ryuk | 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

Analysis

max time kernel
106s
max time network
149s
platform
windows10_x64
resource
win10-en
submitted
13-09-2021 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
Size

144KB
MD5

89895cf4c88f13e5797aab63dddf1078
SHA1

1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512

d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'UWUEbcQLr'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
2652	1073r.exe
2284	AcUqEGUbPlan.exe
3384	KXwIrdoJllan.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3332	icacls.exe
3504	icacls.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\L:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\F:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\U:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\R:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\P:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\N:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\M:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\Z:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\X:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\V:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\I:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\H:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\G:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\E:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\Y:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\K:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\J:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\O:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\W:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\S:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\Q:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\AddBlock.avi	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\BackupRestore.vstx	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2652	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	76
PID 1664 wrote to memory of 2652	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	76
PID 1664 wrote to memory of 2652	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	76
PID 1664 wrote to memory of 2284	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	77
PID 1664 wrote to memory of 2284	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	77
PID 1664 wrote to memory of 2284	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	77
PID 1664 wrote to memory of 3384	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	78
PID 1664 wrote to memory of 3384	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	78
PID 1664 wrote to memory of 3384	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	78
PID 1664 wrote to memory of 3332	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	79
PID 1664 wrote to memory of 3332	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	79
PID 1664 wrote to memory of 3332	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	79
PID 1664 wrote to memory of 3504	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	81
PID 1664 wrote to memory of 3504	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	81
PID 1664 wrote to memory of 3504	1664	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	81

C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
"C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\1073r.exe
  "C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\AcUqEGUbPlan.exe
  "C:\Users\Admin\AppData\Local\Temp\AcUqEGUbPlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Users\Admin\AppData\Local\Temp\KXwIrdoJllan.exe
  "C:\Users\Admin\AppData\Local\Temp\KXwIrdoJllan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3332
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3504
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:2368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:528
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4184
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4412
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3236
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads