ryuk | 0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779

General

Target

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
Size

169KB
MD5

8d9db61a893f5919641a7b4005a78850
SHA1

fa768baedc9ca06f253ff993d2f4d0aee402959b
SHA256

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779
SHA512

cbc5f3ed290b1c7e8989cf820ec13d59af010b283cd66b76558953e786c9e867c5442e56331c49f8d084acd6af6792f0d57a7e234025b2cecc17c4151c85d0b4

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe

pid	process
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
Token: SeBackupPrivilege	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
Token: SeShutdownPrivilege	4988	svchost.exe
Token: SeCreatePagefilePrivilege	4988	svchost.exe
Token: SeShutdownPrivilege	4988	svchost.exe
Token: SeCreatePagefilePrivilege	4988	svchost.exe
Token: SeShutdownPrivilege	4988	svchost.exe
Token: SeCreatePagefilePrivilege	4988	svchost.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 5024 wrote to memory of 2280	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	sihost.exe
PID 5024 wrote to memory of 2312	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	svchost.exe
PID 5024 wrote to memory of 3332	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 3332	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 3332	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 3332 wrote to memory of 3928	3332	net.exe	net1.exe
PID 3332 wrote to memory of 3928	3332	net.exe	net1.exe
PID 3332 wrote to memory of 3928	3332	net.exe	net1.exe
PID 5024 wrote to memory of 2432	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	taskhostw.exe
PID 5024 wrote to memory of 384	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 384	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 384	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 384 wrote to memory of 392	384	net.exe	net1.exe
PID 384 wrote to memory of 392	384	net.exe	net1.exe
PID 384 wrote to memory of 392	384	net.exe	net1.exe
PID 5024 wrote to memory of 744	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	svchost.exe
PID 5024 wrote to memory of 3252	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	DllHost.exe
PID 5024 wrote to memory of 3348	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	StartMenuExperienceHost.exe
PID 5024 wrote to memory of 3424	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	RuntimeBroker.exe
PID 5024 wrote to memory of 3516	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	SearchApp.exe
PID 5024 wrote to memory of 3848	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	RuntimeBroker.exe
PID 5024 wrote to memory of 4052	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	RuntimeBroker.exe
PID 5024 wrote to memory of 1408	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	backgroundTaskHost.exe
PID 5024 wrote to memory of 1480	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	backgroundTaskHost.exe
PID 5024 wrote to memory of 2208	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	RuntimeBroker.exe
PID 5024 wrote to memory of 1512	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	BackgroundTransferHost.exe
PID 5024 wrote to memory of 624	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 624	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 624	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 624 wrote to memory of 4776	624	net.exe	net1.exe
PID 624 wrote to memory of 4776	624	net.exe	net1.exe
PID 624 wrote to memory of 4776	624	net.exe	net1.exe
PID 5024 wrote to memory of 6484	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 6484	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 6484	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 6484 wrote to memory of 6536	6484	net.exe	net1.exe
PID 6484 wrote to memory of 6536	6484	net.exe	net1.exe
PID 6484 wrote to memory of 6536	6484	net.exe	net1.exe
PID 5024 wrote to memory of 6752	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 6752	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 6752	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 6752 wrote to memory of 6804	6752	net.exe	net1.exe
PID 6752 wrote to memory of 6804	6752	net.exe	net1.exe
PID 6752 wrote to memory of 6804	6752	net.exe	net1.exe
PID 5024 wrote to memory of 6992	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 6992	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 6992	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 6992 wrote to memory of 7044	6992	net.exe	net1.exe
PID 6992 wrote to memory of 7044	6992	net.exe	net1.exe
PID 6992 wrote to memory of 7044	6992	net.exe	net1.exe
PID 5024 wrote to memory of 6496	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 6496	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 5024 wrote to memory of 6496	5024	0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe	net.exe
PID 6496 wrote to memory of 6520	6496	net.exe	net1.exe
PID 6496 wrote to memory of 6520	6496	net.exe	net1.exe
PID 6496 wrote to memory of 6520	6496	net.exe	net1.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2312

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2432

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2208

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1480

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4052

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe
"C:\Users\Admin\AppData\Local\Temp\0db010c56aee75c099cbd415dd5b18bfdef64e95ea20cb27008106c167ff4779.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3928

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:392

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6536

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6804

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:7044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6520

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4988-130-0x000001F897D20000-0x000001F897D30000-memory.dmp

Filesize
64KB

Download
memory/4988-131-0x000001F897F40000-0x000001F897F50000-memory.dmp

Filesize
64KB

Download
memory/4988-132-0x000001F89A440000-0x000001F89A444000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads