562079bb202157ab3a797f62c6c0b47fbcd8c559b5a00270f02f7f2e839bf81f

General

Target

2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Size

4.9MB
MD5

00c6b4db19a30896da570331ea3fd119
SHA1

cf2a2b0284473815efc6cb9ecd72b4e22cad5c2c
SHA256

562079bb202157ab3a797f62c6c0b47fbcd8c559b5a00270f02f7f2e839bf81f
SHA512

b6d446508d6a38c1d8f5713651611fb4d77259a9ac3df71bc09622c9eea898f21a6f802b5f70f8ccf53df6fb9e4549d80d64c7dba1ca619ba04cad8fbfc38ad3
SSDEEP

98304:PfTi8bQRknxqpBPIWcsLktc/sW5K35JrXH4d9RHmJn:PfZnxEBPIWD6PW8pJz4vRH

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Deletes itself 1 IoCs

pid	Process
2036	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
2036	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGMRU	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4100	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	4100	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeSecurityPrivilege	4100	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeShutdownPrivilege	4100	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeBackupPrivilege	2036	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeSecurityPrivilege	2036	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeShutdownPrivilege	2036	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4100	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
2036	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 2036	4100	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe	97
PID 4100 wrote to memory of 2036	4100	2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe	97

C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe"
1⤵
- Modifies firewall policy service
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
  "2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe"
  2⤵
  - Modifies firewall policy service
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Filesize
2.6MB

MD5
4558f4ca15afc85f3138d6b3c51e07d5

SHA1
9c1f5a922927a11b6550292e075b5fb4dfe06952

SHA256
513c1699ecb83c02bbfa2436e2356db7d692810b8213608dd271296ca6b93289

SHA512
148d2584656121dc0210c55c3c793c8c4f5ce12b59b6e8ebfe1252dd3472646e95017aae9d9d65eaccc93526f9a31a1e6714a858f2ad351c3d769248fb4bd51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Filesize
210KB

MD5
9e93dc185fa87982649ace5b38eeb8f3

SHA1
83282fa31153468b0bf97b90e7deca3aaa707c4a

SHA256
8ed6b8fea96e1faf78084719b0ecba5615bd6d05b3bbec662ddf88c8f5e2f031

SHA512
6e3cc38075a32218dcde9ab11d60f006a3e27a4b5bdaa852eed5c9b455ea1602bba6c5e8a5a043c12ebacf7b23fe66ba0790bfb515401c924bb0178f3accd67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.dat

Filesize
12B

MD5
35f4c78ddcf2808dd67d5a20617fd7f0

SHA1
da9a8c19f1e539aee9dd0160b3f06c499f993b8f

SHA256
99eacd1d0c50ee8d0be66fe334ce0cb0a24bbfddf0b2f24360ffdfc1e0151b08

SHA512
a1d64d98e3d361ad223d0b0d402bc632e475cb35064e798736be88a63f3c5e50f69f40d7980bdcff09c74a5cfb9ea8a31c6f9139f8ddef2d5eb56ef44187089a

Download Submit
memory/2036-28-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-26-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-39-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-36-0x00007FF606460000-0x00007FF606957000-memory.dmp

Filesize
5.0MB

Download
memory/2036-33-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-32-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-30-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-27-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-23-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-24-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-19-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-25-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-22-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/2036-21-0x00000274FCC00000-0x00000274FD0FC000-memory.dmp

Filesize
5.0MB

Download
memory/4100-12-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-0-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-20-0x00007FF6007E0000-0x00007FF600CD5000-memory.dmp

Filesize
5.0MB

Download
memory/4100-17-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-14-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-3-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-10-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-4-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-2-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-9-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-1-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-8-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-7-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-6-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download
memory/4100-5-0x0000027E9DBC0000-0x0000027E9E0B8000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads