ryuk | 00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de

Analysis

max time kernel
95s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
02-03-2022 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
Size

448KB
MD5

bf7b854542cfa423dee3b7233c4a255e
SHA1

a9b09989972cc063b34c4afcd82ebe9203d61be2
SHA256

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de
SHA512

147205767585c86b29435ca44a605d06208b7e126007fbc3d5a8c1a30896f03c0d832c07608895cd1e14b3966853306ebac1058f02c2e68efc8f89fad938cada

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 39164 created 2604	39164	WerFault.exe	60

Executes dropped EXE 2 IoCs

pid	Process
3312	EBGTKjo.exe
2604	EBGTKjo.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	EBGTKjo.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3372	icacls.exe
3928	icacls.exe
1508	icacls.exe
3448	icacls.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3756 set thread context of 2988	3756	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	58
PID 3312 set thread context of 2604	3312	EBGTKjo.exe	60

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
40468	2604	WerFault.exe	60

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
2604	EBGTKjo.exe
2604	EBGTKjo.exe
2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
40468	WerFault.exe
40468	WerFault.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3756	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
3312	EBGTKjo.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
Token: SeBackupPrivilege	2604	EBGTKjo.exe
Token: SeRestorePrivilege	40468	WerFault.exe
Token: SeBackupPrivilege	40468	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3756	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
3312	EBGTKjo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 2988	3756	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	58
PID 3756 wrote to memory of 2988	3756	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	58
PID 3756 wrote to memory of 2988	3756	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	58
PID 3756 wrote to memory of 2988	3756	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	58
PID 2988 wrote to memory of 3312	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	59
PID 2988 wrote to memory of 3312	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	59
PID 2988 wrote to memory of 3312	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	59
PID 3312 wrote to memory of 2604	3312	EBGTKjo.exe	60
PID 3312 wrote to memory of 2604	3312	EBGTKjo.exe	60
PID 3312 wrote to memory of 2604	3312	EBGTKjo.exe	60
PID 3312 wrote to memory of 2604	3312	EBGTKjo.exe	60
PID 2988 wrote to memory of 808	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	61
PID 2988 wrote to memory of 808	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	61
PID 2988 wrote to memory of 808	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	61
PID 2988 wrote to memory of 384	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	63
PID 2988 wrote to memory of 384	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	63
PID 2988 wrote to memory of 384	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	63
PID 384 wrote to memory of 3656	384	net.exe	66
PID 384 wrote to memory of 3656	384	net.exe	66
PID 384 wrote to memory of 3656	384	net.exe	66
PID 808 wrote to memory of 2640	808	net.exe	65
PID 808 wrote to memory of 2640	808	net.exe	65
PID 808 wrote to memory of 2640	808	net.exe	65
PID 2988 wrote to memory of 1508	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	70
PID 2988 wrote to memory of 1508	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	70
PID 2988 wrote to memory of 1508	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	70
PID 2988 wrote to memory of 3448	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	71
PID 2988 wrote to memory of 3448	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	71
PID 2988 wrote to memory of 3448	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	71
PID 2988 wrote to memory of 4076	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	73
PID 2988 wrote to memory of 4076	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	73
PID 2988 wrote to memory of 4076	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	73
PID 2988 wrote to memory of 2632	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	76
PID 2988 wrote to memory of 2632	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	76
PID 2988 wrote to memory of 2632	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	76
PID 2988 wrote to memory of 3260	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	78
PID 2988 wrote to memory of 3260	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	78
PID 2988 wrote to memory of 3260	2988	00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe	78
PID 2632 wrote to memory of 4260	2632	net.exe	80
PID 2632 wrote to memory of 4260	2632	net.exe	80
PID 2632 wrote to memory of 4260	2632	net.exe	80
PID 3260 wrote to memory of 4376	3260	net.exe	81
PID 3260 wrote to memory of 4376	3260	net.exe	81
PID 3260 wrote to memory of 4376	3260	net.exe	81
PID 2604 wrote to memory of 3372	2604	EBGTKjo.exe	82
PID 2604 wrote to memory of 3372	2604	EBGTKjo.exe	82
PID 2604 wrote to memory of 3372	2604	EBGTKjo.exe	82
PID 2604 wrote to memory of 3928	2604	EBGTKjo.exe	84
PID 2604 wrote to memory of 3928	2604	EBGTKjo.exe	84
PID 2604 wrote to memory of 3928	2604	EBGTKjo.exe	84
PID 2604 wrote to memory of 2652	2604	EBGTKjo.exe	83
PID 2604 wrote to memory of 2652	2604	EBGTKjo.exe	83
PID 2604 wrote to memory of 2652	2604	EBGTKjo.exe	83
PID 2604 wrote to memory of 3380	2604	EBGTKjo.exe	88
PID 2604 wrote to memory of 3380	2604	EBGTKjo.exe	88
PID 2604 wrote to memory of 3380	2604	EBGTKjo.exe	88
PID 2604 wrote to memory of 5092	2604	EBGTKjo.exe	91
PID 2604 wrote to memory of 5092	2604	EBGTKjo.exe	91
PID 2604 wrote to memory of 5092	2604	EBGTKjo.exe	91
PID 3380 wrote to memory of 5112	3380	net.exe	93
PID 3380 wrote to memory of 5112	3380	net.exe	93
PID 3380 wrote to memory of 5112	3380	net.exe	93
PID 5092 wrote to memory of 5068	5092	net.exe	94
PID 5092 wrote to memory of 5068	5092	net.exe	94

C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
"C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe
  "C:\Users\Admin\AppData\Local\Temp\00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\EBGTKjo.exe
    "C:\Users\Admin\AppData\Local\Temp\EBGTKjo.exe" 8 LAN
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\EBGTKjo.exe
      "C:\Users\Admin\AppData\Local\Temp\EBGTKjo.exe" 8 LAN
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\*" /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:3372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "D:\*" /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:3928
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3380
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        6⤵
        
        PID:5112
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5092
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:5068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 6764
        5⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:40468
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:3656
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1508
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:4260
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:4376
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:40764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:40812
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:40852
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:40904
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:85808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:87100
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:86236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:87116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2604 -ip 2604
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:39164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2604-141-0x0000000030000000-0x0000000030172000-memory.dmp

Filesize
1.4MB

Download
memory/2988-134-0x0000000030000000-0x0000000030172000-memory.dmp

Filesize
1.4MB

Download
memory/3756-130-0x00000000023C0000-0x00000000023F8000-memory.dmp

Filesize
224KB

Download
memory/3756-133-0x0000000002380000-0x00000000023B6000-memory.dmp

Filesize
216KB

Download