ryuk | 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335

General

Target

88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
Size

575KB
MD5

6cad2f7dc809b9353a31753a438aef4e
SHA1

459d816bb020f5da8257076a36d0ffd1f1f02d76
SHA256

88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335
SHA512

a67367990452bf21b7c0d0682c598422c78a5ed455a5d5e684d8fabb43366b0e9f9cd579a5f18123f6b1f97945f789904929838d1d893b70f450bfeafb243bb8

Score

10^/10

ryuk discovery ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1992 icacls.exe
932 icacls.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2116 3928 WerFault.exe 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe

pid	process
1992	icacls.exe
932	icacls.exe

pid	pid_target	process	target process
2116	3928	WerFault.exe	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2116 WerFault.exe
Token: SeBackupPrivilege 2116 WerFault.exe
Token: SeDebugPrivilege 2116 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2116	WerFault.exe
Token: SeBackupPrivilege	2116	WerFault.exe
Token: SeDebugPrivilege	2116	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe

description	pid	process	target process
PID 3928 wrote to memory of 1992	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 3928 wrote to memory of 1992	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 3928 wrote to memory of 1992	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 3928 wrote to memory of 932	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 3928 wrote to memory of 932	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 3928 wrote to memory of 932	3928	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
"C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1992

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 652
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\Users\Public\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
memory/932-3-0x0000000000000000-mapping.dmp

Download
memory/1992-2-0x0000000000000000-mapping.dmp

Download
memory/2116-4-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing