ryuk | 60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

General

Target

bPQDRgviZlan.exe
Size

136KB
MD5

45295780f2ba837be42ccf50710bd2b5
SHA1

f937b1b7b3593a38702f870077658a891974edda
SHA256

60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025
SHA512

588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'spyZ3Hxws'; $torlink = 'http://smtpys6pvcvdvram6xucwecfv7rdhs6fmxzivrbcrncdeiphryhb75id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://smtpys6pvcvdvram6xucwecfv7rdhs6fmxzivrbcrncdeiphryhb75id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 2 IoCs

pid	Process
792	oXkmcHcGMrep.exe
1692	wwMzGyhcylan.exe

Loads dropped DLL 6 IoCs

pid	Process
1336	bPQDRgviZlan.exe
1336	bPQDRgviZlan.exe
1336	bPQDRgviZlan.exe
1336	bPQDRgviZlan.exe
1336	bPQDRgviZlan.exe
1336	bPQDRgviZlan.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1060	icacls.exe
368	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 792	1336	bPQDRgviZlan.exe	29
PID 1336 wrote to memory of 792	1336	bPQDRgviZlan.exe	29
PID 1336 wrote to memory of 792	1336	bPQDRgviZlan.exe	29
PID 1336 wrote to memory of 792	1336	bPQDRgviZlan.exe	29
PID 1336 wrote to memory of 1692	1336	bPQDRgviZlan.exe	30
PID 1336 wrote to memory of 1692	1336	bPQDRgviZlan.exe	30
PID 1336 wrote to memory of 1692	1336	bPQDRgviZlan.exe	30
PID 1336 wrote to memory of 1692	1336	bPQDRgviZlan.exe	30
PID 1336 wrote to memory of 388	1336	bPQDRgviZlan.exe	31
PID 1336 wrote to memory of 388	1336	bPQDRgviZlan.exe	31
PID 1336 wrote to memory of 388	1336	bPQDRgviZlan.exe	31
PID 1336 wrote to memory of 388	1336	bPQDRgviZlan.exe	31

C:\Users\Admin\AppData\Local\Temp\bPQDRgviZlan.exe
"C:\Users\Admin\AppData\Local\Temp\bPQDRgviZlan.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\oXkmcHcGMrep.exe
  "C:\Users\Admin\AppData\Local\Temp\oXkmcHcGMrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Users\Admin\AppData\Local\Temp\wwMzGyhcylan.exe
  "C:\Users\Admin\AppData\Local\Temp\wwMzGyhcylan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\TksiBiAAGlan.exe
  "C:\Users\Admin\AppData\Local\Temp\TksiBiAAGlan.exe" 8 LAN
  2⤵
  PID:388
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1060
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:368
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2044
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:2028
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:2100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
1⤵
PID:3068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
1⤵
PID:2956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-60-0x0000000075DE1000-0x0000000075DE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing