562079bb202157ab3a797f62c6c0b47fbcd8c559b5a00270f02f7f2e839bf81f

General

Target

2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Size

4.9MB
MD5

00c6b4db19a30896da570331ea3fd119
SHA1

cf2a2b0284473815efc6cb9ecd72b4e22cad5c2c
SHA256

562079bb202157ab3a797f62c6c0b47fbcd8c559b5a00270f02f7f2e839bf81f
SHA512

b6d446508d6a38c1d8f5713651611fb4d77259a9ac3df71bc09622c9eea898f21a6f802b5f70f8ccf53df6fb9e4549d80d64c7dba1ca619ba04cad8fbfc38ad3
SSDEEP

98304:PfTi8bQRknxqpBPIWcsLktc/sW5K35JrXH4d9RHmJn:PfZnxEBPIWD6PW8pJz4vRH

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Deletes itself 1 IoCs

pid	Process
2748	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
2748	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGMRU	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2184	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2184	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeSecurityPrivilege	2184	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeShutdownPrivilege	2184	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeBackupPrivilege	2748	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeSecurityPrivilege	2748	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeShutdownPrivilege	2748	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2184	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
2748	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2748	2184	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe	28
PID 2184 wrote to memory of 2748	2184	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe	28
PID 2184 wrote to memory of 2748	2184	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe"
1⤵
- Modifies firewall policy service
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
  "2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe"
  2⤵
  - Modifies firewall policy service
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Filesize
3.4MB

MD5
63167dbb70348b04efe5ea6fa0def24e

SHA1
4d6269c0e84b200a14d7eae5f70ed9fd8d7e3726

SHA256
04b4c2b721054628362070abbbf12844150cc457afdf9bf9bc1150e85d104765

SHA512
079ca19c103475f44eee6411509e0d5b61b0c9f287694851761b96b0c45fb7e8cefab2339097b427e19b9e8caf1018462c7985993225c9325b5f76fd280e4408

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Filesize
1.8MB

MD5
8484f95e364c475b7c41e6b178c7868b

SHA1
e860dd00ca257f9f545a79f5bcf102f6b13bfc2e

SHA256
e12d6d268987a13a05b06525b4e9fb5045c50de3b7a824ef344f34a9f03c64bd

SHA512
300578dfb83a6d4ab84267ebfacd144d672186d7d72c3ea0b453cc53050ce33e4cfb9b4f53a7d9d1dcc362c327098a52568ba6837598ff2c48e0ddef04bd4dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.dat

Filesize
12B

MD5
35f4c78ddcf2808dd67d5a20617fd7f0

SHA1
da9a8c19f1e539aee9dd0160b3f06c499f993b8f

SHA256
99eacd1d0c50ee8d0be66fe334ce0cb0a24bbfddf0b2f24360ffdfc1e0151b08

SHA512
a1d64d98e3d361ad223d0b0d402bc632e475cb35064e798736be88a63f3c5e50f69f40d7980bdcff09c74a5cfb9ea8a31c6f9139f8ddef2d5eb56ef44187089a

Download Submit
memory/2184-8-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-10-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-5-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-6-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-7-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-3-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-9-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-4-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-12-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-13-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-27-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-2-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-30-0x000000013F410000-0x000000013F905000-memory.dmp

Filesize
5.0MB

Download
memory/2184-0-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2184-1-0x0000000001C00000-0x00000000020FB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-29-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-33-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-34-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-35-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-36-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-37-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-38-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-40-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-32-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-31-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-42-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-43-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-54-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download
memory/2748-55-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download
memory/2748-64-0x000000013F960000-0x000000013FE57000-memory.dmp

Filesize
5.0MB

Download
memory/2748-66-0x0000000001CC0000-0x00000000021BB000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads