ryuk | 2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357

General

Target

2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
Size

122KB
MD5

268c8c879f67be89dbb020bf0844d9e0
SHA1

631ae3e5bb0b791c2926829a00e99154c94621c9
SHA256

2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357
SHA512

047ddf54dc13b455528ec3370e02c0ca006bd86b207a6b7dabb86390f0dcf7d194196876fdf44a6e6556a6b32210e71edb2889ff1071fb899795e6373d75fb52

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 15 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\Saved Pictures\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\Camera Roll\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	sihost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	sihost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
192	3828	WerFault.exe	18

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe
192	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2832	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeDebugPrivilege	192	WerFault.exe
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeBackupPrivilege	2312	sihost.exe
Token: SeBackupPrivilege	3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE
2832	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 2312	3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	33
PID 3256 wrote to memory of 2328	3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	32
PID 3256 wrote to memory of 2472	3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	29
PID 3256 wrote to memory of 2832	3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	21
PID 3256 wrote to memory of 3312	3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	12
PID 3256 wrote to memory of 3324	3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	20
PID 3256 wrote to memory of 3544	3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	19
PID 3256 wrote to memory of 3828	3256	2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe	18

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3312

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3828
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3828 -s 836
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:192

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3324

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2832
- C:\Users\Admin\AppData\Local\Temp\2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\2a0044c9599a21c45ca22f9abd1e8a3093b3c4046b328968c949a651e6f70357.sample.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3256

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2328

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2312-114-0x00007FF687930000-0x00007FF687CB1000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing