ryuk | 4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1

Analysis

max time kernel
173s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
Size

112KB
MD5

253ca028e0e6c66a5933af768ff0516a
SHA1

c8122f753fdaee7139f3fad1ed3c564fb52fd210
SHA256

4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1
SHA512

0b92be9dd25d83c1a324b0cc0e54800333c7f71635be15ba777985c40a17fadace1fdeb1c49eec457c946c46753a87a27f6a8a1ae4113bee644a3e7b9d0908e0

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
452	PTaGYlLwZlan.exe
560	NlVtzkEkNlan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1868	icacls.exe
432	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
Token: SeBackupPrivilege	452	PTaGYlLwZlan.exe
Token: SeBackupPrivilege	560	NlVtzkEkNlan.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 452	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	67
PID 3588 wrote to memory of 452	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	67
PID 3588 wrote to memory of 452	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	67
PID 3588 wrote to memory of 560	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	69
PID 3588 wrote to memory of 560	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	69
PID 3588 wrote to memory of 560	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	69
PID 3588 wrote to memory of 2316	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	71
PID 3588 wrote to memory of 2316	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	71
PID 3588 wrote to memory of 2316	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	71
PID 3588 wrote to memory of 3716	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	74
PID 3588 wrote to memory of 3716	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	74
PID 3588 wrote to memory of 3716	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	74
PID 3588 wrote to memory of 2652	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	73
PID 3588 wrote to memory of 2652	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	73
PID 3588 wrote to memory of 2652	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	73
PID 3588 wrote to memory of 1036	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	72
PID 3588 wrote to memory of 1036	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	72
PID 3588 wrote to memory of 1036	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	72
PID 3588 wrote to memory of 432	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	76
PID 3588 wrote to memory of 432	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	76
PID 3588 wrote to memory of 432	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	76
PID 3588 wrote to memory of 1868	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	75
PID 3588 wrote to memory of 1868	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	75
PID 3588 wrote to memory of 1868	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	75
PID 3588 wrote to memory of 4224	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	84
PID 3588 wrote to memory of 4232	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	83
PID 3588 wrote to memory of 4232	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	83
PID 3588 wrote to memory of 4232	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	83
PID 3588 wrote to memory of 4224	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	84
PID 3588 wrote to memory of 4224	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	84
PID 3588 wrote to memory of 4276	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	87
PID 3588 wrote to memory of 4276	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	87
PID 3588 wrote to memory of 4276	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	87
PID 3588 wrote to memory of 4284	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	86
PID 3588 wrote to memory of 4284	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	86
PID 3588 wrote to memory of 4284	3588	4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe	86
PID 2316 wrote to memory of 4536	2316	cmd.exe	91
PID 2316 wrote to memory of 4536	2316	cmd.exe	91
PID 2316 wrote to memory of 4536	2316	cmd.exe	91
PID 4224 wrote to memory of 4556	4224	net.exe	94
PID 4284 wrote to memory of 4548	4284	net.exe	95
PID 4224 wrote to memory of 4556	4224	net.exe	94
PID 4284 wrote to memory of 4548	4284	net.exe	95
PID 4224 wrote to memory of 4556	4224	net.exe	94
PID 4284 wrote to memory of 4548	4284	net.exe	95
PID 4232 wrote to memory of 4564	4232	net.exe	93
PID 4232 wrote to memory of 4564	4232	net.exe	93
PID 4232 wrote to memory of 4564	4232	net.exe	93
PID 4276 wrote to memory of 4572	4276	net.exe	92
PID 4276 wrote to memory of 4572	4276	net.exe	92
PID 4276 wrote to memory of 4572	4276	net.exe	92

C:\Users\Admin\AppData\Local\Temp\4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe
"C:\Users\Admin\AppData\Local\Temp\4b058c6cdfa223c3178bc56e3db00a5b6db92c405fdc8ccb9008b83aa5309cd1.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\PTaGYlLwZlan.exe
  "C:\Users\Admin\AppData\Local\Temp\PTaGYlLwZlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Users\Admin\AppData\Local\Temp\NlVtzkEkNlan.exe
  "C:\Users\Admin\AppData\Local\Temp\NlVtzkEkNlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "WMIC.exe shadowcopy delete"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3716
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1868
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:432
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4556
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4548
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4572

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads