ryuk | 7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4

Analysis

max time kernel
192s
max time network
227s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
Size

200KB
MD5

f137ba372038184053d680941a2da136
SHA1

0ff2395df05c29dceeb23d6cce12798997b47b96
SHA256

7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4
SHA512

9669b187a8aa8f88954765c1fc1c9ad343bbbbda0455e0e15bd86697c23d7e2a649732498b9bd3fc8a0cdb455f57224c40374155b83031a386daec2ad88f5ab7

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
4256	lrZYmvq.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	lrZYmvq.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4568	icacls.exe
4384	icacls.exe
4556	icacls.exe
2812	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
4256	lrZYmvq.exe
4256	lrZYmvq.exe
1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
4256	lrZYmvq.exe
4256	lrZYmvq.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
Token: SeBackupPrivilege	4256	lrZYmvq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 4256	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	84
PID 1340 wrote to memory of 4256	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	84
PID 1340 wrote to memory of 4256	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	84
PID 1340 wrote to memory of 4576	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	85
PID 1340 wrote to memory of 4576	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	85
PID 1340 wrote to memory of 4576	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	85
PID 4576 wrote to memory of 3344	4576	net.exe	87
PID 4576 wrote to memory of 3344	4576	net.exe	87
PID 4576 wrote to memory of 3344	4576	net.exe	87
PID 1340 wrote to memory of 1580	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	88
PID 1340 wrote to memory of 1580	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	88
PID 1340 wrote to memory of 1580	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	88
PID 1580 wrote to memory of 2044	1580	net.exe	90
PID 1580 wrote to memory of 2044	1580	net.exe	90
PID 1580 wrote to memory of 2044	1580	net.exe	90
PID 1340 wrote to memory of 4384	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	91
PID 1340 wrote to memory of 4384	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	91
PID 1340 wrote to memory of 4384	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	91
PID 4256 wrote to memory of 4556	4256	lrZYmvq.exe	92
PID 4256 wrote to memory of 4556	4256	lrZYmvq.exe	92
PID 4256 wrote to memory of 4556	4256	lrZYmvq.exe	92
PID 4256 wrote to memory of 4568	4256	lrZYmvq.exe	94
PID 4256 wrote to memory of 4568	4256	lrZYmvq.exe	94
PID 4256 wrote to memory of 4568	4256	lrZYmvq.exe	94
PID 1340 wrote to memory of 2812	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	93
PID 1340 wrote to memory of 2812	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	93
PID 1340 wrote to memory of 2812	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	93
PID 4256 wrote to memory of 2828	4256	lrZYmvq.exe	96
PID 4256 wrote to memory of 2828	4256	lrZYmvq.exe	96
PID 4256 wrote to memory of 2828	4256	lrZYmvq.exe	96
PID 1340 wrote to memory of 3116	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	95
PID 1340 wrote to memory of 3116	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	95
PID 1340 wrote to memory of 3116	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	95
PID 1340 wrote to memory of 2152	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	104
PID 1340 wrote to memory of 2152	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	104
PID 1340 wrote to memory of 2152	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	104
PID 2152 wrote to memory of 4452	2152	net.exe	106
PID 2152 wrote to memory of 4452	2152	net.exe	106
PID 2152 wrote to memory of 4452	2152	net.exe	106
PID 1340 wrote to memory of 4760	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	107
PID 1340 wrote to memory of 4760	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	107
PID 1340 wrote to memory of 4760	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	107
PID 1340 wrote to memory of 1532	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	109
PID 1340 wrote to memory of 1532	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	109
PID 1340 wrote to memory of 1532	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	109
PID 1340 wrote to memory of 4108	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	111
PID 1340 wrote to memory of 4108	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	111
PID 1340 wrote to memory of 4108	1340	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	111
PID 4256 wrote to memory of 3684	4256	lrZYmvq.exe	113
PID 4256 wrote to memory of 3684	4256	lrZYmvq.exe	113
PID 4256 wrote to memory of 3684	4256	lrZYmvq.exe	113
PID 4256 wrote to memory of 3188	4256	lrZYmvq.exe	115
PID 4256 wrote to memory of 3188	4256	lrZYmvq.exe	115
PID 4256 wrote to memory of 3188	4256	lrZYmvq.exe	115
PID 4108 wrote to memory of 1608	4108	net.exe	117
PID 4108 wrote to memory of 1608	4108	net.exe	117
PID 4108 wrote to memory of 1608	4108	net.exe	117
PID 1532 wrote to memory of 2004	1532	net.exe	119
PID 1532 wrote to memory of 2004	1532	net.exe	119
PID 1532 wrote to memory of 2004	1532	net.exe	119
PID 4760 wrote to memory of 1980	4760	net.exe	118
PID 4760 wrote to memory of 1980	4760	net.exe	118
PID 4760 wrote to memory of 1980	4760	net.exe	118
PID 3188 wrote to memory of 1048	3188	net.exe	121

C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
"C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe
  "C:\Users\Admin\AppData\Local\Temp\lrZYmvq.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4556
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    PID:3684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2144
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1048
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:464
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3344
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2044
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4384
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  PID:3116
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4452
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1980
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2004
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1608
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4436
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads