ryuk | 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335

Analysis

Target

88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
Size

575KB
MD5

6cad2f7dc809b9353a31753a438aef4e
SHA1

459d816bb020f5da8257076a36d0ffd1f1f02d76
SHA256

88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335
SHA512

a67367990452bf21b7c0d0682c598422c78a5ed455a5d5e684d8fabb43366b0e9f9cd579a5f18123f6b1f97945f789904929838d1d893b70f450bfeafb243bb8

Score

10^/10

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

pid	Process
1992	icacls.exe
932	icacls.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2116	3928	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 13 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 1992	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	78
PID 3928 wrote to memory of 1992	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	78
PID 3928 wrote to memory of 1992	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	78
PID 3928 wrote to memory of 932	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	79
PID 3928 wrote to memory of 932	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	79
PID 3928 wrote to memory of 932	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	79

C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
"C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1992
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 652
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2116-4-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download