ryuk | e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a

Analysis

max time kernel
168s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20/02/2022, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
Size

190KB
MD5

fb0cc68e9679d61aa39779cabc5e6196
SHA1

fe91a5a32aa26e92925426b88f810b215610d8b4
SHA256

e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a
SHA512

12ae1da23953ba65108aa2358942a77c442e57580fde053b435569d7ac15af6b077a8febf4d2d36489ca4aae130e6a737d4ff2e60f0aebecc9fe491f4614b54e

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 10592 created 4244	10592	WerFault.exe	85

Executes dropped EXE 1 IoCs

pid	Process
4244	hFWNqPV.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	hFWNqPV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
4244	hFWNqPV.exe
4244	hFWNqPV.exe
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
4244	hFWNqPV.exe
4244	hFWNqPV.exe
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
Token: SeBackupPrivilege	4244	hFWNqPV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 4244	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	85
PID 1088 wrote to memory of 4244	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	85
PID 1088 wrote to memory of 4244	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	85
PID 1088 wrote to memory of 3676	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	86
PID 1088 wrote to memory of 3676	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	86
PID 1088 wrote to memory of 3676	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	86
PID 1088 wrote to memory of 1780	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	88
PID 1088 wrote to memory of 1780	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	88
PID 1088 wrote to memory of 1780	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	88
PID 3676 wrote to memory of 1360	3676	net.exe	90
PID 3676 wrote to memory of 1360	3676	net.exe	90
PID 3676 wrote to memory of 1360	3676	net.exe	90
PID 1780 wrote to memory of 1496	1780	net.exe	91
PID 1780 wrote to memory of 1496	1780	net.exe	91
PID 1780 wrote to memory of 1496	1780	net.exe	91
PID 1088 wrote to memory of 1048	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	92
PID 1088 wrote to memory of 1048	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	92
PID 1088 wrote to memory of 1048	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	92
PID 1088 wrote to memory of 1180	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	94
PID 1088 wrote to memory of 1180	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	94
PID 1088 wrote to memory of 1180	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	94
PID 1048 wrote to memory of 4900	1048	net.exe	96
PID 1048 wrote to memory of 4900	1048	net.exe	96
PID 1048 wrote to memory of 4900	1048	net.exe	96
PID 1180 wrote to memory of 1112	1180	net.exe	97
PID 1180 wrote to memory of 1112	1180	net.exe	97
PID 1180 wrote to memory of 1112	1180	net.exe	97
PID 4244 wrote to memory of 2856	4244	hFWNqPV.exe	98
PID 4244 wrote to memory of 2856	4244	hFWNqPV.exe	98
PID 4244 wrote to memory of 2856	4244	hFWNqPV.exe	98
PID 2856 wrote to memory of 4564	2856	net.exe	100
PID 2856 wrote to memory of 4564	2856	net.exe	100
PID 2856 wrote to memory of 4564	2856	net.exe	100
PID 4244 wrote to memory of 4996	4244	hFWNqPV.exe	101
PID 4244 wrote to memory of 4996	4244	hFWNqPV.exe	101
PID 4244 wrote to memory of 4996	4244	hFWNqPV.exe	101
PID 4996 wrote to memory of 4848	4996	net.exe	103
PID 4996 wrote to memory of 4848	4996	net.exe	103
PID 4996 wrote to memory of 4848	4996	net.exe	103
PID 1088 wrote to memory of 1432	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	107
PID 1088 wrote to memory of 1432	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	107
PID 1088 wrote to memory of 1432	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	107
PID 1088 wrote to memory of 1336	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	104
PID 1088 wrote to memory of 1336	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	104
PID 1088 wrote to memory of 1336	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	104
PID 1336 wrote to memory of 4992	1336	net.exe	108
PID 1336 wrote to memory of 4992	1336	net.exe	108
PID 1336 wrote to memory of 4992	1336	net.exe	108
PID 1432 wrote to memory of 2772	1432	net.exe	109
PID 1432 wrote to memory of 2772	1432	net.exe	109
PID 1432 wrote to memory of 2772	1432	net.exe	109
PID 4244 wrote to memory of 4504	4244	hFWNqPV.exe	110
PID 4244 wrote to memory of 4504	4244	hFWNqPV.exe	110
PID 4244 wrote to memory of 4504	4244	hFWNqPV.exe	110
PID 4504 wrote to memory of 4972	4504	net.exe	112
PID 4504 wrote to memory of 4972	4504	net.exe	112
PID 4504 wrote to memory of 4972	4504	net.exe	112
PID 1088 wrote to memory of 11188	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	115
PID 1088 wrote to memory of 11188	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	115
PID 1088 wrote to memory of 11188	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	115
PID 1088 wrote to memory of 11196	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	114
PID 1088 wrote to memory of 11196	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	114
PID 1088 wrote to memory of 11196	1088	e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe	114
PID 11188 wrote to memory of 10480	11188	net.exe	118

C:\Users\Admin\AppData\Local\Temp\e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe
"C:\Users\Admin\AppData\Local\Temp\e63a0fdaaaf0aa3363522e1db78c9f06babb6cfb452aa8cd139aee77e8cbc15a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\hFWNqPV.exe
  "C:\Users\Admin\AppData\Local\Temp\hFWNqPV.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:4564
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:4972
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1360
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4900
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1112
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4992
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2772
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:11196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:10492
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:11188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:10480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4244 -ip 4244
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads