\Pictures\TestReceive.tif.RYK	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1324	icacls.exe
3152	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ui-strings.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\AddSync.zip	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msador28.tlb	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_2x.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\ui-strings.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-tool-view.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare-2x.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-sl\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\ui-strings.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\svgCheckboxSelected.svg	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPCORE.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 3152	4092	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	79
PID 4092 wrote to memory of 3152	4092	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	79
PID 4092 wrote to memory of 3152	4092	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	79
PID 4092 wrote to memory of 1324	4092	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	81
PID 4092 wrote to memory of 1324	4092	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	81
PID 4092 wrote to memory of 1324	4092	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe	81

C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe
"C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3152
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads