ryuk | 0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779

Analysis

max time kernel
171s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-02-2022 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
Size

169KB
MD5

8d9db61a893f5919641a7b4005a78850
SHA1

fa768baedc9ca06f253ff993d2f4d0aee402959b
SHA256

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779
SHA512

cbc5f3ed290b1c7e8989cf820ec13d59af010b283cd66b76558953e786c9e867c5442e56331c49f8d084acd6af6792f0d57a7e234025b2cecc17c4151c85d0b4

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
Token: SeBackupPrivilege	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
Token: SeShutdownPrivilege	4988	svchost.exe
Token: SeCreatePagefilePrivilege	4988	svchost.exe
Token: SeShutdownPrivilege	4988	svchost.exe
Token: SeCreatePagefilePrivilege	4988	svchost.exe
Token: SeShutdownPrivilege	4988	svchost.exe
Token: SeCreatePagefilePrivilege	4988	svchost.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 2280	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	28
PID 5024 wrote to memory of 2312	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	25
PID 5024 wrote to memory of 3332	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	85
PID 5024 wrote to memory of 3332	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	85
PID 5024 wrote to memory of 3332	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	85
PID 3332 wrote to memory of 3928	3332	net.exe	87
PID 3332 wrote to memory of 3928	3332	net.exe	87
PID 3332 wrote to memory of 3928	3332	net.exe	87
PID 5024 wrote to memory of 2432	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	26
PID 5024 wrote to memory of 384	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	88
PID 5024 wrote to memory of 384	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	88
PID 5024 wrote to memory of 384	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	88
PID 384 wrote to memory of 392	384	net.exe	90
PID 384 wrote to memory of 392	384	net.exe	90
PID 384 wrote to memory of 392	384	net.exe	90
PID 5024 wrote to memory of 744	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	36
PID 5024 wrote to memory of 3252	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	60
PID 5024 wrote to memory of 3348	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	38
PID 5024 wrote to memory of 3424	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	37
PID 5024 wrote to memory of 3516	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	39
PID 5024 wrote to memory of 3848	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	40
PID 5024 wrote to memory of 4052	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	57
PID 5024 wrote to memory of 1408	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	49
PID 5024 wrote to memory of 1480	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	48
PID 5024 wrote to memory of 2208	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	44
PID 5024 wrote to memory of 1512	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	84
PID 5024 wrote to memory of 624	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	95
PID 5024 wrote to memory of 624	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	95
PID 5024 wrote to memory of 624	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	95
PID 624 wrote to memory of 4776	624	net.exe	97
PID 624 wrote to memory of 4776	624	net.exe	97
PID 624 wrote to memory of 4776	624	net.exe	97
PID 5024 wrote to memory of 6484	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	101
PID 5024 wrote to memory of 6484	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	101
PID 5024 wrote to memory of 6484	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	101
PID 6484 wrote to memory of 6536	6484	net.exe	103
PID 6484 wrote to memory of 6536	6484	net.exe	103
PID 6484 wrote to memory of 6536	6484	net.exe	103
PID 5024 wrote to memory of 6752	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	104
PID 5024 wrote to memory of 6752	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	104
PID 5024 wrote to memory of 6752	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	104
PID 6752 wrote to memory of 6804	6752	net.exe	106
PID 6752 wrote to memory of 6804	6752	net.exe	106
PID 6752 wrote to memory of 6804	6752	net.exe	106
PID 5024 wrote to memory of 6992	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	107
PID 5024 wrote to memory of 6992	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	107
PID 5024 wrote to memory of 6992	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	107
PID 6992 wrote to memory of 7044	6992	net.exe	109
PID 6992 wrote to memory of 7044	6992	net.exe	109
PID 6992 wrote to memory of 7044	6992	net.exe	109
PID 5024 wrote to memory of 6496	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	113
PID 5024 wrote to memory of 6496	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	113
PID 5024 wrote to memory of 6496	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	113
PID 6496 wrote to memory of 6520	6496	net.exe	115
PID 6496 wrote to memory of 6520	6496	net.exe	115
PID 6496 wrote to memory of 6520	6496	net.exe	115

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2312

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2432

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2208

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1480

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4052

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
"C:\Users\Admin\AppData\Local\Temp\0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3928
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:392
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4776
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6536
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6804
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:7044
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6520

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4988-130-0x000001F897D20000-0x000001F897D30000-memory.dmp

Filesize
64KB

Download
memory/4988-131-0x000001F897F40000-0x000001F897F50000-memory.dmp

Filesize
64KB

Download
memory/4988-132-0x000001F89A440000-0x000001F89A444000-memory.dmp

Filesize
16KB

Download