ryuk | d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2023 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MTM4OWYz.exe
Size

127KB
MD5

e8673c8a299d1647ead6f3da4565ac54
SHA1

71015f9c281038d63bf7cd45894550c1a26c6b53
SHA256

d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
SHA512

90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc
SSDEEP

3072:W/SfjQAr839SVK+DM590tfXQpr8WbkPnkaT3Tb0b:ySfjQAY39SVK+DM0tfXQfqv0

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	MTM4OWYz.exe

Executes dropped EXE 3 IoCs

pid	Process
4628	WTChKkIEnlan.exe
1364	UIWtBesmTlan.exe
3476	CegPfucaZlan.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3152	icacls.exe
3660	icacls.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	MTM4OWYz.exe
File opened for modification	C:\Program Files\RyukReadMe.html	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	MTM4OWYz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3760	MTM4OWYz.exe
3760	MTM4OWYz.exe
3760	MTM4OWYz.exe
3760	MTM4OWYz.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 4628	3760	MTM4OWYz.exe	90
PID 3760 wrote to memory of 4628	3760	MTM4OWYz.exe	90
PID 3760 wrote to memory of 4628	3760	MTM4OWYz.exe	90
PID 3760 wrote to memory of 1364	3760	MTM4OWYz.exe	91
PID 3760 wrote to memory of 1364	3760	MTM4OWYz.exe	91
PID 3760 wrote to memory of 1364	3760	MTM4OWYz.exe	91
PID 3760 wrote to memory of 3476	3760	MTM4OWYz.exe	92
PID 3760 wrote to memory of 3476	3760	MTM4OWYz.exe	92
PID 3760 wrote to memory of 3476	3760	MTM4OWYz.exe	92
PID 3760 wrote to memory of 3660	3760	MTM4OWYz.exe	94
PID 3760 wrote to memory of 3660	3760	MTM4OWYz.exe	94
PID 3760 wrote to memory of 3660	3760	MTM4OWYz.exe	94
PID 3760 wrote to memory of 3152	3760	MTM4OWYz.exe	93
PID 3760 wrote to memory of 3152	3760	MTM4OWYz.exe	93
PID 3760 wrote to memory of 3152	3760	MTM4OWYz.exe	93

C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe
"C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Users\Admin\AppData\Local\Temp\WTChKkIEnlan.exe
  "C:\Users\Admin\AppData\Local\Temp\WTChKkIEnlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\UIWtBesmTlan.exe
  "C:\Users\Admin\AppData\Local\Temp\UIWtBesmTlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\CegPfucaZlan.exe
  "C:\Users\Admin\AppData\Local\Temp\CegPfucaZlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3152
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
a3334dd1df7dc52149c07a558563272e

SHA1
4a649ab1d9351a619902cec9db452d19f87ed3f0

SHA256
c94a179747b06357d75238398d2b15442009dfe48d7de071df4a7576ce6f96bb

SHA512
7c6d535d61f1b704a8f183a73b188616ad2cf6efb8a7eff93dae8b5716f210fd55b549b5c2dcc6198cf2577b600f7a486784f0db46e06b315a34374d30d627dd

Download Submit
C:\PerfLogs\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CegPfucaZlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CegPfucaZlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIWtBesmTlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIWtBesmTlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WTChKkIEnlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WTChKkIEnlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WTChKkIEnlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\odt\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\odt\config.xml.RYK

Filesize
930B

MD5
b01fd9c14c529f6088dabe2e148011bf

SHA1
58b135b018085c326e628475a862a574660ffd41

SHA256
d9b8b59962d60b195dd1e0e58f34e3083f5ecff3d6d33ff0246ac6c08aa8e64a

SHA512
490cabd151372670c4ac568c86e3e0bf5b3b9a53accb769bb880ef86d65cb8fe4d7afbc72cab473e4acd48e1c5b714a820a9c7788b289ace50eef95ef734cb6f

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit