ryuk | 9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a

Analysis

max time kernel
43s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
05-03-2022 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
Size

444KB
MD5

1fe2b06f573c1809a79c14da0f26f605
SHA1

dc137d2c45d47d62449860f76f57dd85d34d122e
SHA256

9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a
SHA512

10070abdc4320702b3a76b229a41dc2118ec5bc42af488c5db7d3381f43f38b40f47a7b624ac623c0f8da76e5bb6f7922668ae2af6a1af8c464b82836b6c7ca1

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 2 IoCs

pid	Process
1716	AGTfHsO.exe
64	AGTfHsO.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	AGTfHsO.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3872	icacls.exe
1916	icacls.exe
5064	icacls.exe
5072	icacls.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 3776	1364	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	56
PID 1716 set thread context of 64	1716	AGTfHsO.exe	61

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
64	AGTfHsO.exe
64	AGTfHsO.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1364	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
1716	AGTfHsO.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
Token: SeBackupPrivilege	64	AGTfHsO.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1364	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
1716	AGTfHsO.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 3776	1364	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	56
PID 1364 wrote to memory of 3776	1364	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	56
PID 1364 wrote to memory of 3776	1364	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	56
PID 1364 wrote to memory of 3776	1364	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	56
PID 3776 wrote to memory of 1716	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	60
PID 3776 wrote to memory of 1716	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	60
PID 3776 wrote to memory of 1716	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	60
PID 1716 wrote to memory of 64	1716	AGTfHsO.exe	61
PID 1716 wrote to memory of 64	1716	AGTfHsO.exe	61
PID 1716 wrote to memory of 64	1716	AGTfHsO.exe	61
PID 1716 wrote to memory of 64	1716	AGTfHsO.exe	61
PID 3776 wrote to memory of 3088	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	62
PID 3776 wrote to memory of 3088	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	62
PID 3776 wrote to memory of 3088	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	62
PID 3776 wrote to memory of 1144	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	64
PID 3776 wrote to memory of 1144	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	64
PID 3776 wrote to memory of 1144	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	64
PID 3088 wrote to memory of 2568	3088	net.exe	66
PID 3088 wrote to memory of 2568	3088	net.exe	66
PID 3088 wrote to memory of 2568	3088	net.exe	66
PID 1144 wrote to memory of 2732	1144	net.exe	67
PID 1144 wrote to memory of 2732	1144	net.exe	67
PID 1144 wrote to memory of 2732	1144	net.exe	67
PID 3776 wrote to memory of 3872	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	69
PID 3776 wrote to memory of 3872	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	69
PID 3776 wrote to memory of 3872	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	69
PID 3776 wrote to memory of 1916	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	71
PID 3776 wrote to memory of 1916	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	71
PID 3776 wrote to memory of 1916	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	71
PID 3776 wrote to memory of 3876	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	73
PID 3776 wrote to memory of 3876	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	73
PID 3776 wrote to memory of 3876	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	73
PID 3776 wrote to memory of 1844	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	75
PID 3776 wrote to memory of 1844	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	75
PID 3776 wrote to memory of 1844	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	75
PID 1844 wrote to memory of 4052	1844	net.exe	77
PID 1844 wrote to memory of 4052	1844	net.exe	77
PID 1844 wrote to memory of 4052	1844	net.exe	77
PID 3776 wrote to memory of 3908	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	78
PID 3776 wrote to memory of 3908	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	78
PID 3776 wrote to memory of 3908	3776	9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe	78
PID 3908 wrote to memory of 4120	3908	net.exe	80
PID 3908 wrote to memory of 4120	3908	net.exe	80
PID 3908 wrote to memory of 4120	3908	net.exe	80
PID 64 wrote to memory of 5064	64	AGTfHsO.exe	82
PID 64 wrote to memory of 5064	64	AGTfHsO.exe	82
PID 64 wrote to memory of 5064	64	AGTfHsO.exe	82
PID 64 wrote to memory of 5072	64	AGTfHsO.exe	83
PID 64 wrote to memory of 5072	64	AGTfHsO.exe	83
PID 64 wrote to memory of 5072	64	AGTfHsO.exe	83
PID 64 wrote to memory of 5080	64	AGTfHsO.exe	84
PID 64 wrote to memory of 5080	64	AGTfHsO.exe	84
PID 64 wrote to memory of 5080	64	AGTfHsO.exe	84
PID 64 wrote to memory of 5076	64	AGTfHsO.exe	89
PID 64 wrote to memory of 5076	64	AGTfHsO.exe	89
PID 64 wrote to memory of 5076	64	AGTfHsO.exe	89
PID 5076 wrote to memory of 5136	5076	net.exe	91
PID 5076 wrote to memory of 5136	5076	net.exe	91
PID 5076 wrote to memory of 5136	5076	net.exe	91

C:\Users\Admin\AppData\Local\Temp\9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
"C:\Users\Admin\AppData\Local\Temp\9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe
  "C:\Users\Admin\AppData\Local\Temp\9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\AGTfHsO.exe
    "C:\Users\Admin\AppData\Local\Temp\AGTfHsO.exe" 8 LAN
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\AGTfHsO.exe
      "C:\Users\Admin\AppData\Local\Temp\AGTfHsO.exe" 8 LAN
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:64
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\*" /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:5064
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "D:\*" /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:5072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
        5⤵
        
        PID:5080
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:5136
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        
        PID:69540
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:70344
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop "samss" /y
        5⤵
        
        PID:148640
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "samss" /y
        6⤵
        
        PID:149292
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3872
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:4052
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:4120
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:51088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:52212
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:52740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:51088
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:141672
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:143264
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:142892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:143464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-143-0x0000000030000000-0x0000000030172000-memory.dmp

Filesize
1.4MB

Download
memory/1364-130-0x00000000005A0000-0x00000000005D7000-memory.dmp

Filesize
220KB

Download
memory/1364-134-0x0000000000550000-0x0000000000585000-memory.dmp

Filesize
212KB

Download
memory/1716-138-0x0000000002200000-0x0000000002237000-memory.dmp

Filesize
220KB

Download
memory/3776-135-0x0000000030000000-0x0000000030172000-memory.dmp

Filesize
1.4MB

Download