ryuk | d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

General

Target

mSRChoAYDlan.exe
Size

140KB
MD5

c0f972c5e033c0b4dc268a805cfa16a2
SHA1

a3f38579feb14d3b20289e453b41d88232145f68
SHA256

d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488
SHA512

de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '3y5fSfK'; $torlink = 'http://ojaiemvqphz6dgg7gncqpdlbx2aoisftpwvrhda67uth6ncuax2ghyad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ojaiemvqphz6dgg7gncqpdlbx2aoisftpwvrhda67uth6ncuax2ghyad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

qlpBZZqYXrep.exeWgnSkXXeolan.exenZVTuTxyglan.exe

pid process

2124 qlpBZZqYXrep.exe
3148 WgnSkXXeolan.exe
1276 nZVTuTxyglan.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2644 icacls.exe
2092 icacls.exe

pid	process
2124	qlpBZZqYXrep.exe
3148	WgnSkXXeolan.exe
1276	nZVTuTxyglan.exe

pid	process
2644	icacls.exe
2092	icacls.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mSRChoAYDlan.exe

description	ioc	process
File opened (read-only)	\??\O:	mSRChoAYDlan.exe
File opened (read-only)	\??\K:	mSRChoAYDlan.exe
File opened (read-only)	\??\I:	mSRChoAYDlan.exe
File opened (read-only)	\??\G:	mSRChoAYDlan.exe
File opened (read-only)	\??\W:	mSRChoAYDlan.exe
File opened (read-only)	\??\U:	mSRChoAYDlan.exe
File opened (read-only)	\??\T:	mSRChoAYDlan.exe
File opened (read-only)	\??\H:	mSRChoAYDlan.exe
File opened (read-only)	\??\Z:	mSRChoAYDlan.exe
File opened (read-only)	\??\R:	mSRChoAYDlan.exe
File opened (read-only)	\??\P:	mSRChoAYDlan.exe
File opened (read-only)	\??\N:	mSRChoAYDlan.exe
File opened (read-only)	\??\L:	mSRChoAYDlan.exe
File opened (read-only)	\??\J:	mSRChoAYDlan.exe
File opened (read-only)	\??\F:	mSRChoAYDlan.exe
File opened (read-only)	\??\Y:	mSRChoAYDlan.exe
File opened (read-only)	\??\X:	mSRChoAYDlan.exe
File opened (read-only)	\??\V:	mSRChoAYDlan.exe
File opened (read-only)	\??\S:	mSRChoAYDlan.exe
File opened (read-only)	\??\Q:	mSRChoAYDlan.exe
File opened (read-only)	\??\M:	mSRChoAYDlan.exe
File opened (read-only)	\??\E:	mSRChoAYDlan.exe

Drops file in Program Files directory 1 IoCs

Processes:

mSRChoAYDlan.exe

description ioc process

File opened for modification C:\Program Files\RyukReadMe.html mSRChoAYDlan.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

mSRChoAYDlan.exe

pid process

4044 mSRChoAYDlan.exe
4044 mSRChoAYDlan.exe
4044 mSRChoAYDlan.exe
4044 mSRChoAYDlan.exe

description	ioc	process
File opened for modification	C:\Program Files\RyukReadMe.html	mSRChoAYDlan.exe

pid	process
4044	mSRChoAYDlan.exe
4044	mSRChoAYDlan.exe
4044	mSRChoAYDlan.exe
4044	mSRChoAYDlan.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

mSRChoAYDlan.exe

description	pid	process	target process
PID 4044 wrote to memory of 2124	4044	mSRChoAYDlan.exe	qlpBZZqYXrep.exe
PID 4044 wrote to memory of 2124	4044	mSRChoAYDlan.exe	qlpBZZqYXrep.exe
PID 4044 wrote to memory of 2124	4044	mSRChoAYDlan.exe	qlpBZZqYXrep.exe
PID 4044 wrote to memory of 3148	4044	mSRChoAYDlan.exe	WgnSkXXeolan.exe
PID 4044 wrote to memory of 3148	4044	mSRChoAYDlan.exe	WgnSkXXeolan.exe
PID 4044 wrote to memory of 3148	4044	mSRChoAYDlan.exe	WgnSkXXeolan.exe
PID 4044 wrote to memory of 1276	4044	mSRChoAYDlan.exe	nZVTuTxyglan.exe
PID 4044 wrote to memory of 1276	4044	mSRChoAYDlan.exe	nZVTuTxyglan.exe
PID 4044 wrote to memory of 1276	4044	mSRChoAYDlan.exe	nZVTuTxyglan.exe
PID 4044 wrote to memory of 2644	4044	mSRChoAYDlan.exe	icacls.exe
PID 4044 wrote to memory of 2644	4044	mSRChoAYDlan.exe	icacls.exe
PID 4044 wrote to memory of 2644	4044	mSRChoAYDlan.exe	icacls.exe
PID 4044 wrote to memory of 2092	4044	mSRChoAYDlan.exe	icacls.exe
PID 4044 wrote to memory of 2092	4044	mSRChoAYDlan.exe	icacls.exe
PID 4044 wrote to memory of 2092	4044	mSRChoAYDlan.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\mSRChoAYDlan.exe
"C:\Users\Admin\AppData\Local\Temp\mSRChoAYDlan.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\qlpBZZqYXrep.exe
"C:\Users\Admin\AppData\Local\Temp\qlpBZZqYXrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:2124

C:\Users\Admin\AppData\Local\Temp\WgnSkXXeolan.exe
"C:\Users\Admin\AppData\Local\Temp\WgnSkXXeolan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:3148

C:\Users\Admin\AppData\Local\Temp\nZVTuTxyglan.exe
"C:\Users\Admin\AppData\Local\Temp\nZVTuTxyglan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1276

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2644

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
ef4f7747ff07d010fc040da223fdbc61

SHA1
2b89042ff0b635aa34ec32c0a2090cd4f781c9ae

SHA256
6a1c4bfe0368464c37652bb21a4eec21ee11f16b6f8a820c6696c6f7e5fe10c8

SHA512
0342ef5ca647586af05b99d5f82d264457d51ca44e8831acc9a1013db7ee98e2e86ef122733862f7492f0870a51136cf829978ab97ed14659f4d2d081d177a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgnSkXXeolan.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgnSkXXeolan.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nZVTuTxyglan.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nZVTuTxyglan.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlpBZZqYXrep.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlpBZZqYXrep.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
memory/1276-120-0x0000000000000000-mapping.dmp

Download
memory/2092-124-0x0000000000000000-mapping.dmp

Download
memory/2124-114-0x0000000000000000-mapping.dmp

Download
memory/2644-123-0x0000000000000000-mapping.dmp

Download
memory/3148-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing