ryuk | b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

General

Target

b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
Size

147KB
MD5

6c0bb20e1158593211a7cbcbacb3dd83
SHA1

3a74a3aafde31b4f129e515baabe9833bf359f8e
SHA256

b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9
SHA512

7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '2cvCR2CMQ1qi'; $torlink = 'http://hqcqsw6et744hz7tx7rudmerk6fjyifovm6upec4ceqjndbmu34vs6yd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://hqcqsw6et744hz7tx7rudmerk6fjyifovm6upec4ceqjndbmu34vs6yd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
564	1073r.exe
916	ZeKuVqTEblan.exe
544	epyZgEonMlan.exe

Loads dropped DLL 6 IoCs

pid	Process
468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1488	icacls.exe
1524	icacls.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\U:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\Q:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\H:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\T:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\K:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\G:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\E:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\M:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\L:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\I:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\Z:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\W:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\V:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\R:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\O:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\F:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\X:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\S:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\P:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\N:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\J:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 564	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	29
PID 468 wrote to memory of 564	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	29
PID 468 wrote to memory of 564	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	29
PID 468 wrote to memory of 564	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	29
PID 468 wrote to memory of 916	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	30
PID 468 wrote to memory of 916	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	30
PID 468 wrote to memory of 916	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	30
PID 468 wrote to memory of 916	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	30
PID 468 wrote to memory of 544	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	31
PID 468 wrote to memory of 544	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	31
PID 468 wrote to memory of 544	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	31
PID 468 wrote to memory of 544	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	31
PID 468 wrote to memory of 1488	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	32
PID 468 wrote to memory of 1488	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	32
PID 468 wrote to memory of 1488	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	32
PID 468 wrote to memory of 1488	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	32
PID 468 wrote to memory of 1524	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	33
PID 468 wrote to memory of 1524	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	33
PID 468 wrote to memory of 1524	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	33
PID 468 wrote to memory of 1524	468	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	33

C:\Users\Admin\AppData\Local\Temp\b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
"C:\Users\Admin\AppData\Local\Temp\b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\1073r.exe
  "C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Users\Admin\AppData\Local\Temp\ZeKuVqTEblan.exe
  "C:\Users\Admin\AppData\Local\Temp\ZeKuVqTEblan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Users\Admin\AppData\Local\Temp\epyZgEonMlan.exe
  "C:\Users\Admin\AppData\Local\Temp\epyZgEonMlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1488
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1524
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2112
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1792
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:432
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2288