ryuk | 473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8

Analysis

max time kernel
161s
max time network
133s
platform
windows10_x64
resource
win10v20210408
submitted
26-07-2021 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
Size

116KB
MD5

5c6273b024c93c5bdf557813868f9337
SHA1

eafe0287e6ae983c6f1ff68f6c7780cc3a037783
SHA256

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8
SHA512

4164f5d7f485cc95825cd6608e0a58eadd456d00145bc3b73d3526e07faaf9d416d03e9a62c8c789db447549421cfc2db73f54f5cd3dabc1238c5da9727c2408

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'nyMTcbyxt'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2064	icacls.exe
408	icacls.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\sat_logo_2x.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\he-il\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\ui-strings.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\CommonCapabilities.json	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\02_frenchtv.luac	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_bow.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo_2x.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster2x.jpg	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\ui-strings.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\THMBNAIL.PNG	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\ui-strings.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adc_logo.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.INF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\ui-strings.js	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 2064	572	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	75
PID 572 wrote to memory of 2064	572	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	75
PID 572 wrote to memory of 2064	572	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	75
PID 572 wrote to memory of 408	572	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	77
PID 572 wrote to memory of 408	572	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	77
PID 572 wrote to memory of 408	572	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	77

C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
"C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2064
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads