f81dcb0c4e066d914fb489331a2e7ba7e6036a23a887a2e979c9f8bb9735f6be

General

Target

2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Size

4.9MB
MD5

100df7e482ba8ae971b6b672d4371e04
SHA1

c981257b0cb79811690453eee6e197bc06ebecb5
SHA256

f81dcb0c4e066d914fb489331a2e7ba7e6036a23a887a2e979c9f8bb9735f6be
SHA512

dc2169087b790a3aacd64564c683874fad04eb702138285e7685e7079fdcea36d9cea022f54ce307a473fe2da9d0709bba0993843b88d74c07cd24c3e3c899a4
SSDEEP

98304:Kv3vuL2Y21b4MmrthsZFix0J4J/YzlvM:M3vuCYf/rthsDU0zlvM

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Deletes itself 1 IoCs

pid	Process
2008	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
2008	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGMRU	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2144	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2144	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Token: SeSecurityPrivilege	2144	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Token: SeShutdownPrivilege	2144	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Token: SeBackupPrivilege	2008	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Token: SeSecurityPrivilege	2008	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Token: SeShutdownPrivilege	2008	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2144	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
2008	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2008	2144	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe	28
PID 2144 wrote to memory of 2008	2144	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe	28
PID 2144 wrote to memory of 2008	2144	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe"
1⤵
- Modifies firewall policy service
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
  "2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe"
  2⤵
  - Modifies firewall policy service
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Filesize
512KB

MD5
af8333488115dc47a6bf55af04449137

SHA1
c034157a45c49a88c1bacd98c27cd2adb557c6f7

SHA256
0825b7870225d5a882eba6362dd51304e8c0ee899e139a3fdaabf789651a3288

SHA512
bc6249c838b2961808921e2675b61cc119fadffbe5f25f1e22bb423bc94813c0bf0fbb3531a3f2831b50bc1f51cbb865affb7cb5a5b1ea069a35c363a8430557

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Filesize
2.6MB

MD5
e83b88637169ce7b18eeb8884a3b2d5d

SHA1
27ce0aa554a3c7e0ebb2611348fb6819292a9ead

SHA256
5c408e16a8a0d6a65b25806e4ea2124cdb6c3f9fdaf2a5072ef489b8486c82c9

SHA512
8100b7f7e5a0ea4149a264ddeaf0c655e832cb4d6e27e9190577ac75865631f67adc99e9157b4073f5fe33a86ceebd2ac769cd33d993c6052e79481924ce17fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.dat

Filesize
12B

MD5
35f4c78ddcf2808dd67d5a20617fd7f0

SHA1
da9a8c19f1e539aee9dd0160b3f06c499f993b8f

SHA256
99eacd1d0c50ee8d0be66fe334ce0cb0a24bbfddf0b2f24360ffdfc1e0151b08

SHA512
a1d64d98e3d361ad223d0b0d402bc632e475cb35064e798736be88a63f3c5e50f69f40d7980bdcff09c74a5cfb9ea8a31c6f9139f8ddef2d5eb56ef44187089a

Download Submit
memory/2008-43-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-37-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-69-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-67-0x000000013FB30000-0x0000000140026000-memory.dmp

Filesize
5.0MB

Download
memory/2008-59-0x000007FFFFFA0000-0x000007FFFFFB0000-memory.dmp

Filesize
64KB

Download
memory/2008-57-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-45-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-46-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-41-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-40-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-39-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-38-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-36-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-32-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-34-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2008-35-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2144-30-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-28-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-3-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-25-0x000000013F0D0000-0x000000013F5C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-13-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-12-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-11-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-2-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-0-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-4-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-1-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-10-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-9-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-8-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-7-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-6-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download
memory/2144-5-0x0000000001FC0000-0x00000000024B7000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads