ryuk | 11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0

Analysis

max time kernel
4294206s
max time network
121s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
Size

122KB
MD5

bd0d931b21e4d8f85cea56b3e17b5f49
SHA1

e0c604bcf4dc48f5929d382f7af84b157ceb87db
SHA256

11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0
SHA512

a6d6f736e4b86e3544ede2b0a285639a20295de75b26b606add66504d7e238ae2439e6d9549bc0cd13cd8ff6917a481fb275761991444d70497a27c10f368d29

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1676	icacls.exe
1348	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cayman	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04369_.WMF	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\RyukReadMe.html	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\RyukReadMe.html	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200273.WMF	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\java.policy	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\VISSHE.DLL	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\RyukReadMe.html	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\PREVIEW.GIF	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jakarta	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086424.WMF	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\RyukReadMe.html	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105360.WMF	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183172.WMF	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Merida	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\RyukReadMe.html	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241037.WMF	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01849_.WMF	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\RyukReadMe.html	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\RyukReadMe.html	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\RyukReadMe.html	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msaddsr.dll.mui	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105502.WMF	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\RyukReadMe.html	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Flash.mpp	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\RyukReadMe.html	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\RyukReadMe.html	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00052_.GIF	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1676	1796	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe	29
PID 1796 wrote to memory of 1676	1796	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe	29
PID 1796 wrote to memory of 1676	1796	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe	29
PID 1796 wrote to memory of 1676	1796	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe	29
PID 1796 wrote to memory of 1348	1796	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe	31
PID 1796 wrote to memory of 1348	1796	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe	31
PID 1796 wrote to memory of 1348	1796	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe	31
PID 1796 wrote to memory of 1348	1796	11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe	31

C:\Users\Admin\AppData\Local\Temp\11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe
"C:\Users\Admin\AppData\Local\Temp\11a6f8c683b66a650f39b56daeaf4c826a8661805d5556bed5f2ee2de46e3ef0.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1676
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1796-54-0x0000000075CC1000-0x0000000075CC3000-memory.dmp

Filesize
8KB

Download