ryuk | d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f

Analysis

max time kernel
244s
max time network
264s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
Size

192KB
MD5

9c2f2398a853063303817e181b7cd140
SHA1

f0c032844d33537e7f270374f1f1c28ef7670683
SHA256

d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f
SHA512

4ad5d989e5e50c7cd9a5f65de4312fe63e53c97ceddd9b33a4a026c1b2fccdc27ac7406f3ec38132fb6da6c5439396bed2fee482775f55e265934fdc80425319

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
2260	SwSTcwJ.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	SwSTcwJ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SwSTcwJ.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
2260	SwSTcwJ.exe
2260	SwSTcwJ.exe
1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
Token: SeBackupPrivilege	2260	SwSTcwJ.exe
Token: SeBackupPrivilege	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2260	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	85
PID 1712 wrote to memory of 2260	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	85
PID 1712 wrote to memory of 2260	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	85
PID 1712 wrote to memory of 2304	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	25
PID 1712 wrote to memory of 600	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	86
PID 1712 wrote to memory of 600	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	86
PID 1712 wrote to memory of 600	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	86
PID 1712 wrote to memory of 2340	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	26
PID 1712 wrote to memory of 2420	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	63
PID 1712 wrote to memory of 1304	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	36
PID 1712 wrote to memory of 3252	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	33
PID 1712 wrote to memory of 3344	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	34
PID 1712 wrote to memory of 3424	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	35
PID 1712 wrote to memory of 3504	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	39
PID 1712 wrote to memory of 3760	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	37
PID 1712 wrote to memory of 4848	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	88
PID 1712 wrote to memory of 4848	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	88
PID 1712 wrote to memory of 4848	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	88
PID 1712 wrote to memory of 3180	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	40
PID 1712 wrote to memory of 2752	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	62
PID 1712 wrote to memory of 4180	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	57
PID 1712 wrote to memory of 3584	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	84
PID 4848 wrote to memory of 3108	4848	net.exe	91
PID 4848 wrote to memory of 3108	4848	net.exe	91
PID 4848 wrote to memory of 3108	4848	net.exe	91
PID 600 wrote to memory of 2868	600	net.exe	90
PID 600 wrote to memory of 2868	600	net.exe	90
PID 600 wrote to memory of 2868	600	net.exe	90
PID 1712 wrote to memory of 1448	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	92
PID 1712 wrote to memory of 1448	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	92
PID 1712 wrote to memory of 1448	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	92
PID 1448 wrote to memory of 2448	1448	net.exe	94
PID 1448 wrote to memory of 2448	1448	net.exe	94
PID 1448 wrote to memory of 2448	1448	net.exe	94
PID 2260 wrote to memory of 3528	2260	SwSTcwJ.exe	95
PID 2260 wrote to memory of 3528	2260	SwSTcwJ.exe	95
PID 2260 wrote to memory of 3528	2260	SwSTcwJ.exe	95
PID 1712 wrote to memory of 4164	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	97
PID 1712 wrote to memory of 4164	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	97
PID 1712 wrote to memory of 4164	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	97
PID 3528 wrote to memory of 2824	3528	net.exe	99
PID 3528 wrote to memory of 2824	3528	net.exe	99
PID 3528 wrote to memory of 2824	3528	net.exe	99
PID 4164 wrote to memory of 908	4164	net.exe	100
PID 4164 wrote to memory of 908	4164	net.exe	100
PID 4164 wrote to memory of 908	4164	net.exe	100
PID 2260 wrote to memory of 392	2260	SwSTcwJ.exe	101
PID 2260 wrote to memory of 392	2260	SwSTcwJ.exe	101
PID 2260 wrote to memory of 392	2260	SwSTcwJ.exe	101
PID 392 wrote to memory of 4656	392	net.exe	103
PID 392 wrote to memory of 4656	392	net.exe	103
PID 392 wrote to memory of 4656	392	net.exe	103
PID 1712 wrote to memory of 3368	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	105
PID 1712 wrote to memory of 3368	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	105
PID 1712 wrote to memory of 3368	1712	d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe	105
PID 3368 wrote to memory of 4328	3368	cmd.exe	107
PID 3368 wrote to memory of 4328	3368	cmd.exe	107
PID 3368 wrote to memory of 4328	3368	cmd.exe	107
PID 2260 wrote to memory of 5072	2260	SwSTcwJ.exe	108
PID 2260 wrote to memory of 5072	2260	SwSTcwJ.exe	108
PID 2260 wrote to memory of 5072	2260	SwSTcwJ.exe	108
PID 5072 wrote to memory of 1300	5072	cmd.exe	110
PID 5072 wrote to memory of 1300	5072	cmd.exe	110
PID 5072 wrote to memory of 1300	5072	cmd.exe	110

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3344

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1304

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3180

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4180

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2752

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe
"C:\Users\Admin\AppData\Local\Temp\d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\SwSTcwJ.exe
  "C:\Users\Admin\AppData\Local\Temp\SwSTcwJ.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2824
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SwSTcwJ.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SwSTcwJ.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:1300
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2868
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3108
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2448
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:4328
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5268
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:5292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:5776
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:12192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:11616

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads