ryuk | 529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967

General

Target

529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
Size

171KB
MD5

bb0929ec43b8eea61ab777ecd9f44541
SHA1

f1fd81590a93b8895884f2bafcd8d48de1627fdb
SHA256

529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967
SHA512

09dadd375f5faebeba2761dc7cfc6cc7cdb52ecce3798044a88c5bc165d2e6b3c3810a7ff62641363e613a5c9f512f0be5d0bbdac83f68838feaac26b78680a0

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Special warning for system administrators, network administrators and third parties: Do not try to solve this problem by yourselves! Don't change file extensions! It can be dangerous for the encrypted information! Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files.Your system administrators are trying to solve problem by simple file extension changing. This actions seriously increase the time needed to recover your company's PCs and network servers! To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 2 IoCs

Processes:

529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.657461"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899941317718715"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4132"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4304"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4296"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.105804"	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe

pid	process
2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe

description	pid	process
Token: SeDebugPrivilege	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
Token: SeBackupPrivilege	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe

description	pid	process	target process
PID 2120 wrote to memory of 2196	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	sihost.exe
PID 2120 wrote to memory of 2216	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	svchost.exe
PID 2120 wrote to memory of 2268	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	taskhostw.exe
PID 2120 wrote to memory of 2520	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	svchost.exe
PID 2120 wrote to memory of 2712	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	DllHost.exe
PID 2120 wrote to memory of 2888	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	StartMenuExperienceHost.exe
PID 2120 wrote to memory of 2952	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	RuntimeBroker.exe
PID 2120 wrote to memory of 3032	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	SearchApp.exe
PID 2120 wrote to memory of 2604	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	RuntimeBroker.exe
PID 2120 wrote to memory of 3324	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	RuntimeBroker.exe
PID 2120 wrote to memory of 4036	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	RuntimeBroker.exe
PID 2120 wrote to memory of 3304	2120	529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe	backgroundTaskHost.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4036

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3304

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3324

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2604

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2520

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2216

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe
"C:\Users\Admin\AppData\Local\Temp\529cefc842349f283599931e53f5b97bd6083e986e8a8e16f8aca370d5390967.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads