ryuk | 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

Analysis

max time kernel
150s
max time network
112s
platform
windows7_x64
resource
win7v20201028
submitted
17-03-2021 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c68395e474088d5339972e2bf5a30f3c.bin.exe
Size

119KB
MD5

c68395e474088d5339972e2bf5a30f3c
SHA1

502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA256

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA512

5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1300	dNTkPKsTVrep.exe
1556	KXpCwHQxElan.exe
636	cLZzHNrpblan.exe

Loads dropped DLL 6 IoCs

pid	Process
1152	c68395e474088d5339972e2bf5a30f3c.bin.exe
1152	c68395e474088d5339972e2bf5a30f3c.bin.exe
1152	c68395e474088d5339972e2bf5a30f3c.bin.exe
1152	c68395e474088d5339972e2bf5a30f3c.bin.exe
1152	c68395e474088d5339972e2bf5a30f3c.bin.exe
1152	c68395e474088d5339972e2bf5a30f3c.bin.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2684	icacls.exe
2696	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PIXEL.INF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Damascus	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18181_.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACETXT.DLL	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105288.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107192.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107316.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01354_.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\SATIN.INF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00289_.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107734.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cancun	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00833_.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\ECLIPSE.INF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.MMW	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00686_.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02389_.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02957_.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14513_.GIF	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Currie	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\RyukReadMe.html	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	c68395e474088d5339972e2bf5a30f3c.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf	c68395e474088d5339972e2bf5a30f3c.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1152	c68395e474088d5339972e2bf5a30f3c.bin.exe
1152	c68395e474088d5339972e2bf5a30f3c.bin.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1300	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	29
PID 1152 wrote to memory of 1300	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	29
PID 1152 wrote to memory of 1300	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	29
PID 1152 wrote to memory of 1300	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	29
PID 1152 wrote to memory of 1556	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	30
PID 1152 wrote to memory of 1556	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	30
PID 1152 wrote to memory of 1556	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	30
PID 1152 wrote to memory of 1556	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	30
PID 1152 wrote to memory of 636	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	31
PID 1152 wrote to memory of 636	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	31
PID 1152 wrote to memory of 636	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	31
PID 1152 wrote to memory of 636	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	31
PID 1152 wrote to memory of 2684	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	32
PID 1152 wrote to memory of 2684	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	32
PID 1152 wrote to memory of 2684	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	32
PID 1152 wrote to memory of 2684	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	32
PID 1152 wrote to memory of 2696	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	35
PID 1152 wrote to memory of 2696	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	35
PID 1152 wrote to memory of 2696	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	35
PID 1152 wrote to memory of 2696	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	35
PID 1152 wrote to memory of 3192	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	36
PID 1152 wrote to memory of 3192	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	36
PID 1152 wrote to memory of 3192	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	36
PID 1152 wrote to memory of 3192	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	36
PID 1152 wrote to memory of 3336	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	38
PID 1152 wrote to memory of 3336	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	38
PID 1152 wrote to memory of 3336	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	38
PID 1152 wrote to memory of 3336	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	38
PID 3192 wrote to memory of 3420	3192	net.exe	41
PID 3192 wrote to memory of 3420	3192	net.exe	41
PID 3192 wrote to memory of 3420	3192	net.exe	41
PID 3192 wrote to memory of 3420	3192	net.exe	41
PID 1152 wrote to memory of 3408	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	40
PID 1152 wrote to memory of 3408	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	40
PID 1152 wrote to memory of 3408	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	40
PID 1152 wrote to memory of 3408	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	40
PID 3336 wrote to memory of 3428	3336	net.exe	42
PID 3336 wrote to memory of 3428	3336	net.exe	42
PID 3336 wrote to memory of 3428	3336	net.exe	42
PID 3336 wrote to memory of 3428	3336	net.exe	42
PID 1152 wrote to memory of 3464	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	45
PID 1152 wrote to memory of 3464	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	45
PID 1152 wrote to memory of 3464	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	45
PID 1152 wrote to memory of 3464	1152	c68395e474088d5339972e2bf5a30f3c.bin.exe	45
PID 3408 wrote to memory of 3516	3408	net.exe	47
PID 3408 wrote to memory of 3516	3408	net.exe	47
PID 3408 wrote to memory of 3516	3408	net.exe	47
PID 3408 wrote to memory of 3516	3408	net.exe	47
PID 3464 wrote to memory of 3524	3464	net.exe	46
PID 3464 wrote to memory of 3524	3464	net.exe	46
PID 3464 wrote to memory of 3524	3464	net.exe	46
PID 3464 wrote to memory of 3524	3464	net.exe	46

C:\Users\Admin\AppData\Local\Temp\c68395e474088d5339972e2bf5a30f3c.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c68395e474088d5339972e2bf5a30f3c.bin.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\dNTkPKsTVrep.exe
  "C:\Users\Admin\AppData\Local\Temp\dNTkPKsTVrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Users\Admin\AppData\Local\Temp\KXpCwHQxElan.exe
  "C:\Users\Admin\AppData\Local\Temp\KXpCwHQxElan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\cLZzHNrpblan.exe
  "C:\Users\Admin\AppData\Local\Temp\cLZzHNrpblan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2684
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2696
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3420
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3428
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3516
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1152-10-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download