ryuk | 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c

General

Target

08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
Size

192KB
MD5

38df8a5c21f7df368490f8a0a0e276f9
SHA1

564641f0da5a9365a748a9589535f3b9439e5cc9
SHA256

08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c
SHA512

2d3aaabd9f2d1fc4438ff31717dd53667b16acfa421c0364374135ed41360a1dee78d8f51ae588017c895c192f031bf13cbbaa67b1d240ddd86025ebc06be2cf

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

FYqNGGm.exe

pid process

648 FYqNGGm.exe

pid	process
648	FYqNGGm.exe

Loads dropped DLL 2 IoCs

Processes:

08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe

pid	process
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exeFYqNGGm.exe

pid	process
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
648	FYqNGGm.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
648	FYqNGGm.exe
648	FYqNGGm.exe
648	FYqNGGm.exe
648	FYqNGGm.exe
648	FYqNGGm.exe
648	FYqNGGm.exe
648	FYqNGGm.exe
648	FYqNGGm.exe
648	FYqNGGm.exe
648	FYqNGGm.exe
648	FYqNGGm.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
648	FYqNGGm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exeFYqNGGm.exe

description	pid	process
Token: SeBackupPrivilege	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
Token: SeBackupPrivilege	648	FYqNGGm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exeFYqNGGm.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1624 wrote to memory of 648	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	FYqNGGm.exe
PID 1624 wrote to memory of 648	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	FYqNGGm.exe
PID 1624 wrote to memory of 648	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	FYqNGGm.exe
PID 1624 wrote to memory of 648	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	FYqNGGm.exe
PID 648 wrote to memory of 1580	648	FYqNGGm.exe	net.exe
PID 648 wrote to memory of 1580	648	FYqNGGm.exe	net.exe
PID 648 wrote to memory of 1580	648	FYqNGGm.exe	net.exe
PID 648 wrote to memory of 1580	648	FYqNGGm.exe	net.exe
PID 1624 wrote to memory of 1700	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 1700	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 1700	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 1700	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 1292	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 1292	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 1292	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 1292	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 2076	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 2076	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 2076	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 2076	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 2092	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 2092	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 2092	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 2092	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 648 wrote to memory of 2100	648	FYqNGGm.exe	net.exe
PID 648 wrote to memory of 2100	648	FYqNGGm.exe	net.exe
PID 648 wrote to memory of 2100	648	FYqNGGm.exe	net.exe
PID 648 wrote to memory of 2100	648	FYqNGGm.exe	net.exe
PID 1580 wrote to memory of 2524	1580	net.exe	net1.exe
PID 1580 wrote to memory of 2524	1580	net.exe	net1.exe
PID 1580 wrote to memory of 2524	1580	net.exe	net1.exe
PID 1580 wrote to memory of 2524	1580	net.exe	net1.exe
PID 1700 wrote to memory of 2532	1700	net.exe	net1.exe
PID 2100 wrote to memory of 2540	2100	net.exe	net1.exe
PID 1700 wrote to memory of 2532	1700	net.exe	net1.exe
PID 1700 wrote to memory of 2532	1700	net.exe	net1.exe
PID 2100 wrote to memory of 2540	2100	net.exe	net1.exe
PID 1700 wrote to memory of 2532	1700	net.exe	net1.exe
PID 2100 wrote to memory of 2540	2100	net.exe	net1.exe
PID 2100 wrote to memory of 2540	2100	net.exe	net1.exe
PID 2092 wrote to memory of 2556	2092	net.exe	net1.exe
PID 2092 wrote to memory of 2556	2092	net.exe	net1.exe
PID 2092 wrote to memory of 2556	2092	net.exe	net1.exe
PID 2092 wrote to memory of 2556	2092	net.exe	net1.exe
PID 1292 wrote to memory of 2548	1292	net.exe	net1.exe
PID 1292 wrote to memory of 2548	1292	net.exe	net1.exe
PID 1292 wrote to memory of 2548	1292	net.exe	net1.exe
PID 1292 wrote to memory of 2548	1292	net.exe	net1.exe
PID 2076 wrote to memory of 2564	2076	net.exe	net1.exe
PID 2076 wrote to memory of 2564	2076	net.exe	net1.exe
PID 2076 wrote to memory of 2564	2076	net.exe	net1.exe
PID 2076 wrote to memory of 2564	2076	net.exe	net1.exe
PID 1624 wrote to memory of 22768	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 22768	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 22768	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 22768	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 22760	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 22760	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 22760	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 1624 wrote to memory of 22760	1624	08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe	net.exe
PID 22760 wrote to memory of 22812	22760	net.exe	net1.exe
PID 22760 wrote to memory of 22812	22760	net.exe	net1.exe
PID 22760 wrote to memory of 22812	22760	net.exe	net1.exe
PID 22760 wrote to memory of 22812	22760	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
"C:\Users\Admin\AppData\Local\Temp\08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\FYqNGGm.exe
"C:\Users\Admin\AppData\Local\Temp\FYqNGGm.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:2524

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:2540

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:37032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:37060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2532

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2548

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2556

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:22760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:22812

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:22768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:22820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:36964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:37004

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:36956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:37012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2329389628-4064185017-3901522362-1000\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
d5547d0b7ac270369e7ba33d1908dd8c

SHA1
173325c61b89559fbd13979b8e70513b5eb8b8b0

SHA256
90f75246c78cd00186f32764120cf51a60ba4c3039de41273aba82562dc52768

SHA512
eecc964b1e6cf4d2a8123ef76e053b9976999549b7f5aa6871d7a7a5ab8d9c0cbb465ac70c4c111adcf52f081e07e7b620fbcee6d9efe10ac2c8c1ffaebe2619

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYqNGGm.exe
MD5
38df8a5c21f7df368490f8a0a0e276f9

SHA1
564641f0da5a9365a748a9589535f3b9439e5cc9

SHA256
08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c

SHA512
2d3aaabd9f2d1fc4438ff31717dd53667b16acfa421c0364374135ed41360a1dee78d8f51ae588017c895c192f031bf13cbbaa67b1d240ddd86025ebc06be2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
9207bc35d851e473f9a1b245be0fbda0

SHA1
0346b460e5039afc7e0575ec5de40d45e15ca5a4

SHA256
e6ffa7f66d227958059162ac149e4c6d841afbdf7f52c6cf24d9dc2150485c24

SHA512
4491d89e47080cf5903ccd0937ad74484d3226553f828fa4acf3816d08ce4508b0123f3e1114cbf02665463d7bd67688673f0c01ac86edf05bc45decbd699f05

Download Submit
\Users\Admin\AppData\Local\Temp\FYqNGGm.exe
MD5
38df8a5c21f7df368490f8a0a0e276f9

SHA1
564641f0da5a9365a748a9589535f3b9439e5cc9

SHA256
08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c

SHA512
2d3aaabd9f2d1fc4438ff31717dd53667b16acfa421c0364374135ed41360a1dee78d8f51ae588017c895c192f031bf13cbbaa67b1d240ddd86025ebc06be2cf

Download Submit
\Users\Admin\AppData\Local\Temp\FYqNGGm.exe
MD5
38df8a5c21f7df368490f8a0a0e276f9

SHA1
564641f0da5a9365a748a9589535f3b9439e5cc9

SHA256
08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c

SHA512
2d3aaabd9f2d1fc4438ff31717dd53667b16acfa421c0364374135ed41360a1dee78d8f51ae588017c895c192f031bf13cbbaa67b1d240ddd86025ebc06be2cf

Download Submit
memory/1624-55-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads