ryuk | 8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2

Analysis

max time kernel
177s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
Size

187KB
MD5

2ee9a7ce3356c032d49c1947761c63b2
SHA1

30181311c46b89cc3e01d3d8207c4c533199fa88
SHA256

8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2
SHA512

d2e8c140e5935ab0761283c8f85a0f9881129a0f131e51d1d4e1257d47874be9326437bac33c1f921eff3f0658b0147f026492083e47d8bea6b50ddc9873afd2

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 10412 created 1300 10412 WerFault.exe LIwIAuS.exe
PID 10420 created 1300 10420 WerFault.exe LIwIAuS.exe
Executes dropped EXE 1 IoCs

Processes:

LIwIAuS.exe

pid process

1300 LIwIAuS.exe

description	pid	process	target process
PID 10412 created 1300	10412	WerFault.exe	LIwIAuS.exe
PID 10420 created 1300	10420	WerFault.exe	LIwIAuS.exe

pid	process
1300	LIwIAuS.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LIwIAuS.exe8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LIwIAuS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exeLIwIAuS.exe

pid	process
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
1300	LIwIAuS.exe
1300	LIwIAuS.exe
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exeLIwIAuS.exe

description	pid	process
Token: SeBackupPrivilege	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
Token: SeBackupPrivilege	1300	LIwIAuS.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exenet.exenet.exenet.exenet.exeLIwIAuS.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4692 wrote to memory of 1300	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	LIwIAuS.exe
PID 4692 wrote to memory of 1300	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	LIwIAuS.exe
PID 4692 wrote to memory of 1300	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	LIwIAuS.exe
PID 4692 wrote to memory of 1244	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 1244	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 1244	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 1244 wrote to memory of 4416	1244	net.exe	net1.exe
PID 1244 wrote to memory of 4416	1244	net.exe	net1.exe
PID 1244 wrote to memory of 4416	1244	net.exe	net1.exe
PID 4692 wrote to memory of 3528	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 3528	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 3528	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 3528 wrote to memory of 632	3528	net.exe	net1.exe
PID 3528 wrote to memory of 632	3528	net.exe	net1.exe
PID 3528 wrote to memory of 632	3528	net.exe	net1.exe
PID 4692 wrote to memory of 2664	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 2664	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 2664	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 2664 wrote to memory of 4644	2664	net.exe	net1.exe
PID 2664 wrote to memory of 4644	2664	net.exe	net1.exe
PID 2664 wrote to memory of 4644	2664	net.exe	net1.exe
PID 4692 wrote to memory of 1932	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 1932	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 1932	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 1932 wrote to memory of 3596	1932	net.exe	net1.exe
PID 1932 wrote to memory of 3596	1932	net.exe	net1.exe
PID 1932 wrote to memory of 3596	1932	net.exe	net1.exe
PID 1300 wrote to memory of 1168	1300	LIwIAuS.exe	net.exe
PID 1300 wrote to memory of 1168	1300	LIwIAuS.exe	net.exe
PID 1300 wrote to memory of 1168	1300	LIwIAuS.exe	net.exe
PID 1168 wrote to memory of 4756	1168	net.exe	net1.exe
PID 1168 wrote to memory of 4756	1168	net.exe	net1.exe
PID 1168 wrote to memory of 4756	1168	net.exe	net1.exe
PID 1300 wrote to memory of 5036	1300	LIwIAuS.exe	net.exe
PID 1300 wrote to memory of 5036	1300	LIwIAuS.exe	net.exe
PID 1300 wrote to memory of 5036	1300	LIwIAuS.exe	net.exe
PID 4692 wrote to memory of 3312	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 3312	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 3312	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 504	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 504	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 504	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 10152	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 10152	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 10152	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 9792	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 9792	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 4692 wrote to memory of 9792	4692	8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe	net.exe
PID 5036 wrote to memory of 9988	5036	net.exe	net1.exe
PID 5036 wrote to memory of 9988	5036	net.exe	net1.exe
PID 5036 wrote to memory of 9988	5036	net.exe	net1.exe
PID 504 wrote to memory of 10020	504	net.exe	net1.exe
PID 504 wrote to memory of 10020	504	net.exe	net1.exe
PID 504 wrote to memory of 10020	504	net.exe	net1.exe
PID 10152 wrote to memory of 10024	10152	net.exe	net1.exe
PID 10152 wrote to memory of 10024	10152	net.exe	net1.exe
PID 10152 wrote to memory of 10024	10152	net.exe	net1.exe
PID 9792 wrote to memory of 3120	9792	net.exe	net1.exe
PID 9792 wrote to memory of 3120	9792	net.exe	net1.exe
PID 9792 wrote to memory of 3120	9792	net.exe	net1.exe
PID 3312 wrote to memory of 10036	3312	net.exe	net1.exe
PID 3312 wrote to memory of 10036	3312	net.exe	net1.exe
PID 3312 wrote to memory of 10036	3312	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
"C:\Users\Admin\AppData\Local\Temp\8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe
  "C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:4756
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:9988
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4416
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:632
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4644
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3596
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:10036
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:10020
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:10024
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:9792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1300 -ip 1300
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1300 -ip 1300
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe

MD5
2ee9a7ce3356c032d49c1947761c63b2

SHA1
30181311c46b89cc3e01d3d8207c4c533199fa88

SHA256
8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2

SHA512
d2e8c140e5935ab0761283c8f85a0f9881129a0f131e51d1d4e1257d47874be9326437bac33c1f921eff3f0658b0147f026492083e47d8bea6b50ddc9873afd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe

MD5
2ee9a7ce3356c032d49c1947761c63b2

SHA1
30181311c46b89cc3e01d3d8207c4c533199fa88

SHA256
8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2

SHA512
d2e8c140e5935ab0761283c8f85a0f9881129a0f131e51d1d4e1257d47874be9326437bac33c1f921eff3f0658b0147f026492083e47d8bea6b50ddc9873afd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
cc9731a1394a7195d52b9770a4b1f71e

SHA1
b39a6e2e5b63caf53add9b3596dd7426f02f1969

SHA256
545183ba23f32b6ad8a4ee26e0101171eb398ad4f528506a99e2720ab30a5476

SHA512
fa29e221fe23962d550490e61e32a8193fb23d20894b1e10a2b97c9133e1c4bec3c02d42fc0046a3cc16918e981337301e4863817d25ca3f13422b9babd5e273

Download Submit