ryuk | 3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8

Analysis

max time kernel
196s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
Size

193KB
MD5

cb5e16ee3c210f4112a244b577c749ba
SHA1

5f8b636dcc5ad2a77fe96923cdce67277b584317
SHA256

3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8
SHA512

5ca67a4df63a73fa1062c89b9f114fc4e828597ff67d1679c0bb7bbcddb66d04d8ed02b91b5e1ec210196b2e4a8331d3564e65fd6149dfb3af0144cc12131bf3

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 10900 created 2956	10900	WerFault.exe	84

Executes dropped EXE 1 IoCs

pid	Process
2956	kWzGKpv.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	kWzGKpv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kWzGKpv.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
2956	kWzGKpv.exe
2956	kWzGKpv.exe
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
2956	kWzGKpv.exe
2956	kWzGKpv.exe
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
Token: SeBackupPrivilege	2956	kWzGKpv.exe
Token: SeBackupPrivilege	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 2956	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	84
PID 4940 wrote to memory of 2956	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	84
PID 4940 wrote to memory of 2956	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	84
PID 4940 wrote to memory of 2284	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	26
PID 4940 wrote to memory of 3156	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	85
PID 4940 wrote to memory of 3156	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	85
PID 4940 wrote to memory of 3156	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	85
PID 3156 wrote to memory of 4344	3156	net.exe	88
PID 3156 wrote to memory of 4344	3156	net.exe	88
PID 3156 wrote to memory of 4344	3156	net.exe	88
PID 4940 wrote to memory of 4256	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	89
PID 4940 wrote to memory of 4256	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	89
PID 4940 wrote to memory of 4256	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	89
PID 4940 wrote to memory of 2304	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	24
PID 4256 wrote to memory of 4232	4256	net.exe	91
PID 4256 wrote to memory of 4232	4256	net.exe	91
PID 4256 wrote to memory of 4232	4256	net.exe	91
PID 4940 wrote to memory of 2404	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	25
PID 4940 wrote to memory of 3132	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	68
PID 4940 wrote to memory of 3332	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	67
PID 4940 wrote to memory of 3436	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	45
PID 4940 wrote to memory of 3500	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	44
PID 4940 wrote to memory of 3584	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	48
PID 4940 wrote to memory of 3780	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	46
PID 4940 wrote to memory of 3268	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	65
PID 4940 wrote to memory of 1580	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	57
PID 4940 wrote to memory of 3340	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	56
PID 4940 wrote to memory of 1876	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	92
PID 4940 wrote to memory of 1876	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	92
PID 4940 wrote to memory of 1876	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	92
PID 1876 wrote to memory of 4980	1876	net.exe	94
PID 1876 wrote to memory of 4980	1876	net.exe	94
PID 1876 wrote to memory of 4980	1876	net.exe	94
PID 2956 wrote to memory of 3292	2956	kWzGKpv.exe	95
PID 2956 wrote to memory of 3292	2956	kWzGKpv.exe	95
PID 2956 wrote to memory of 3292	2956	kWzGKpv.exe	95
PID 3292 wrote to memory of 1308	3292	net.exe	97
PID 3292 wrote to memory of 1308	3292	net.exe	97
PID 3292 wrote to memory of 1308	3292	net.exe	97
PID 4940 wrote to memory of 824	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	99
PID 4940 wrote to memory of 824	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	99
PID 4940 wrote to memory of 824	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	99
PID 2956 wrote to memory of 4388	2956	kWzGKpv.exe	101
PID 2956 wrote to memory of 4388	2956	kWzGKpv.exe	101
PID 2956 wrote to memory of 4388	2956	kWzGKpv.exe	101
PID 824 wrote to memory of 1088	824	cmd.exe	102
PID 824 wrote to memory of 1088	824	cmd.exe	102
PID 824 wrote to memory of 1088	824	cmd.exe	102
PID 4940 wrote to memory of 1444	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	104
PID 4940 wrote to memory of 1444	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	104
PID 4940 wrote to memory of 1444	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	104
PID 1444 wrote to memory of 4632	1444	net.exe	106
PID 1444 wrote to memory of 4632	1444	net.exe	106
PID 1444 wrote to memory of 4632	1444	net.exe	106
PID 4388 wrote to memory of 4884	4388	cmd.exe	107
PID 4388 wrote to memory of 4884	4388	cmd.exe	107
PID 4388 wrote to memory of 4884	4388	cmd.exe	107
PID 4940 wrote to memory of 10688	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	108
PID 4940 wrote to memory of 10688	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	108
PID 4940 wrote to memory of 10688	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	108
PID 10688 wrote to memory of 10764	10688	net.exe	110
PID 10688 wrote to memory of 10764	10688	net.exe	110
PID 10688 wrote to memory of 10764	10688	net.exe	110
PID 4940 wrote to memory of 11780	4940	3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe	113

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2304

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2404

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2284

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3780

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3584

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3340

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1580

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3268

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe
"C:\Users\Admin\AppData\Local\Temp\3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Admin\AppData\Local\Temp\kWzGKpv.exe
  "C:\Users\Admin\AppData\Local\Temp\kWzGKpv.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\kWzGKpv.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\kWzGKpv.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:4884
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4344
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4232
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:1088
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4632
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:10764
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:11780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:11840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2956 -ip 2956
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads