Overview

overview

10

Static

static

ryuk.exe

windows7-x64

10

ryuk.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    96s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2022 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ryuk.exe

  • Size

    384KB

  • MD5

    5ac0f050f93f86e69026faea1fbb4450

  • SHA1

    9709774fde9ec740ad6fed8ed79903296ca9d571

  • SHA256

    23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

  • SHA512

    b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d

  • SSDEEP

    6144:f5yaXtrA/WSo1rl3ALrlHQpn0BwK3SBDmhYfFQC:fTX6WSofcZ+KCIGD

Score
10/10
ryukpersistenceransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Emails

WayneEvenson@protonmail.com

WayneEvenson@tutanota.com
Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1156
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
      • Modifies extensions of user files
      • Drops file in Program Files directory
      PID:1108
    • C:\Users\Admin\AppData\Local\Temp\ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\ryuk.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\users\Public\HlgEm.exe
        "C:\users\Public\HlgEm.exe" C:\Users\Admin\AppData\Local\Temp\ryuk.exe
        2⤵
        • Executes dropped EXE
        • Deletes itself
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\HlgEm.exe" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:932
          • C:\Windows\system32\reg.exe
            REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\HlgEm.exe" /f
            4⤵
            • Adds Run key to start application
            PID:1324
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResumeGrant.wmv"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:15940
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:28724
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x41c
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:35144

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac
        Filesize

        71KB

        MD5

        659a873e3705f1f29b3e90847dc59d19

        SHA1

        f509b0d6f6b61ead7a3e0bbc63cef289fe59eacd

        SHA256

        af996c80c23157d76eeeab1f6bed1084b2f5a1d14592989d5e432be99c1244cc

        SHA512

        7093de6e3008563c2bd4bdb98b961d09555ef26ba26723fe091e462bb945e2be853df467c603beed56f0d55925d66b9279bada71223bb243a6aaa5b01fda2d9a

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac
        Filesize

        3KB

        MD5

        9be3465e3848b5f184287f9fa377b18d

        SHA1

        52e0f4337fbe01ac44a8697e9c699ffd8423b26f

        SHA256

        e3c5cfff4579985c39296bfc7d40db65857862cd812705d3e77519f4edc359cb

        SHA512

        af88bd25243b64c730854d58a343bd47bb8a7290ab25217b855bb6aa07d4ada42d3d71e4588e99a7347288fed9061e4d0a61a7db1eb17bde02df539ca43b4cb2

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac
        Filesize

        1KB

        MD5

        b5d18ca82dd4b37db423c13d2c0d5421

        SHA1

        f8e343cf7dcdfd12688a13a76286d45b8152a622

        SHA256

        4147a312dfc5d3322a7ca4bc69e92d80718977544cea908b8393b840f531c6f4

        SHA512

        7554f44d04bc8b98e38a419ef9054b6acd0021dcce27372a4d581521ba7763f9af272ae9d83127c3fcd3c056a199a35225dbee72d2b908e07c0a23202d790778

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\meta\art\02_frenchtv.luac
        Filesize

        4KB

        MD5

        f2dad5a782bac4f149c39b08a71172f0

        SHA1

        2bacf2d7aa05d9911e8935abcb7d28bdc4bd274f

        SHA256

        4c4af8d08a7d095de4f20006c77666023e99ae3917baee6f5f11660414be6668

        SHA512

        8c451e80d757933b3abb5a65243284ffca30c7f97ee5adc0cbaa184b0956a6cc9a3b32e4b90575bdebe8cd96759a4a2a1ac08cd270ca3e7ff12ce55879d1d99a

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac
        Filesize

        1KB

        MD5

        fa882d5fb7f3949e52a6877435619001

        SHA1

        c2c8774a0c817a743dd854808fdc2a97da8b7389

        SHA256

        193470c183be5f04c91ec82b8b46b9a103e20c325d560e60505c6bb0550cbe0d

        SHA512

        f872d7a143c741b53645b3fe4cae3475448b36638528996eb139968920e09bab8cbcfc129b633d50d33e6af0d091209728eb478db1ea19a82e4247de441fc8e2

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac
        Filesize

        1KB

        MD5

        87128a9a20393b63d82a1eab52697215

        SHA1

        65bf41f98e725d9aaf4086d2c725ab2dc323ce88

        SHA256

        ac9935a504e3034ff21f65594bfcd0506e1c45a71dcf91da8c335cf146542666

        SHA512

        5cbb1b8c1f6228a2b05d89458e9eb7826f409891638608877f8f8d40ec71ed7515b1a65332c6b55cf0bf81d4ba1d871182eb566ed82cede96c299d1c75d80b44

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_streams.luac
        Filesize

        2KB

        MD5

        0c6b0f2c39319ba72d5bd4dc850d357e

        SHA1

        4735ea9e31cfdef00ceae0fadf6a83144a098be4

        SHA256

        c8d8dff3cece98dda6fc1a38075edebc4d4d9e42d9eeca39ca6f5cfb94a18656

        SHA512

        b5ed0247aba81d4f817f324599839635bafb76ad7e5f5a633a638ba3d01f37390eb6ca7c817db31bcf350dbf482f579c619b43249a7403bead4c53c2dfcd2f54

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac
        Filesize

        2KB

        MD5

        df62321f1f71d82c5fba3ab1846e0b21

        SHA1

        8598e7d0c22ae94ab2943b674fb33e1b74c1ee5d

        SHA256

        bac86dc063e6ed1703daf6c3150db0148eedf5da1ad3d605deea131d986c85bb

        SHA512

        6025b786654f0bcc0322fcbc6f8b8a4459fb4057d5cbe781973ea15e4fac6eb9044770ac95ef2eb0c238a655c2a7b6e02420cce050d53940b3340a72b9e29cdf

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac
        Filesize

        4KB

        MD5

        cc3d6acf2948a27750536625cb20d67e

        SHA1

        70e250634c71857a508fe0715f36b24771089e5e

        SHA256

        819421c3042dfb2d4a90837bd73bbb998dc12fface0567307c530b167634fa17

        SHA512

        db5df3743fa72ae6d45027cacfc0d9f87aa153de2cd4099eeb598a14b265747cb03e80909230248fdcae1417c454d461e92025950fcb6f2b3281546417b5d0c1

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac
        Filesize

        1KB

        MD5

        a917152ea8036d40e9cd640665afe17d

        SHA1

        5a96433df460b6769f21a0bf5a1150b99bf5b5f4

        SHA256

        4df562a9f197bc2a48078e76a3be4b83f1d9a710bef977641ea589143eccaa83

        SHA512

        5e4ab9a9594f5075df118ec9d8dfd5cb680b4088631e36e953d1b039d77c3f630a64866f881cc2c19a8602315e666a9d1ca47e61d171ba05cfde7f87b32fbdaa

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac
        Filesize

        5KB

        MD5

        ae078e836ef4e138c28b0be8fcb58f93

        SHA1

        097ad177e777c7653f77cfb2e90acaafe1109153

        SHA256

        8ab03901becfb3646c601e77ecb0c1abe517ba854c9e49ec3147e0b43ae5984c

        SHA512

        a2e1a5f5dfc0fde7df0edde553db8d572252da93d095b9e098ef49ef68e72d906406f816b3e2496eb9ce3c64b55cebb70892400932c066a41c7f6d67cbca1b8a

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\dailymotion.luac
        Filesize

        3KB

        MD5

        90ddf3555d69f39593679fc09c61d93a

        SHA1

        ee9ea884717a1bbdab023cda2ec6ca2827833ed1

        SHA256

        ab26d628bbdda0aae1059f6bd1572f8bf95a36e0b469fa43c258ea822465f9dc

        SHA512

        0f8c0eaadbc41b7cb001510cac2cd6c37fd33c48098eab627681353bc73f7a550c506dc67024e284fd73cc5c4385056728c4da119ace87441efb6f9c69bff660

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac
        Filesize

        3KB

        MD5

        11b5ae823aa5626a95f6656d80af60a9

        SHA1

        bfb989a8e2422b5cff3553461c7cf8d1c468e332

        SHA256

        ea217df7e54521e6342d4f338c71223418dcc17402bc341d585c8c1f23e3240c

        SHA512

        c1663f9d73503ab479c93f0c903291e27127f6b22ab3201acf64fead87b1b0e590378c37d91766c5f78b9fb4f789dd1ae09a836e2263731d6d5febb11a9bf278

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac
        Filesize

        3KB

        MD5

        b57e687796a333a3afef7d4aa05cfd02

        SHA1

        e4ad6cd69fe088c2b9fb45fc176e5120aa1245b1

        SHA256

        b885aa5354b89e535f67edda564c13adcb010e3ad241fe6e53b554093de1883c

        SHA512

        6efe04b3ad12e63004ce8020b53f32b40c500b600d23bde60f64dcc0a2c0634418e9847da250a53994d0c50e9ec50a4289a9ed5d3cc6a8b755e0125d8ae9c77d

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac
        Filesize

        2KB

        MD5

        777cb17d99ac3f1cb729e98056a2811d

        SHA1

        db3277185ecfae6d7793dd260218fc4831bc1b33

        SHA256

        baf101836289431ca1a5f602deb7ae6565d3cbd11e30a89a34e96a307c1ad3a0

        SHA512

        e13f41b91da13444592b34ce9a91747ece2ddf6e74499268bcba25930056a686e1bc5bec13cfbf60b3208a2abd9a7504ccda3f88b1d3ab7a48eb5e27e04331e5

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac
        Filesize

        2KB

        MD5

        e800489432a8bb8c3f2d0e7e52c7ab7e

        SHA1

        c25e98a24e4b3ae23ba09d12122bbc20f52209ae

        SHA256

        5fec668abdc8b995ff7a0ad4b48bbf8d2a5e10c0d39a448d73805bee66974da9

        SHA512

        4e5d3cc863b2834b3b6c5856bbc05faca74572e917a6de48052a73e1d639d6c51ce9af395b03e56d41fb24abd7d2e74602606f24dc489e97b407682326bd0572

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac
        Filesize

        1KB

        MD5

        fc776c05c6504eac2a2b37998ba2c0d9

        SHA1

        dde0ca26c1d1afe557c0020a9fa12569332c6b16

        SHA256

        234e9bc8d4c60193029b6c42775391b5d64a7702ad687070117b7c725edf60af

        SHA512

        b917ce8abb334b19bc84db652ab2a83db8289b400c4e7784b19868a748f89553a345bf480059c6ca95f58b3ad5815cecdf96d5e8c5000b70797369673614487e

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac
        Filesize

        3KB

        MD5

        1ba6e1d541a1e83f227128e89768e081

        SHA1

        f2fedf03e7ca2de31fbba2c82ab36a889dc1e8c4

        SHA256

        b487686ca1978cd21affd9524a2419ed43ef524ad199db4f5f2e2938f3a877a6

        SHA512

        554f0bc3228478e30774a92e3341c210eb3ab7fa08afa63cf303ac3b32b38c15a48803e9f54688dbc4c77ec1e893cbe50573aec48bb1e1c70b7d3333d780ef4a

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac
        Filesize

        5KB

        MD5

        2b681e45bf7beabede78b2a82abbb2aa

        SHA1

        54cb8e281cec6ad2810070bf6ec90a8ba9d55055

        SHA256

        f70c61ff4352c335d3e19e294baa98f3a5ba6a4ca208e12a6a116e077065cc82

        SHA512

        17d317fab3c8d9cc8fa232cb13cc203743eac816bed4fe6546fc654caf630b4f21a854066734440962b186f1050c2a25931083bff882cf269fe04464cf9c96c7

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac
        Filesize

        3KB

        MD5

        b44bf4e7661f5ab4317e50b6ce58ba3c

        SHA1

        effaf6bbf1422b43d77cd14ace395d4461d61a8d

        SHA256

        9f0909b4fb615f78ded34f4ea92121869663addcc960f8aa0b335e78b9e8d0a0

        SHA512

        440b7dd3ffee1d11849986918d1c2b1aa2b83ca419616462d2b056dbff5a603ee6092dae8eeb784f75d06657aa31af97934c2d3a7ce1e0e270a47eedc9cc76c8

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac
        Filesize

        1KB

        MD5

        6542c779545fef7e792a2431c09045f9

        SHA1

        08d247b73ada981be0e7b02b47e342c1cff0e029

        SHA256

        62fcdc0b97cb8bf4ddeb0465d6be9949bf6915383ebfe34adef8e08e8012bc25

        SHA512

        4394fc3980cf018b921d1a5c2d98e9dd6062f3c8d4a9be71000c4df1a52f74c403e16470b774853ea0f0eb16e6bd302c49509ff8ce4948f18374c514edd7501e

        Download Submit
      • C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac
        Filesize

        13KB

        MD5

        dc4ec50486e61b9241b6f32371b506ae

        SHA1

        ba413a4c71a1b70ee5f483769cb34d10bab5df09

        SHA256

        3b3acaae06fec4624bc64b5625f8a457790f3c3ea9c148dacc1cf8c1b5114cc9

        SHA512

        ba802754b05514c9405d5500284c7021bafb20fc3c1390e37f65d0b8072909faf18f37f1218f4be1ef5ee9445ab7f204cffd917fc34fe803e8aa944bafbd9da4

        Download Submit
      • C:\Program Files\VideoLAN\VLC\plugins\plugins.dat
        Filesize

        303KB

        MD5

        dc631f7ad52dca0e066744467f4b45f4

        SHA1

        8b4aa780d12ff1fa712a50c43dddf310eeeb30ca

        SHA256

        d1158d72d5dbd791cea17a76b86738b1d633ba8dfedb89870df99edcc2f78fcb

        SHA512

        0ab7123642180ad9b456da5830c7ced003ab9cdd84c93801b2f24b82b74ad59bb8428408c8b570858b7ab69247a79fc31ec5adf1670542dbdc92e2387216d520

        Download Submit
      • C:\Users\Admin\Desktop\ResumeGrant.wmv
        Filesize

        533KB

        MD5

        907a7794190479a3cbed7ba994e987b4

        SHA1

        94f0773f2417b4dcb345ab4ddbe782a0dc5e98e3

        SHA256

        4cfbfd2b9b866caa6563716ce146e1dd8e064b61d773aa9f25f2c301d6765346

        SHA512

        19d8a6540f0779838f10381c2a70b18f67ddcca02513bbefc21f45b27c07a3bb0af3d47aec589acd36fc07969f7258c7a2793daa4487b193ef492232ce827064

        Download Submit
      • C:\Users\Public\HlgEm.exe
        Filesize

        170KB

        MD5

        31bd0f224e7e74eee2847f43aae23974

        SHA1

        92e331e1e8ad30538f38dd7ba31386afafa14a58

        SHA256

        8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

        SHA512

        a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

        Download Submit
      • \Users\Public\HlgEm.exe
        Filesize

        170KB

        MD5

        31bd0f224e7e74eee2847f43aae23974

        SHA1

        92e331e1e8ad30538f38dd7ba31386afafa14a58

        SHA256

        8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

        SHA512

        a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

        Download Submit
      • memory/932-59-0x0000000000000000-mapping.dmp
        Download
      • memory/1108-63-0x000000013F9B0000-0x000000013FD3E000-memory.dmp
        Filesize

        3.6MB

        Download
      • memory/1108-60-0x000000013F9B0000-0x000000013FD3E000-memory.dmp
        Filesize

        3.6MB

        Download
      • memory/1108-66-0x000000013F9B0000-0x000000013FD3E000-memory.dmp
        Filesize

        3.6MB

        Download
      • memory/1324-62-0x0000000000000000-mapping.dmp
        Download
      • memory/1952-58-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1952-56-0x0000000000000000-mapping.dmp
        Download
      • memory/1968-54-0x0000000076141000-0x0000000076143000-memory.dmp
        Filesize

        8KB

        Download