ryuk | 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c

General

Target

08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
Size

192KB
MD5

38df8a5c21f7df368490f8a0a0e276f9
SHA1

564641f0da5a9365a748a9589535f3b9439e5cc9
SHA256

08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c
SHA512

2d3aaabd9f2d1fc4438ff31717dd53667b16acfa421c0364374135ed41360a1dee78d8f51ae588017c895c192f031bf13cbbaa67b1d240ddd86025ebc06be2cf

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

ashpkCg.exe

pid process

2068 ashpkCg.exe

pid	process
2068	ashpkCg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ashpkCg.exe08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	ashpkCg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 49 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.270820"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.544384"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899098677755890"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4160"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4260"	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exeashpkCg.exe

pid	process
1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
2068	ashpkCg.exe
2068	ashpkCg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exeashpkCg.exe

description	pid	process
Token: SeBackupPrivilege	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
Token: SeBackupPrivilege	2068	ashpkCg.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exeashpkCg.exe

description	pid	process	target process
PID 1740 wrote to memory of 2068	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	ashpkCg.exe
PID 1740 wrote to memory of 2068	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	ashpkCg.exe
PID 1740 wrote to memory of 2068	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	ashpkCg.exe
PID 1740 wrote to memory of 3084	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1740 wrote to memory of 3084	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1740 wrote to memory of 3084	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1740 wrote to memory of 1116	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1740 wrote to memory of 1116	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1740 wrote to memory of 1116	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1740 wrote to memory of 1132	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1740 wrote to memory of 1132	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1740 wrote to memory of 1132	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1740 wrote to memory of 452	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1740 wrote to memory of 452	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1740 wrote to memory of 452	1740	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 2068 wrote to memory of 3300	2068	ashpkCg.exe	net.exe
PID 2068 wrote to memory of 3300	2068	ashpkCg.exe	net.exe
PID 2068 wrote to memory of 3300	2068	ashpkCg.exe	net.exe
PID 2068 wrote to memory of 3852	2068	ashpkCg.exe	net.exe
PID 2068 wrote to memory of 3852	2068	ashpkCg.exe	net.exe
PID 2068 wrote to memory of 3852	2068	ashpkCg.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
"C:\Users\Admin\AppData\Local\Temp\08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\ashpkCg.exe
"C:\Users\Admin\AppData\Local\Temp\ashpkCg.exe" 8 LAN
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
PID:3300

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:3852

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:1116

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:3084

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ashpkCg.exe
MD5
38df8a5c21f7df368490f8a0a0e276f9

SHA1
564641f0da5a9365a748a9589535f3b9439e5cc9

SHA256
08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c

SHA512
2d3aaabd9f2d1fc4438ff31717dd53667b16acfa421c0364374135ed41360a1dee78d8f51ae588017c895c192f031bf13cbbaa67b1d240ddd86025ebc06be2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ashpkCg.exe
MD5
38df8a5c21f7df368490f8a0a0e276f9

SHA1
564641f0da5a9365a748a9589535f3b9439e5cc9

SHA256
08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c

SHA512
2d3aaabd9f2d1fc4438ff31717dd53667b16acfa421c0364374135ed41360a1dee78d8f51ae588017c895c192f031bf13cbbaa67b1d240ddd86025ebc06be2cf

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads