ryuk | d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

Analysis

max time kernel
120s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2023 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91736.exe
Size

127KB
MD5

e8673c8a299d1647ead6f3da4565ac54
SHA1

71015f9c281038d63bf7cd45894550c1a26c6b53
SHA256

d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
SHA512

90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc
SSDEEP

3072:W/SfjQAr839SVK+DM590tfXQpr8WbkPnkaT3Tb0b:ySfjQAY39SVK+DM0tfXQfqv0

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

91736.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation 91736.exe
Executes dropped EXE 2 IoCs

Processes:

aBasDiheflan.exegLvFRYaJplan.exe

pid process

2804 aBasDiheflan.exe
1520 gLvFRYaJplan.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

4816 icacls.exe
1036 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	91736.exe

pid	process
2804	aBasDiheflan.exe
1520	gLvFRYaJplan.exe

pid	process
4816	icacls.exe
1036	icacls.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

91736.exe

description	pid	process	target process
PID 1264 wrote to memory of 2804	1264	91736.exe	aBasDiheflan.exe
PID 1264 wrote to memory of 2804	1264	91736.exe	aBasDiheflan.exe
PID 1264 wrote to memory of 2804	1264	91736.exe	aBasDiheflan.exe
PID 1264 wrote to memory of 1520	1264	91736.exe	gLvFRYaJplan.exe
PID 1264 wrote to memory of 1520	1264	91736.exe	gLvFRYaJplan.exe
PID 1264 wrote to memory of 1520	1264	91736.exe	gLvFRYaJplan.exe

C:\Users\Admin\AppData\Local\Temp\91736.exe
"C:\Users\Admin\AppData\Local\Temp\91736.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe
  "C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\gLvFRYaJplan.exe
  "C:\Users\Admin\AppData\Local\Temp\gLvFRYaJplan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Users\Admin\AppData\Local\Temp\rorGCcCOmlan.exe
  "C:\Users\Admin\AppData\Local\Temp\rorGCcCOmlan.exe" 8 LAN
  2⤵
  PID:2696
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4816
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
95cdf2269bdbf6ccdc336d698fe7e61c

SHA1
267506c0edb3f74a418263d87b12306cda600275

SHA256
5d924eb8b526e99d9c2685832807bfc35537d5724184e073d6dde13c4c1bc7fe

SHA512
dc42c959725c030767398cb280ba3289fb141e1046e977581744ca773188a3007807d9a948830e082249b34b0581868aeb279f7a4ffdc22e43ad78d63aa26058

Download Submit
C:\PerfLogs\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gLvFRYaJplan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gLvFRYaJplan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rorGCcCOmlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rorGCcCOmlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\odt\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\odt\config.xml.RYK

Filesize
930B

MD5
20fa81c3a561a9e642e350fdc0e694c7

SHA1
052cb273e3a55be73348f90289a67f80cc1eed51

SHA256
4054e7f64df7f9a4022a65ee801229c221673e9ef9bfc1519a2cc8a818d8c637

SHA512
105987525461e61baf86e464ec63d0c0b4a01c30df1be132c189fb0ca4b695414a406bdbfa2878b3ae33c04763720549581aae82a6d4378742c4761d710f1d0b

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit