ryuk | d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

General

Target

UFCECfFhnlan.exe
Size

140KB
MD5

c0f972c5e033c0b4dc268a805cfa16a2
SHA1

a3f38579feb14d3b20289e453b41d88232145f68
SHA256

d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488
SHA512

de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '3y5fSfK'; $torlink = 'http://ojaiemvqphz6dgg7gncqpdlbx2aoisftpwvrhda67uth6ncuax2ghyad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ojaiemvqphz6dgg7gncqpdlbx2aoisftpwvrhda67uth6ncuax2ghyad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

gDlFAnykArep.exeAGvjHVxrLlan.exeVhUHVrKRflan.exe

pid process

1960 gDlFAnykArep.exe
3676 AGvjHVxrLlan.exe
2544 VhUHVrKRflan.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2860 icacls.exe
1420 icacls.exe

pid	process
1960	gDlFAnykArep.exe
3676	AGvjHVxrLlan.exe
2544	VhUHVrKRflan.exe

pid	process
2860	icacls.exe
1420	icacls.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

UFCECfFhnlan.exe

description	ioc	process
File opened (read-only)	\??\R:	UFCECfFhnlan.exe
File opened (read-only)	\??\J:	UFCECfFhnlan.exe
File opened (read-only)	\??\E:	UFCECfFhnlan.exe
File opened (read-only)	\??\X:	UFCECfFhnlan.exe
File opened (read-only)	\??\S:	UFCECfFhnlan.exe
File opened (read-only)	\??\Q:	UFCECfFhnlan.exe
File opened (read-only)	\??\O:	UFCECfFhnlan.exe
File opened (read-only)	\??\M:	UFCECfFhnlan.exe
File opened (read-only)	\??\I:	UFCECfFhnlan.exe
File opened (read-only)	\??\F:	UFCECfFhnlan.exe
File opened (read-only)	\??\W:	UFCECfFhnlan.exe
File opened (read-only)	\??\Y:	UFCECfFhnlan.exe
File opened (read-only)	\??\U:	UFCECfFhnlan.exe
File opened (read-only)	\??\Z:	UFCECfFhnlan.exe
File opened (read-only)	\??\T:	UFCECfFhnlan.exe
File opened (read-only)	\??\P:	UFCECfFhnlan.exe
File opened (read-only)	\??\N:	UFCECfFhnlan.exe
File opened (read-only)	\??\L:	UFCECfFhnlan.exe
File opened (read-only)	\??\K:	UFCECfFhnlan.exe
File opened (read-only)	\??\H:	UFCECfFhnlan.exe
File opened (read-only)	\??\G:	UFCECfFhnlan.exe
File opened (read-only)	\??\V:	UFCECfFhnlan.exe

Drops file in Program Files directory 17 IoCs

Processes:

UFCECfFhnlan.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\RyukReadMe.html	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.html	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\RyukReadMe.html	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.html	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\RyukReadMe.html	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RyukReadMe.html	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\RyukReadMe.html	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	UFCECfFhnlan.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RyukReadMe.html	UFCECfFhnlan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

UFCECfFhnlan.exe

pid process

736 UFCECfFhnlan.exe
736 UFCECfFhnlan.exe
736 UFCECfFhnlan.exe
736 UFCECfFhnlan.exe

pid	process
736	UFCECfFhnlan.exe
736	UFCECfFhnlan.exe
736	UFCECfFhnlan.exe
736	UFCECfFhnlan.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

UFCECfFhnlan.exe

description	pid	process	target process
PID 736 wrote to memory of 1960	736	UFCECfFhnlan.exe	gDlFAnykArep.exe
PID 736 wrote to memory of 1960	736	UFCECfFhnlan.exe	gDlFAnykArep.exe
PID 736 wrote to memory of 1960	736	UFCECfFhnlan.exe	gDlFAnykArep.exe
PID 736 wrote to memory of 3676	736	UFCECfFhnlan.exe	AGvjHVxrLlan.exe
PID 736 wrote to memory of 3676	736	UFCECfFhnlan.exe	AGvjHVxrLlan.exe
PID 736 wrote to memory of 3676	736	UFCECfFhnlan.exe	AGvjHVxrLlan.exe
PID 736 wrote to memory of 2544	736	UFCECfFhnlan.exe	VhUHVrKRflan.exe
PID 736 wrote to memory of 2544	736	UFCECfFhnlan.exe	VhUHVrKRflan.exe
PID 736 wrote to memory of 2544	736	UFCECfFhnlan.exe	VhUHVrKRflan.exe
PID 736 wrote to memory of 2860	736	UFCECfFhnlan.exe	icacls.exe
PID 736 wrote to memory of 2860	736	UFCECfFhnlan.exe	icacls.exe
PID 736 wrote to memory of 2860	736	UFCECfFhnlan.exe	icacls.exe
PID 736 wrote to memory of 1420	736	UFCECfFhnlan.exe	icacls.exe
PID 736 wrote to memory of 1420	736	UFCECfFhnlan.exe	icacls.exe
PID 736 wrote to memory of 1420	736	UFCECfFhnlan.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\UFCECfFhnlan.exe
"C:\Users\Admin\AppData\Local\Temp\UFCECfFhnlan.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\gDlFAnykArep.exe
"C:\Users\Admin\AppData\Local\Temp\gDlFAnykArep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\AppData\Local\Temp\AGvjHVxrLlan.exe
"C:\Users\Admin\AppData\Local\Temp\AGvjHVxrLlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:3676

C:\Users\Admin\AppData\Local\Temp\VhUHVrKRflan.exe
"C:\Users\Admin\AppData\Local\Temp\VhUHVrKRflan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2860

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
ef4f7747ff07d010fc040da223fdbc61

SHA1
2b89042ff0b635aa34ec32c0a2090cd4f781c9ae

SHA256
6a1c4bfe0368464c37652bb21a4eec21ee11f16b6f8a820c6696c6f7e5fe10c8

SHA512
0342ef5ca647586af05b99d5f82d264457d51ca44e8831acc9a1013db7ee98e2e86ef122733862f7492f0870a51136cf829978ab97ed14659f4d2d081d177a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGvjHVxrLlan.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGvjHVxrLlan.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhUHVrKRflan.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhUHVrKRflan.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\gDlFAnykArep.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\gDlFAnykArep.exe

MD5
c0f972c5e033c0b4dc268a805cfa16a2

SHA1
a3f38579feb14d3b20289e453b41d88232145f68

SHA256
d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

SHA512
de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Download Submit
memory/1420-124-0x0000000000000000-mapping.dmp

Download
memory/1960-114-0x0000000000000000-mapping.dmp

Download
memory/2544-120-0x0000000000000000-mapping.dmp

Download
memory/2860-123-0x0000000000000000-mapping.dmp

Download
memory/3676-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads