ryuk | e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf

Analysis

max time kernel
176s
max time network
90s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
Size

192KB
MD5

ce36b667dc2411b83ab678a66c42065a
SHA1

40a41587d785406e2d5c8b782492f18b8c034305
SHA256

e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf
SHA512

503f0fc072271880a13bb412eee27191e8d2f1d0af51daf5d4d55be6f33843f6427a0155e1600d447526147a7647e1c883853e30fe72a57904bd613af16104ff

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
1764	hhgsEmD.exe

Loads dropped DLL 2 IoCs

pid	Process
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhgsEmD.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1764	hhgsEmD.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1764	hhgsEmD.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1764	hhgsEmD.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
Token: SeBackupPrivilege	1764	hhgsEmD.exe
Token: SeBackupPrivilege	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1764	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	27
PID 1480 wrote to memory of 1764	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	27
PID 1480 wrote to memory of 1764	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	27
PID 1480 wrote to memory of 1764	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	27
PID 1480 wrote to memory of 1244	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	16
PID 1480 wrote to memory of 1348	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	15
PID 1480 wrote to memory of 860	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	28
PID 1480 wrote to memory of 860	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	28
PID 1480 wrote to memory of 860	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	28
PID 1480 wrote to memory of 860	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	28
PID 860 wrote to memory of 1412	860	net.exe	30
PID 860 wrote to memory of 1412	860	net.exe	30
PID 860 wrote to memory of 1412	860	net.exe	30
PID 860 wrote to memory of 1412	860	net.exe	30
PID 1480 wrote to memory of 1128	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	31
PID 1480 wrote to memory of 1128	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	31
PID 1480 wrote to memory of 1128	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	31
PID 1480 wrote to memory of 1128	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	31
PID 1128 wrote to memory of 1780	1128	net.exe	33
PID 1128 wrote to memory of 1780	1128	net.exe	33
PID 1128 wrote to memory of 1780	1128	net.exe	33
PID 1128 wrote to memory of 1780	1128	net.exe	33
PID 1764 wrote to memory of 1928	1764	hhgsEmD.exe	34
PID 1764 wrote to memory of 1928	1764	hhgsEmD.exe	34
PID 1764 wrote to memory of 1928	1764	hhgsEmD.exe	34
PID 1764 wrote to memory of 1928	1764	hhgsEmD.exe	34
PID 1928 wrote to memory of 1756	1928	net.exe	36
PID 1928 wrote to memory of 1756	1928	net.exe	36
PID 1928 wrote to memory of 1756	1928	net.exe	36
PID 1928 wrote to memory of 1756	1928	net.exe	36
PID 1480 wrote to memory of 1560	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	38
PID 1480 wrote to memory of 1560	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	38
PID 1480 wrote to memory of 1560	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	38
PID 1480 wrote to memory of 1560	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	38
PID 1560 wrote to memory of 1924	1560	net.exe	41
PID 1560 wrote to memory of 1924	1560	net.exe	41
PID 1560 wrote to memory of 1924	1560	net.exe	41
PID 1560 wrote to memory of 1924	1560	net.exe	41
PID 1480 wrote to memory of 1068	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	42
PID 1480 wrote to memory of 1068	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	42
PID 1480 wrote to memory of 1068	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	42
PID 1480 wrote to memory of 1068	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	42
PID 1068 wrote to memory of 748	1068	cmd.exe	44
PID 1068 wrote to memory of 748	1068	cmd.exe	44
PID 1068 wrote to memory of 748	1068	cmd.exe	44
PID 1068 wrote to memory of 748	1068	cmd.exe	44
PID 1764 wrote to memory of 8612	1764	hhgsEmD.exe	45
PID 1764 wrote to memory of 8612	1764	hhgsEmD.exe	45
PID 1764 wrote to memory of 8612	1764	hhgsEmD.exe	45
PID 1764 wrote to memory of 8612	1764	hhgsEmD.exe	45
PID 8612 wrote to memory of 8640	8612	cmd.exe	47
PID 8612 wrote to memory of 8640	8612	cmd.exe	47
PID 8612 wrote to memory of 8640	8612	cmd.exe	47
PID 8612 wrote to memory of 8640	8612	cmd.exe	47
PID 1480 wrote to memory of 8904	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	48
PID 1480 wrote to memory of 8904	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	48
PID 1480 wrote to memory of 8904	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	48
PID 1480 wrote to memory of 8904	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	48
PID 8904 wrote to memory of 8968	8904	net.exe	50
PID 8904 wrote to memory of 8968	8904	net.exe	50
PID 8904 wrote to memory of 8968	8904	net.exe	50
PID 8904 wrote to memory of 8968	8904	net.exe	50
PID 1764 wrote to memory of 9056	1764	hhgsEmD.exe	51
PID 1764 wrote to memory of 9056	1764	hhgsEmD.exe	51

C:\Users\Admin\AppData\Local\Temp\e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
"C:\Users\Admin\AppData\Local\Temp\e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\hhgsEmD.exe
  "C:\Users\Admin\AppData\Local\Temp\hhgsEmD.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\hhgsEmD.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:8612
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\hhgsEmD.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:8640
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:9056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:9080
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:36588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:36792
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1412
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1780
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:748
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8968
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:9144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:9168
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:30208
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:30232
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:46428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:46452

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1348

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1244-59-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1480-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download