Analysis
max time kernel: 330s
max time network: 319s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 14-08-2024 03:00
Behavioral task: behavioral1
Sample: Ryuk .Net Ransomware Builder.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: Ryuk .Net Ransomware Builder.exe
Resource: win10v2004-20240802-en
General
Target: Ryuk .Net Ransomware Builder.exe
Size: 287KB
MD5: b20d5ada2e81683bda32aa80cd71c025
SHA1: 1ab3daa872761d887ef0be9ace528ee323201211
SHA256: 0d8b4a07e91e02335f600332644e8f0e504f75ab19899a58b2c85ecb0887c738
SHA512: 94da5ae4e43e6b0fdc8d0a83d8a3f2991a47b6e12f6781cc6aecb2d8d97a2d0da6dc456e3618c1a36697862e1a7a50b27a036b3569f33889452fe921c6981d91
SSDEEP: 3072:GVgr8/vRx5cCPaEy3YxB+DV0Ugr8/vfx:GSrS/yKrS
Malware Config
Extracted: C:\Users\Admin\Downloads\read_it.txt
Signatures
Chaos
Ransomware family first seen in June 2021.
Chaos Ransomware 5 IoCs
resource | yara_rule
behavioral1/memory/2388-1-0x0000000000010000-0x000000000005E000-memory.dmp | family_chaos
behavioral1/files/0x0006000000018b54-12.dat | family_chaos
behavioral1/files/0x0006000000018f82-20.dat | family_chaos
behavioral1/memory/844-22-0x0000000000160000-0x000000000016A000-memory.dmp | family_chaos
behavioral1/memory/1020-28-0x0000000000830000-0x000000000083A000-memory.dmp | family_chaos
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
Executes dropped EXE 2 IoCs
pid | Process
844 | dddd.exe
1020 | svchost.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe
Drops desktop.ini file(s) 14 IoCs
description | ioc | Process
File created | C:\Users\Admin\Desktop\desktop.ini | svchost.exe
File created | C:\Users\Admin\Contacts\desktop.ini | svchost.exe
File created | C:\Users\Admin\Documents\desktop.ini | svchost.exe
File created | C:\Users\Admin\Music\desktop.ini | svchost.exe
File created | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe
File created | C:\Users\Admin\Favorites\desktop.ini | svchost.exe
File created | C:\Users\Admin\Pictures\desktop.ini | svchost.exe
File created | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe
File created | F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini | svchost.exe
File created | C:\Users\Admin\Videos\desktop.ini | svchost.exe
File created | C:\Users\Admin\Links\desktop.ini | svchost.exe
File created | C:\Users\Admin\Downloads\desktop.ini | svchost.exe
File created | C:\Users\Admin\Favorites\Links for United States\desktop.ini | svchost.exe
File created | C:\Users\Admin\Searches\desktop.ini | svchost.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | Ryuk .Net Ransomware Builder.exe
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | Ryuk .Net Ransomware Builder.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 64 IoCs
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
2068 | NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1020 | svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
844 | dddd.exe
1020 | svchost.exe
1020 | svchost.exe
816 | taskmgr.exe (all remaining entries are identical)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2388 | Ryuk .Net Ransomware Builder.exe
816 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 844 | dddd.exe
Token: SeDebugPrivilege | 1020 | svchost.exe
Token: SeDebugPrivilege | 816 | taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
816 | taskmgr.exe (64 identical entries)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
816 | taskmgr.exe (64 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2388 | Ryuk .Net Ransomware Builder.exe
2388 | Ryuk .Net Ransomware Builder.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2388 wrote to memory of 2660 | 2388 | Ryuk .Net Ransomware Builder.exe | 30
PID 2388 wrote to memory of 2660 | 2388 | Ryuk .Net Ransomware Builder.exe | 30
PID 2388 wrote to memory of 2660 | 2388 | Ryuk .Net Ransomware Builder.exe | 30
PID 2660 wrote to memory of 2804 | 2660 | csc.exe | 32
PID 2660 wrote to memory of 2804 | 2660 | csc.exe | 32
PID 2660 wrote to memory of 2804 | 2660 | csc.exe | 32
PID 844 wrote to memory of 1020 | 844 | dddd.exe | 35
PID 844 wrote to memory of 1020 | 844 | dddd.exe | 35
PID 844 wrote to memory of 1020 | 844 | dddd.exe | 35
PID 1020 wrote to memory of 2068 | 1020 | svchost.exe | 37
PID 1020 wrote to memory of 2068 | 1020 | svchost.exe | 37
PID 1020 wrote to memory of 2068 | 1020 | svchost.exe | 37
Processes
C:\Users\Admin\AppData\Local\Temp\Ryuk .Net Ransomware Builder.exe (level 1, PID 2388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ryuk .Net Ransomware Builder.exe"
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (level 2, PID 2660)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f2p3uor3\f2p3uor3.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (level 3, PID 2804)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB52C.tmp" "c:\Users\Admin\Desktop\CSCB39A415F9C4F44DFA18A801699B89EB1.TMP"
C:\Users\Admin\Desktop\dddd.exe (level 1, PID 844)
  Command line: "C:\Users\Admin\Desktop\dddd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\svchost.exe (level 2, PID 1020)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\NOTEPAD.EXE (level 3, PID 2068)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
      - Opens file in notepad (likely ransom note)
C:\Windows\system32\taskmgr.exe (level 1, PID 816)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads