9673fd7dd5945f643996dd58e2ff4a178f536a8f69ad17d29b47319728a8ec67

General

Target

2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
Size

3.1MB
MD5

d0cceb5de3b6abf673d4939e7383d129
SHA1

12f9befb0b50b188c5c6067b3f0079864ae16c56
SHA256

9673fd7dd5945f643996dd58e2ff4a178f536a8f69ad17d29b47319728a8ec67
SHA512

44b63cc1a990385e54676f428d944fe2cb9b8accde7e887103279f809950cefd975cc561365cec59846905497b15c4cd436cd8cf8de50e019ff296ecdc8cafff
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCz:eEtl9mRda12sX7hKB8NIyXbacAfY

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\E:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\H:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\I:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\J:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\P:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\F:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\S:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\W:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\Q:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\Y:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\Z:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\A:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\K:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\L:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\M:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\N:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\V:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\X:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\B:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\G:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\O:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\T:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened (read-only)	\??\U:	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1988	2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3948302646-268491222-1934009652-1000\desktop.ini.exe

Filesize
3.1MB

MD5
6fe46c989f9126973565ef006dd1013a

SHA1
3c8ff335c3775c2ea7fbf4c070cd6949044ec4a1

SHA256
6f26c9fb38eec34daed94cc8ed02b7b1193694c8fa4d3d23d16ee12daeedbdf1

SHA512
0a81674ce02ed585d72f6f6d62375875ecd9cae6a15313931b028273585b36a13f9467336f15610e031292b28a05cb98eb812f74330c9ad25b95190028c97b77

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
3.9MB

MD5
e726be3e0db1907cd681b4570066063e

SHA1
130b1e4bc66f5ffbe7f820fb0fc3d7a02d23daa0

SHA256
8df37308d1d3369d3f1ed362cf1a600c7bf0acf0d9cedd1d5c42ec44f36b4102

SHA512
b4163a6e041a7f4ae55c4c9ff2f9952b20aa107e840e7cf26994e6f99762b08f28d98beb52ae3cc821f88f9f894dfc30660e9dd93f22ab1de7fcf828face6f83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
dcc40f9ec19d5839e03c53a64174f255

SHA1
35860cfcd66dce069fd1033a375f545f054437d9

SHA256
9d027c2833264e5e69cb73c3cace5b8667cf5857da44256fd0f2cdf823a1a868

SHA512
06a2b94b56a9720ce2868fce8c14fffdfd81ac091f17be638c8761dbcb444281a51c71d4c65a473bb8182c0c908f5275819d5d61222f576e4e9ff733ece2e5b1

Download Submit
memory/1988-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1988-55-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1988-106-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1988-107-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads