ryuk | 6d2518918e5c6e5738338e1acebbdac572308585f39a3c61f82825c539e9c5e2

General

Target

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Size

119KB
MD5

c68395e474088d5339972e2bf5a30f3c
SHA1

502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA256

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA512

5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 2 IoCs

pid	Process
592	MQZCalWkTrep.exe
1724	ubLXnrukflan.exe

Loads dropped DLL 4 IoCs

pid	Process
1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 592	1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	29
PID 1888 wrote to memory of 592	1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	29
PID 1888 wrote to memory of 592	1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	29
PID 1888 wrote to memory of 592	1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	29
PID 1888 wrote to memory of 1724	1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30
PID 1888 wrote to memory of 1724	1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30
PID 1888 wrote to memory of 1724	1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30
PID 1888 wrote to memory of 1724	1888	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30

C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
"C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\MQZCalWkTrep.exe
  "C:\Users\Admin\AppData\Local\Temp\MQZCalWkTrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Users\Admin\AppData\Local\Temp\ubLXnrukflan.exe
  "C:\Users\Admin\AppData\Local\Temp\ubLXnrukflan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-2-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing