26f90bcfd6a4439369da73ceebea471fdc8d5cdaca9c1ce260b43b3410ef77d2

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe
Size

161KB
MD5

b955a003f7365e8c50687d0901d9dbf8
SHA1

760314c901d81a85f74213185d2a28eec4f2007b
SHA256

26f90bcfd6a4439369da73ceebea471fdc8d5cdaca9c1ce260b43b3410ef77d2
SHA512

50395286d5b5e65538cfb7c15c46cb5c718ea106571fe6700c123e3e974dd6a5520971699daa0c4b762f2e1e5d9e334b37fac2260e8f2b84abed8a4cb8b03061
SSDEEP

3072:DzpdNvL55JguE/075wkp/rJWT2fmFSYaz86VFbBBJfq9YaQ6OvL8:HT955Jxi07T5rJBfmI0X

Score

8^/10

defense_evasion discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 3 IoCs

exploit

Processes:

icacls.exetakeown.exeicacls.exe

pid	Process
5108	icacls.exe
3964	takeown.exe
4868	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exe

pid	Process
3964	takeown.exe
4868	icacls.exe
5108	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

Processes:

2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe

description	ioc	Process
File created	C:\Windows\system32\termsrv.dll	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

Processes:

2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe

description	ioc	Process
File created	C:\Windows\system32\termsrv.dll	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
2376	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
4544	timeout.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
3700	taskkill.exe
2284	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

takeown.exetaskkill.exetaskkill.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	3964	takeown.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.execmd.execmd.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 4520 wrote to memory of 4692	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	83
PID 4520 wrote to memory of 4692	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	83
PID 4520 wrote to memory of 3964	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	85
PID 4520 wrote to memory of 3964	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	85
PID 4520 wrote to memory of 4868	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	87
PID 4520 wrote to memory of 4868	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	87
PID 4520 wrote to memory of 5108	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	89
PID 4520 wrote to memory of 5108	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	89
PID 4520 wrote to memory of 2656	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	91
PID 4520 wrote to memory of 2656	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	91
PID 2656 wrote to memory of 2820	2656	cmd.exe	93
PID 2656 wrote to memory of 2820	2656	cmd.exe	93
PID 2820 wrote to memory of 2376	2820	cmd.exe	94
PID 2820 wrote to memory of 2376	2820	cmd.exe	94
PID 2656 wrote to memory of 3692	2656	cmd.exe	95
PID 2656 wrote to memory of 3692	2656	cmd.exe	95
PID 3692 wrote to memory of 3700	3692	cmd.exe	96
PID 3692 wrote to memory of 3700	3692	cmd.exe	96
PID 4520 wrote to memory of 2284	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	98
PID 4520 wrote to memory of 2284	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	98
PID 4520 wrote to memory of 3640	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	100
PID 4520 wrote to memory of 3640	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	100
PID 3640 wrote to memory of 3736	3640	net.exe	102
PID 3640 wrote to memory of 3736	3640	net.exe	102
PID 4520 wrote to memory of 4196	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	103
PID 4520 wrote to memory of 4196	4520	2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe	103
PID 4196 wrote to memory of 4544	4196	cmd.exe	105
PID 4196 wrote to memory of 4544	4196	cmd.exe	105
PID 4196 wrote to memory of 2368	4196	cmd.exe	109
PID 4196 wrote to memory of 2368	4196	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies termsrv.dll
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SYSTEM32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Terminal server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  2⤵
  PID:4692
- C:\Windows\SYSTEM32\takeown.exe
  takeown /F "C:\Windows\system32\termsrv.dll"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\SYSTEM32\icacls.exe
  icacls "C:\Windows\system32\termsrv.dll" /grant Administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4868
- C:\Windows\SYSTEM32\icacls.exe
  icacls "C:\Windows\system32\termsrv.dll" /grant "Admin":F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Kill.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc queryex termservice
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\system32\sc.exe
      sc queryex termservice
      4⤵
      Launches sc.exe
      PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /pid 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\system32\taskkill.exe
      taskkill /pid 0 /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3700
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /f /fi "MODULES eq termsrv.dll"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\SYSTEM32\net.exe
  net start termservice
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start termservice
    3⤵
    PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Killme.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:4544
- - C:\Windows\system32\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\Killme.bat"
    3⤵
    PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kill.bat

Filesize
264B

MD5
cf7acc3b9a514d6334e2e6e349a93b05

SHA1
b9e2f3556ada80d1cbdb2f5d5108c9273a2f1d8d

SHA256
748422d881ae7da2a1767636f54502ac8045fdb681d27ecaebbdbdb7246d240e

SHA512
8a494de0b7bc23d90e51d883ff1468ef09355ccb60ee4ea606f918042153beee09c60d56478bb3aa9b15fd6f20ed8ef98ef6d747803f12dca2aa7b8930bfbae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Killme.bat

Filesize
132B

MD5
0ec0fa2b8c804ce48c8b60e4c6843868

SHA1
79da378ec6a7941be48552b17893daa964e06a03

SHA256
bfb0aa89ca798cd52234676246779783fe76a6bc08446e654d143fb513121511

SHA512
b0cc05add08d2c2ac3051160bb3a5cce847bc4ccb560901862aa6ccec571398a417cd515e77a4b85bf232b1e6503f76d23f8681d00794fdcd32724587f19186e

Download Submit
C:\Windows\System32\termsrv.dll

Filesize
1.1MB

MD5
d561c0be36137dfbc8c3979f8c7e06fd

SHA1
47f779199d91a1754d08ee56990a1be5cf5590ce

SHA256
59ed62a260d07d05d30dd788964208d2e284c61d62ac3a567ca498669abe975f

SHA512
45c50aad2451223663c83c92fe2d329df2cec5ccaed933b4351197e659f034a2c183438d1976ecbb656ec7890375b524204f60fcb32975f1159422fe473eb6e0

Download Submit