ryuk | 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

General

Target

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
Size

144KB
MD5

89895cf4c88f13e5797aab63dddf1078
SHA1

1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512

d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'UWUEbcQLr'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1544	1073r.exe
1540	wjkfIFenUlan.exe
764	dlkypkltUlan.exe

Loads dropped DLL 6 IoCs

pid	Process
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
528	icacls.exe
396	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1544	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	29
PID 1640 wrote to memory of 1544	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	29
PID 1640 wrote to memory of 1544	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	29
PID 1640 wrote to memory of 1544	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	29
PID 1640 wrote to memory of 1540	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	30
PID 1640 wrote to memory of 1540	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	30
PID 1640 wrote to memory of 1540	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	30
PID 1640 wrote to memory of 1540	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	30
PID 1640 wrote to memory of 764	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	31
PID 1640 wrote to memory of 764	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	31
PID 1640 wrote to memory of 764	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	31
PID 1640 wrote to memory of 764	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	31
PID 1640 wrote to memory of 396	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	32
PID 1640 wrote to memory of 396	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	32
PID 1640 wrote to memory of 396	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	32

C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
"C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\1073r.exe
  "C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\wjkfIFenUlan.exe
  "C:\Users\Admin\AppData\Local\Temp\wjkfIFenUlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\dlkypkltUlan.exe
  "C:\Users\Admin\AppData\Local\Temp\dlkypkltUlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:396
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:528
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2840
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2884
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1716
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-60-0x00000000769B1000-0x00000000769B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing