ryuk | 3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8

Analysis

max time kernel
167s
max time network
158s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
Size

193KB
MD5

cb5e16ee3c210f4112a244b577c749ba
SHA1

5f8b636dcc5ad2a77fe96923cdce67277b584317
SHA256

3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8
SHA512

5ca67a4df63a73fa1062c89b9f114fc4e828597ff67d1679c0bb7bbcddb66d04d8ed02b91b5e1ec210196b2e4a8331d3564e65fd6149dfb3af0144cc12131bf3

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
952	SYBRSoS.exe

Loads dropped DLL 2 IoCs

pid	Process
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SYBRSoS.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
952	SYBRSoS.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
952	SYBRSoS.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
952	SYBRSoS.exe
952	SYBRSoS.exe
952	SYBRSoS.exe
952	SYBRSoS.exe
952	SYBRSoS.exe
952	SYBRSoS.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
Token: SeBackupPrivilege	952	SYBRSoS.exe
Token: SeBackupPrivilege	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 952	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	27
PID 1448 wrote to memory of 952	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	27
PID 1448 wrote to memory of 952	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	27
PID 1448 wrote to memory of 952	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	27
PID 1448 wrote to memory of 1256	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	12
PID 1448 wrote to memory of 780	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	28
PID 1448 wrote to memory of 780	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	28
PID 1448 wrote to memory of 780	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	28
PID 1448 wrote to memory of 780	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	28
PID 780 wrote to memory of 1216	780	net.exe	30
PID 780 wrote to memory of 1216	780	net.exe	30
PID 780 wrote to memory of 1216	780	net.exe	30
PID 780 wrote to memory of 1216	780	net.exe	30
PID 1448 wrote to memory of 1556	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	31
PID 1448 wrote to memory of 1556	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	31
PID 1448 wrote to memory of 1556	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	31
PID 1448 wrote to memory of 1556	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	31
PID 1556 wrote to memory of 852	1556	net.exe	33
PID 1556 wrote to memory of 852	1556	net.exe	33
PID 1556 wrote to memory of 852	1556	net.exe	33
PID 1556 wrote to memory of 852	1556	net.exe	33
PID 1448 wrote to memory of 1360	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	11
PID 1448 wrote to memory of 1468	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	35
PID 1448 wrote to memory of 1468	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	35
PID 1448 wrote to memory of 1468	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	35
PID 1448 wrote to memory of 1468	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	35
PID 1468 wrote to memory of 1124	1468	net.exe	37
PID 1468 wrote to memory of 1124	1468	net.exe	37
PID 1468 wrote to memory of 1124	1468	net.exe	37
PID 1468 wrote to memory of 1124	1468	net.exe	37
PID 1448 wrote to memory of 888	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	38
PID 1448 wrote to memory of 888	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	38
PID 1448 wrote to memory of 888	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	38
PID 1448 wrote to memory of 888	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	38
PID 888 wrote to memory of 1736	888	cmd.exe	41
PID 888 wrote to memory of 1736	888	cmd.exe	41
PID 888 wrote to memory of 1736	888	cmd.exe	41
PID 888 wrote to memory of 1736	888	cmd.exe	41
PID 952 wrote to memory of 2200	952	SYBRSoS.exe	42
PID 952 wrote to memory of 2200	952	SYBRSoS.exe	42
PID 952 wrote to memory of 2200	952	SYBRSoS.exe	42
PID 952 wrote to memory of 2200	952	SYBRSoS.exe	42
PID 2200 wrote to memory of 2224	2200	net.exe	44
PID 2200 wrote to memory of 2224	2200	net.exe	44
PID 2200 wrote to memory of 2224	2200	net.exe	44
PID 2200 wrote to memory of 2224	2200	net.exe	44
PID 952 wrote to memory of 3616	952	SYBRSoS.exe	45
PID 952 wrote to memory of 3616	952	SYBRSoS.exe	45
PID 952 wrote to memory of 3616	952	SYBRSoS.exe	45
PID 952 wrote to memory of 3616	952	SYBRSoS.exe	45
PID 3616 wrote to memory of 3808	3616	cmd.exe	47
PID 3616 wrote to memory of 3808	3616	cmd.exe	47
PID 3616 wrote to memory of 3808	3616	cmd.exe	47
PID 3616 wrote to memory of 3808	3616	cmd.exe	47
PID 1448 wrote to memory of 15184	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	49
PID 1448 wrote to memory of 15184	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	49
PID 1448 wrote to memory of 15184	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	49
PID 1448 wrote to memory of 15184	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	49
PID 15184 wrote to memory of 15300	15184	net.exe	50
PID 15184 wrote to memory of 15300	15184	net.exe	50
PID 15184 wrote to memory of 15300	15184	net.exe	50
PID 15184 wrote to memory of 15300	15184	net.exe	50
PID 1448 wrote to memory of 28116	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	51
PID 1448 wrote to memory of 28116	1448	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	51

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1360

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
"C:\Users\Admin\AppData\Local\Temp\3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\SYBRSoS.exe
  "C:\Users\Admin\AppData\Local\Temp\SYBRSoS.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SYBRSoS.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SYBRSoS.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:3808
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:28156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:28224
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:46228
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:46252
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1216
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:852
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:1736
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:15184
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:15300
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:28116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:28140
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:35684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:35708
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:45124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:45180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-58-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1448-54-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download