94717ff72ab2c2465df984bed7d3c81e0625ae27324f59e0aed6b5f9e428c3ef

General

Target

2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Size

4.9MB
MD5

af5d43475fb5a2cfb98d359d08df7fd1
SHA1

af757310b7d75513842e7b05d9ebe0855c88ee00
SHA256

94717ff72ab2c2465df984bed7d3c81e0625ae27324f59e0aed6b5f9e428c3ef
SHA512

4767b0407fb5cb617f56bcfc35863ae0537e06563bbd213b401c068053326092e4e9d1186f6702827fb547046c7c848f7fa07ddd78f235b6e0ccd25d2bc9df8e
SSDEEP

98304:KAsskRAdKvmGy0cljyi9vzlVkOekp/ekPjqgBE0d:OskRM3U0BV4kYmqQ9

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe

Deletes itself 1 IoCs

pid	Process
2600	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGMRU	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1540	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1540	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Token: SeSecurityPrivilege	1540	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Token: SeShutdownPrivilege	1540	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Token: SeBackupPrivilege	2600	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Token: SeSecurityPrivilege	2600	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
Token: SeShutdownPrivilege	2600	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1540	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
2600	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2600	1540	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe	28
PID 1540 wrote to memory of 2600	1540	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe	28
PID 1540 wrote to memory of 2600	1540	2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe"
1⤵
- Modifies firewall policy service
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe
  "2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe"
  2⤵
  - Modifies firewall policy service
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe

Filesize
1.3MB

MD5
09d16370f92906e1a534ac2475a353ac

SHA1
c62f5162e6ac57e789cdee209904bdbd303c671a

SHA256
3b10894413b49fea4f02e49bc00a02aa6620cc6222a9171022668aaeceeb8a4f

SHA512
56639b8e83335c2e0c2f92c8aaf73ad720742179ba0aba61dfd342520740ef146bc9f06ffb38a932b1e08c9b8280da7760f25d49a096783f74be2a7cad1815ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-28_af5d43475fb5a2cfb98d359d08df7fd1_ryuk.exe

Filesize
1.0MB

MD5
3b5cb38dae23f3d0e7fcef07392910c8

SHA1
2efee09a5af95151900761eb7366a5dc913dd0a0

SHA256
9ad4ccbede5f41fb591bec3db68a53d4a5c78c78846b49446850242a74a37936

SHA512
0412685e303d720118e023b2e5aa0bdaf4e8e8a62037ed1f35f2459fba52792820b41694b24070e5cd39a3b20287611f1dcb3179a024f981aae191a1c5772aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.dat

Filesize
12B

MD5
35f4c78ddcf2808dd67d5a20617fd7f0

SHA1
da9a8c19f1e539aee9dd0160b3f06c499f993b8f

SHA256
99eacd1d0c50ee8d0be66fe334ce0cb0a24bbfddf0b2f24360ffdfc1e0151b08

SHA512
a1d64d98e3d361ad223d0b0d402bc632e475cb35064e798736be88a63f3c5e50f69f40d7980bdcff09c74a5cfb9ea8a31c6f9139f8ddef2d5eb56ef44187089a

Download Submit
memory/1540-9-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-29-0x000000013F430000-0x000000013F921000-memory.dmp

Filesize
4.9MB

Download
memory/1540-5-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-6-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-8-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-0-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-7-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-10-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-11-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-12-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-2-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-1-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-27-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-3-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/1540-4-0x0000000001E00000-0x00000000022F5000-memory.dmp

Filesize
5.0MB

Download
memory/2600-28-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-35-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-31-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-34-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-36-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-37-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-32-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-30-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-40-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-33-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-41-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-42-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-51-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download
memory/2600-54-0x000007FFFFFA0000-0x000007FFFFFB0000-memory.dmp

Filesize
64KB

Download
memory/2600-63-0x000000013F5A0000-0x000000013FA90000-memory.dmp

Filesize
4.9MB

Download
memory/2600-65-0x0000000001FA0000-0x0000000002495000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads