f81dcb0c4e066d914fb489331a2e7ba7e6036a23a887a2e979c9f8bb9735f6be

General

Target

2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Size

4.9MB
MD5

100df7e482ba8ae971b6b672d4371e04
SHA1

c981257b0cb79811690453eee6e197bc06ebecb5
SHA256

f81dcb0c4e066d914fb489331a2e7ba7e6036a23a887a2e979c9f8bb9735f6be
SHA512

dc2169087b790a3aacd64564c683874fad04eb702138285e7685e7079fdcea36d9cea022f54ce307a473fe2da9d0709bba0993843b88d74c07cd24c3e3c899a4
SSDEEP

98304:Kv3vuL2Y21b4MmrthsZFix0J4J/YzlvM:M3vuCYf/rthsDU0zlvM

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Deletes itself 1 IoCs

pid	Process
948	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
948	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGMRU	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4468	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	4468	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Token: SeSecurityPrivilege	4468	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Token: SeShutdownPrivilege	4468	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Token: SeBackupPrivilege	948	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Token: SeSecurityPrivilege	948	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
Token: SeShutdownPrivilege	948	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4468	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
948	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 948	4468	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe	100
PID 4468 wrote to memory of 948	4468	2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe	100

C:\Users\Admin\AppData\Local\Temp\2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe"
1⤵
- Modifies firewall policy service
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Local\Temp\2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe
  "2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe"
  2⤵
  - Modifies firewall policy service
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Filesize
1.9MB

MD5
9511ab05f3633f3bfff9ae4ad6df5a0f

SHA1
ae05a40598f6e9a809f533f1294dee85764b873c

SHA256
a60b46d2871cb5e97104362a92023267cd989fb464f5717dabaaabf775c80cb4

SHA512
e25ba285a6744a54c8900784a2208621fbd2160268b4e7ea068fe61be6446caf16030000613594e7ff21b7e09f976e9caaa67f2df41bfe9fd83823dbceb63403

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-19_100df7e482ba8ae971b6b672d4371e04_ryuk.exe

Filesize
792KB

MD5
f793510b7d2c7df5ec6a11925429457a

SHA1
5263761a182e50fb467389ffb1de477475163d89

SHA256
5013079678e676c8faad849d96047bec6bcf96e779797c46c1ab5843e639a4c9

SHA512
66ff6f454228409dce08c5d60fe52d84778b6698c469ef5f8300f971bf86c91ff9f611ff46d01c7d2f81d134f981d654bc7e3d9e167b7aa2683469febaf0a5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.dat

Filesize
12B

MD5
35f4c78ddcf2808dd67d5a20617fd7f0

SHA1
da9a8c19f1e539aee9dd0160b3f06c499f993b8f

SHA256
99eacd1d0c50ee8d0be66fe334ce0cb0a24bbfddf0b2f24360ffdfc1e0151b08

SHA512
a1d64d98e3d361ad223d0b0d402bc632e475cb35064e798736be88a63f3c5e50f69f40d7980bdcff09c74a5cfb9ea8a31c6f9139f8ddef2d5eb56ef44187089a

Download Submit
memory/948-29-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-24-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-39-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-37-0x00007FF6BAC80000-0x00007FF6BB176000-memory.dmp

Filesize
5.0MB

Download
memory/948-35-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-34-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-33-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-31-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-21-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-23-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-26-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-27-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-25-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-20-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/948-28-0x0000020B161B0000-0x0000020B166AD000-memory.dmp

Filesize
5.0MB

Download
memory/4468-10-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-9-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-19-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-3-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-15-0x00007FF764100000-0x00007FF7645F2000-memory.dmp

Filesize
4.9MB

Download
memory/4468-4-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-2-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-0-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-13-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-1-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-12-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-8-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-7-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-6-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download
memory/4468-5-0x00000211A4970000-0x00000211A4E66000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads