ryuk | 7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20

Analysis

max time kernel
155s
max time network
142s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
Size

126KB
MD5

fca20e17ce8c0c3f3c78d82c953472ed
SHA1

c8ecc9b34184e7e1c15b4ed49fb838e7882dbfc6
SHA256

7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20
SHA512

5a38ab6f0401c57e0ab1a0f889fe4db8b3fbeda0abbbb87d21da870de604615446a83f6b156ecb36d9101072d429ce7589439916404bc2e76b751847b8947152

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\Searches\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\Desktop.ini	taskhost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1624	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1404	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
Token: SeBackupPrivilege	1172	taskhost.exe
Token: SeBackupPrivilege	1624	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1172	1624	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe	9
PID 1624 wrote to memory of 1308	1624	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe	15
PID 1624 wrote to memory of 1404	1624	7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe	14

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1404
- C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe
  "C:\Users\Admin\AppData\Local\Temp\7c1e0597dd5a1e2d48c9cede54843aa7c299f7404630b5a2aafac2eec7358b20.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-55-0x000000013FFC0000-0x0000000140342000-memory.dmp

Filesize
3.5MB

Download
memory/1172-57-0x000000013FFC0000-0x0000000140342000-memory.dmp

Filesize
3.5MB

Download
memory/1308-58-0x000000013FFC0000-0x0000000140342000-memory.dmp

Filesize
3.5MB

Download