ryuk | d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b

Analysis

max time kernel
107s
max time network
53s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
Size

203KB
MD5

1204f4881b1b67007e74e3129ae74992
SHA1

1a184b8e44c447140300946287300b8f382654ac
SHA256

d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b
SHA512

c87ef11347596e0969309568a92f138810eb13b46378ce5c2321597d2b006d65165d711ebb9a3372d3396c730ce7c552a0b54562e873ddba8513590316458e47

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
520	QVQFdBP.exe

Loads dropped DLL 2 IoCs

pid	Process
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\taskhost.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QVQFdBP.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
520	QVQFdBP.exe
1216	taskhost.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
Token: SeBackupPrivilege	520	QVQFdBP.exe
Token: SeBackupPrivilege	1216	taskhost.exe
Token: SeBackupPrivilege	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
Token: SeBackupPrivilege	1316	Dwm.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 520	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	27
PID 1548 wrote to memory of 520	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	27
PID 1548 wrote to memory of 520	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	27
PID 1548 wrote to memory of 1216	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	11
PID 1548 wrote to memory of 688	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	28
PID 1548 wrote to memory of 688	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	28
PID 1548 wrote to memory of 688	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	28
PID 1548 wrote to memory of 1456	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	30
PID 1548 wrote to memory of 1456	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	30
PID 1548 wrote to memory of 1456	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	30
PID 1548 wrote to memory of 1316	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	10
PID 1456 wrote to memory of 836	1456	net.exe	33
PID 1456 wrote to memory of 836	1456	net.exe	33
PID 1456 wrote to memory of 836	1456	net.exe	33
PID 688 wrote to memory of 1568	688	net.exe	32
PID 688 wrote to memory of 1568	688	net.exe	32
PID 688 wrote to memory of 1568	688	net.exe	32
PID 520 wrote to memory of 1264	520	QVQFdBP.exe	34
PID 520 wrote to memory of 1264	520	QVQFdBP.exe	34
PID 520 wrote to memory of 1264	520	QVQFdBP.exe	34
PID 1264 wrote to memory of 1460	1264	net.exe	36
PID 1264 wrote to memory of 1460	1264	net.exe	36
PID 1264 wrote to memory of 1460	1264	net.exe	36
PID 1216 wrote to memory of 1828	1216	taskhost.exe	37
PID 1216 wrote to memory of 1828	1216	taskhost.exe	37
PID 1216 wrote to memory of 1828	1216	taskhost.exe	37
PID 1216 wrote to memory of 1172	1216	taskhost.exe	38
PID 1216 wrote to memory of 1172	1216	taskhost.exe	38
PID 1216 wrote to memory of 1172	1216	taskhost.exe	38
PID 1172 wrote to memory of 1028	1172	net.exe	40
PID 1172 wrote to memory of 1028	1172	net.exe	40
PID 1172 wrote to memory of 1028	1172	net.exe	40
PID 1548 wrote to memory of 888	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	41
PID 1548 wrote to memory of 888	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	41
PID 1548 wrote to memory of 888	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	41
PID 1548 wrote to memory of 1504	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	42
PID 1548 wrote to memory of 1504	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	42
PID 1548 wrote to memory of 1504	1548	d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe	42
PID 1504 wrote to memory of 1748	1504	net.exe	44
PID 1504 wrote to memory of 1748	1504	net.exe	44
PID 1504 wrote to memory of 1748	1504	net.exe	44
PID 1828 wrote to memory of 604	1828	cmd.exe	47
PID 1828 wrote to memory of 604	1828	cmd.exe	47
PID 1828 wrote to memory of 604	1828	cmd.exe	47
PID 888 wrote to memory of 1628	888	cmd.exe	48
PID 888 wrote to memory of 1628	888	cmd.exe	48
PID 888 wrote to memory of 1628	888	cmd.exe	48
PID 520 wrote to memory of 4392	520	QVQFdBP.exe	49
PID 520 wrote to memory of 4392	520	QVQFdBP.exe	49
PID 520 wrote to memory of 4392	520	QVQFdBP.exe	49
PID 4392 wrote to memory of 4416	4392	cmd.exe	51
PID 4392 wrote to memory of 4416	4392	cmd.exe	51
PID 4392 wrote to memory of 4416	4392	cmd.exe	51

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
    3⤵
    - Adds Run key to start application
    PID:604
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1028

C:\Users\Admin\AppData\Local\Temp\d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe
"C:\Users\Admin\AppData\Local\Temp\d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\QVQFdBP.exe
  "C:\Users\Admin\AppData\Local\Temp\QVQFdBP.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1460
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QVQFdBP.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QVQFdBP.exe" /f
      4⤵
      Adds Run key to start application
      PID:4416
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1568
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d27d318e35c5a625f2f29128dea3982dede23c96292056c6c2d18a73b82f946b.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1628
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-61-0x000000013F170000-0x000000013F2E5000-memory.dmp

Filesize
1.5MB

Download
memory/1216-59-0x000000013F170000-0x000000013F2E5000-memory.dmp

Filesize
1.5MB

Download
memory/1548-55-0x000007FEFB801000-0x000007FEFB803000-memory.dmp

Filesize
8KB

Download