ryuk | d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488

General

Target

d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe
Size

140KB
MD5

c0f972c5e033c0b4dc268a805cfa16a2
SHA1

a3f38579feb14d3b20289e453b41d88232145f68
SHA256

d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488
SHA512

de7803c4119355be7e06616abbfbf44b4ee23ba2caa987b630ad520126187c1f9eb2308f0ba5ba51cc8287fa75e5251d4e9d5ad940e8beb90b97f65d4890ca47

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '3y5fSfK'; $torlink = 'http://ojaiemvqphz6dgg7gncqpdlbx2aoisftpwvrhda67uth6ncuax2ghyad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ojaiemvqphz6dgg7gncqpdlbx2aoisftpwvrhda67uth6ncuax2ghyad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 2 IoCs

pid	Process
892	FowgzSvUJrep.exe
432	aPQiBbtlZlan.exe

Loads dropped DLL 4 IoCs

pid	Process
1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe
1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe
1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe
1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
860	icacls.exe
1016	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 892	1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe	30
PID 1188 wrote to memory of 892	1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe	30
PID 1188 wrote to memory of 892	1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe	30
PID 1188 wrote to memory of 892	1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe	30
PID 1188 wrote to memory of 432	1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe	31
PID 1188 wrote to memory of 432	1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe	31
PID 1188 wrote to memory of 432	1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe	31
PID 1188 wrote to memory of 432	1188	d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe	31

C:\Users\Admin\AppData\Local\Temp\d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe
"C:\Users\Admin\AppData\Local\Temp\d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\FowgzSvUJrep.exe
  "C:\Users\Admin\AppData\Local\Temp\FowgzSvUJrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Users\Admin\AppData\Local\Temp\aPQiBbtlZlan.exe
  "C:\Users\Admin\AppData\Local\Temp\aPQiBbtlZlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Users\Admin\AppData\Local\Temp\JdYNxTfxGlan.exe
  "C:\Users\Admin\AppData\Local\Temp\JdYNxTfxGlan.exe" 8 LAN
  2⤵
  PID:1160
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:860
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1016
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3000
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1092
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2688
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
1⤵
PID:2896

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
1⤵
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-53-0x00000000762A1000-0x00000000762A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing