ryuk | 0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779

General

Target

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
Size

169KB
MD5

8d9db61a893f5919641a7b4005a78850
SHA1

fa768baedc9ca06f253ff993d2f4d0aee402959b
SHA256

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779
SHA512

cbc5f3ed290b1c7e8989cf820ec13d59af010b283cd66b76558953e786c9e867c5442e56331c49f8d084acd6af6792f0d57a7e234025b2cecc17c4151c85d0b4

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe

pid	process
1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe

description	pid	process
Token: SeDebugPrivilege	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
Token: SeBackupPrivilege	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1900 wrote to memory of 1144	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	taskhost.exe
PID 1900 wrote to memory of 1232	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	Dwm.exe
PID 1900 wrote to memory of 324	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 324	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 324	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 324	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 560	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 560	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 560	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 560	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 560 wrote to memory of 864	560	net.exe	net1.exe
PID 560 wrote to memory of 864	560	net.exe	net1.exe
PID 560 wrote to memory of 864	560	net.exe	net1.exe
PID 560 wrote to memory of 864	560	net.exe	net1.exe
PID 324 wrote to memory of 1884	324	net.exe	net1.exe
PID 324 wrote to memory of 1884	324	net.exe	net1.exe
PID 324 wrote to memory of 1884	324	net.exe	net1.exe
PID 324 wrote to memory of 1884	324	net.exe	net1.exe
PID 1900 wrote to memory of 1184	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 1184	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 1184	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 1184	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1184 wrote to memory of 1336	1184	net.exe	net1.exe
PID 1184 wrote to memory of 1336	1184	net.exe	net1.exe
PID 1184 wrote to memory of 1336	1184	net.exe	net1.exe
PID 1184 wrote to memory of 1336	1184	net.exe	net1.exe
PID 1900 wrote to memory of 1176	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 1176	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 1176	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 1176	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1176 wrote to memory of 816	1176	net.exe	net1.exe
PID 1176 wrote to memory of 816	1176	net.exe	net1.exe
PID 1176 wrote to memory of 816	1176	net.exe	net1.exe
PID 1176 wrote to memory of 816	1176	net.exe	net1.exe
PID 1900 wrote to memory of 3720	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 3720	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 3720	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 3720	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 3720 wrote to memory of 3744	3720	net.exe	net1.exe
PID 3720 wrote to memory of 3744	3720	net.exe	net1.exe
PID 3720 wrote to memory of 3744	3720	net.exe	net1.exe
PID 3720 wrote to memory of 3744	3720	net.exe	net1.exe
PID 1900 wrote to memory of 4956	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 4956	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 4956	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 4956	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 4956 wrote to memory of 4980	4956	net.exe	net1.exe
PID 4956 wrote to memory of 4980	4956	net.exe	net1.exe
PID 4956 wrote to memory of 4980	4956	net.exe	net1.exe
PID 4956 wrote to memory of 4980	4956	net.exe	net1.exe
PID 1900 wrote to memory of 8636	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 8636	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 8636	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 8636	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 8636 wrote to memory of 8664	8636	net.exe	net1.exe
PID 8636 wrote to memory of 8664	8636	net.exe	net1.exe
PID 8636 wrote to memory of 8664	8636	net.exe	net1.exe
PID 8636 wrote to memory of 8664	8636	net.exe	net1.exe
PID 1900 wrote to memory of 2104	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 2104	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 2104	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 1900 wrote to memory of 2104	1900	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 2104 wrote to memory of 1268	2104	net.exe	net1.exe
PID 2104 wrote to memory of 1268	2104	net.exe	net1.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
"C:\Users\Admin\AppData\Local\Temp\0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1884

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:864

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:816

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4980

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:8636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8664

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1268

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-56-0x0000000030000000-0x00000000302D1000-memory.dmp

Filesize
2.8MB

Download
memory/1900-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads