ryuk | d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

General

Target

mSRChoAYDlan.exe
Size

140KB
MD5

c0f972c5e033c0b4dc268a805cfa16a2
SHA1

a3f38579feb14d3b20289e453b41d88232145f68
SHA256

d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488
SHA512

de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '3y5fSfK'; $torlink = 'http://ojaiemvqphz6dgg7gncqpdlbx2aoisftpwvrhda67uth6ncuax2ghyad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ojaiemvqphz6dgg7gncqpdlbx2aoisftpwvrhda67uth6ncuax2ghyad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
2124	qlpBZZqYXrep.exe
3148	WgnSkXXeolan.exe
1276	nZVTuTxyglan.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2644	icacls.exe
2092	icacls.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	mSRChoAYDlan.exe
File opened (read-only)	\??\K:	mSRChoAYDlan.exe
File opened (read-only)	\??\I:	mSRChoAYDlan.exe
File opened (read-only)	\??\G:	mSRChoAYDlan.exe
File opened (read-only)	\??\W:	mSRChoAYDlan.exe
File opened (read-only)	\??\U:	mSRChoAYDlan.exe
File opened (read-only)	\??\T:	mSRChoAYDlan.exe
File opened (read-only)	\??\H:	mSRChoAYDlan.exe
File opened (read-only)	\??\Z:	mSRChoAYDlan.exe
File opened (read-only)	\??\R:	mSRChoAYDlan.exe
File opened (read-only)	\??\P:	mSRChoAYDlan.exe
File opened (read-only)	\??\N:	mSRChoAYDlan.exe
File opened (read-only)	\??\L:	mSRChoAYDlan.exe
File opened (read-only)	\??\J:	mSRChoAYDlan.exe
File opened (read-only)	\??\F:	mSRChoAYDlan.exe
File opened (read-only)	\??\Y:	mSRChoAYDlan.exe
File opened (read-only)	\??\X:	mSRChoAYDlan.exe
File opened (read-only)	\??\V:	mSRChoAYDlan.exe
File opened (read-only)	\??\S:	mSRChoAYDlan.exe
File opened (read-only)	\??\Q:	mSRChoAYDlan.exe
File opened (read-only)	\??\M:	mSRChoAYDlan.exe
File opened (read-only)	\??\E:	mSRChoAYDlan.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RyukReadMe.html	mSRChoAYDlan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4044	mSRChoAYDlan.exe
4044	mSRChoAYDlan.exe
4044	mSRChoAYDlan.exe
4044	mSRChoAYDlan.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 2124	4044	mSRChoAYDlan.exe	78
PID 4044 wrote to memory of 2124	4044	mSRChoAYDlan.exe	78
PID 4044 wrote to memory of 2124	4044	mSRChoAYDlan.exe	78
PID 4044 wrote to memory of 3148	4044	mSRChoAYDlan.exe	79
PID 4044 wrote to memory of 3148	4044	mSRChoAYDlan.exe	79
PID 4044 wrote to memory of 3148	4044	mSRChoAYDlan.exe	79
PID 4044 wrote to memory of 1276	4044	mSRChoAYDlan.exe	80
PID 4044 wrote to memory of 1276	4044	mSRChoAYDlan.exe	80
PID 4044 wrote to memory of 1276	4044	mSRChoAYDlan.exe	80
PID 4044 wrote to memory of 2644	4044	mSRChoAYDlan.exe	81
PID 4044 wrote to memory of 2644	4044	mSRChoAYDlan.exe	81
PID 4044 wrote to memory of 2644	4044	mSRChoAYDlan.exe	81
PID 4044 wrote to memory of 2092	4044	mSRChoAYDlan.exe	82
PID 4044 wrote to memory of 2092	4044	mSRChoAYDlan.exe	82
PID 4044 wrote to memory of 2092	4044	mSRChoAYDlan.exe	82

C:\Users\Admin\AppData\Local\Temp\mSRChoAYDlan.exe
"C:\Users\Admin\AppData\Local\Temp\mSRChoAYDlan.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\qlpBZZqYXrep.exe
  "C:\Users\Admin\AppData\Local\Temp\qlpBZZqYXrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\WgnSkXXeolan.exe
  "C:\Users\Admin\AppData\Local\Temp\WgnSkXXeolan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Users\Admin\AppData\Local\Temp\nZVTuTxyglan.exe
  "C:\Users\Admin\AppData\Local\Temp\nZVTuTxyglan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2644
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2092