ryuk | 4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1

Analysis

max time kernel
168s
max time network
141s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
Size

112KB
MD5

253ca028e0e6c66a5933af768ff0516a
SHA1

c8122f753fdaee7139f3fad1ed3c564fb52fd210
SHA256

4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1
SHA512

0b92be9dd25d83c1a324b0cc0e54800333c7f71635be15ba777985c40a17fadace1fdeb1c49eec457c946c46753a87a27f6a8a1ae4113bee644a3e7b9d0908e0

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
288	eMbWfvbujlan.exe
1176	rcjuvQrFWlan.exe

Loads dropped DLL 4 IoCs

pid	Process
1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
592	icacls.exe
1648	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1308	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeBackupPrivilege	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
Token: SeBackupPrivilege	288	eMbWfvbujlan.exe
Token: SeBackupPrivilege	1176	rcjuvQrFWlan.exe
Token: SeIncreaseQuotaPrivilege	2272	WMIC.exe
Token: SeSecurityPrivilege	2272	WMIC.exe
Token: SeTakeOwnershipPrivilege	2272	WMIC.exe
Token: SeLoadDriverPrivilege	2272	WMIC.exe
Token: SeSystemProfilePrivilege	2272	WMIC.exe
Token: SeSystemtimePrivilege	2272	WMIC.exe
Token: SeProfSingleProcessPrivilege	2272	WMIC.exe
Token: SeIncBasePriorityPrivilege	2272	WMIC.exe
Token: SeCreatePagefilePrivilege	2272	WMIC.exe
Token: SeBackupPrivilege	2272	WMIC.exe
Token: SeRestorePrivilege	2272	WMIC.exe
Token: SeShutdownPrivilege	2272	WMIC.exe
Token: SeDebugPrivilege	2272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2272	WMIC.exe
Token: SeRemoteShutdownPrivilege	2272	WMIC.exe
Token: SeUndockPrivilege	2272	WMIC.exe
Token: SeManageVolumePrivilege	2272	WMIC.exe
Token: 33	2272	WMIC.exe
Token: 34	2272	WMIC.exe
Token: 35	2272	WMIC.exe
Token: SeBackupPrivilege	2496	vssvc.exe
Token: SeRestorePrivilege	2496	vssvc.exe
Token: SeAuditPrivilege	2496	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2272	WMIC.exe
Token: SeSecurityPrivilege	2272	WMIC.exe
Token: SeTakeOwnershipPrivilege	2272	WMIC.exe
Token: SeLoadDriverPrivilege	2272	WMIC.exe
Token: SeSystemProfilePrivilege	2272	WMIC.exe
Token: SeSystemtimePrivilege	2272	WMIC.exe
Token: SeProfSingleProcessPrivilege	2272	WMIC.exe
Token: SeIncBasePriorityPrivilege	2272	WMIC.exe
Token: SeCreatePagefilePrivilege	2272	WMIC.exe
Token: SeBackupPrivilege	2272	WMIC.exe
Token: SeRestorePrivilege	2272	WMIC.exe
Token: SeShutdownPrivilege	2272	WMIC.exe
Token: SeDebugPrivilege	2272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2272	WMIC.exe
Token: SeRemoteShutdownPrivilege	2272	WMIC.exe
Token: SeUndockPrivilege	2272	WMIC.exe
Token: SeManageVolumePrivilege	2272	WMIC.exe
Token: 33	2272	WMIC.exe
Token: 34	2272	WMIC.exe
Token: 35	2272	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 288	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	27
PID 1752 wrote to memory of 288	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	27
PID 1752 wrote to memory of 288	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	27
PID 1752 wrote to memory of 288	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	27
PID 1752 wrote to memory of 1176	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	28
PID 1752 wrote to memory of 1176	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	28
PID 1752 wrote to memory of 1176	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	28
PID 1752 wrote to memory of 1176	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	28
PID 1752 wrote to memory of 384	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	32
PID 1752 wrote to memory of 384	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	32
PID 1752 wrote to memory of 384	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	32
PID 1752 wrote to memory of 384	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	32
PID 1752 wrote to memory of 1048	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	31
PID 1752 wrote to memory of 1048	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	31
PID 1752 wrote to memory of 1048	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	31
PID 1752 wrote to memory of 1048	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	31
PID 1752 wrote to memory of 1744	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	30
PID 1752 wrote to memory of 1744	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	30
PID 1752 wrote to memory of 1744	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	30
PID 1752 wrote to memory of 1744	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	30
PID 1752 wrote to memory of 1132	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	33
PID 1752 wrote to memory of 1132	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	33
PID 1752 wrote to memory of 1132	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	33
PID 1752 wrote to memory of 1132	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	33
PID 1752 wrote to memory of 592	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	36
PID 1752 wrote to memory of 592	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	36
PID 1752 wrote to memory of 592	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	36
PID 1752 wrote to memory of 592	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	36
PID 1752 wrote to memory of 1648	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	37
PID 1752 wrote to memory of 1648	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	37
PID 1752 wrote to memory of 1648	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	37
PID 1752 wrote to memory of 1648	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	37
PID 1048 wrote to memory of 1308	1048	cmd.exe	43
PID 1048 wrote to memory of 1308	1048	cmd.exe	43
PID 1048 wrote to memory of 1308	1048	cmd.exe	43
PID 1048 wrote to memory of 1308	1048	cmd.exe	43
PID 384 wrote to memory of 2272	384	cmd.exe	44
PID 384 wrote to memory of 2272	384	cmd.exe	44
PID 384 wrote to memory of 2272	384	cmd.exe	44
PID 384 wrote to memory of 2272	384	cmd.exe	44
PID 1752 wrote to memory of 2452	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	46
PID 1752 wrote to memory of 2452	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	46
PID 1752 wrote to memory of 2452	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	46
PID 1752 wrote to memory of 2452	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	46
PID 1752 wrote to memory of 2460	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	45
PID 1752 wrote to memory of 2460	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	45
PID 1752 wrote to memory of 2460	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	45
PID 1752 wrote to memory of 2460	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	45
PID 1752 wrote to memory of 2520	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	53
PID 1752 wrote to memory of 2520	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	53
PID 1752 wrote to memory of 2520	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	53
PID 1752 wrote to memory of 2520	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	53
PID 1752 wrote to memory of 2528	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	50
PID 1752 wrote to memory of 2528	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	50
PID 1752 wrote to memory of 2528	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	50
PID 1752 wrote to memory of 2528	1752	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	50
PID 2460 wrote to memory of 2944	2460	net.exe	57
PID 2460 wrote to memory of 2944	2460	net.exe	57
PID 2460 wrote to memory of 2944	2460	net.exe	57
PID 2460 wrote to memory of 2944	2460	net.exe	57
PID 2520 wrote to memory of 2960	2520	net.exe	55
PID 2520 wrote to memory of 2960	2520	net.exe	55
PID 2520 wrote to memory of 2960	2520	net.exe	55
PID 2520 wrote to memory of 2960	2520	net.exe	55

C:\Users\Admin\AppData\Local\Temp\4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
"C:\Users\Admin\AppData\Local\Temp\4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\eMbWfvbujlan.exe
  "C:\Users\Admin\AppData\Local\Temp\eMbWfvbujlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Users\Admin\AppData\Local\Temp\rcjuvQrFWlan.exe
  "C:\Users\Admin\AppData\Local\Temp\rcjuvQrFWlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "WMIC.exe shadowcopy delete"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:1132
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:592
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1648
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2944
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2952
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2968
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2960
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:8588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8696
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:8580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1752-55-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download