ryuk | 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71

General

Target

5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
Size

150KB
MD5

f763a2291bcb03be0e64bb3cd34b8424
SHA1

ce182b871f86dd2a54143288c559e9baa3e16b5c
SHA256

5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71
SHA512

77850884db6a62e04f7eb0857ce16eefbe94dddd1451a8ad53a9a4bd3333e29aa1cb65e61550ab5517038fde928803246b8185b853cf1f62c462c55eaf71f647

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 12N7W9ycLhuck9Q2wT8E6BaN6XzZ4DMLau Ryuk No system is safe

Emails

[email protected]

Wallets

12N7W9ycLhuck9Q2wT8E6BaN6XzZ4DMLau

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\ImportBlock.vdx	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas	taskhost.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado25.tlb	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Eurosti.TTF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Cordoba	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kiritimati	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nipigon	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

pid process

1040 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

description pid process

Token: SeDebugPrivilege 1040 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

pid	process
1040	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

description	pid	process
Token: SeDebugPrivilege	1040	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.execmd.exe

description	pid	process	target process
PID 1040 wrote to memory of 1920	1040	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	cmd.exe
PID 1040 wrote to memory of 1920	1040	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	cmd.exe
PID 1040 wrote to memory of 1920	1040	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	cmd.exe
PID 1040 wrote to memory of 1128	1040	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	taskhost.exe
PID 1920 wrote to memory of 544	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 544	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 544	1920	cmd.exe	reg.exe
PID 1040 wrote to memory of 1196	1040	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	Dwm.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
PID:1128

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
"C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe" /f
3⤵
- Adds Run key to start application
PID:544

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-54-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

Filesize
8KB

Download
memory/1128-55-0x000000013F7B0000-0x000000013FB39000-memory.dmp

Filesize
3.5MB

Download
memory/1128-56-0x000000013F7B0000-0x000000013FB39000-memory.dmp

Filesize
3.5MB

Download
memory/1196-58-0x000000013F7B0000-0x000000013FB39000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads