ryuk | eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a

General

Target

eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe
Size

182KB
MD5

e3a6a47d619dc38d039270dde995e1f8
SHA1

494a15923bd9b0c2410f8d44930da53c0aa97f6d
SHA256

eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a
SHA512

1868bcc3e263dc1d6a3f0c5f7232c4c75360fcac19895f6709cf126a42a396962c30228a47b8784b9dfb8ca634350c46511f85a8423bd4b4e94f6357f9f5f10f

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe

pid	process
744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe
744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe
744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe

description pid process

Token: SeBackupPrivilege 744 eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe

description	pid	process
Token: SeBackupPrivilege	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 744 wrote to memory of 2088	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 2088	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 2088	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 2088	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 2156	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 2156	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 2156	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 2156	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 2088 wrote to memory of 2516	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2516	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2516	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2516	2088	net.exe	net1.exe
PID 2156 wrote to memory of 2508	2156	net.exe	net1.exe
PID 2156 wrote to memory of 2508	2156	net.exe	net1.exe
PID 2156 wrote to memory of 2508	2156	net.exe	net1.exe
PID 2156 wrote to memory of 2508	2156	net.exe	net1.exe
PID 744 wrote to memory of 4852	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 4852	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 4852	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 4852	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 4852 wrote to memory of 4880	4852	net.exe	net1.exe
PID 4852 wrote to memory of 4880	4852	net.exe	net1.exe
PID 4852 wrote to memory of 4880	4852	net.exe	net1.exe
PID 4852 wrote to memory of 4880	4852	net.exe	net1.exe
PID 744 wrote to memory of 8492	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 8492	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 8492	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 744 wrote to memory of 8492	744	eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe	net.exe
PID 8492 wrote to memory of 8516	8492	net.exe	net1.exe
PID 8492 wrote to memory of 8516	8492	net.exe	net1.exe
PID 8492 wrote to memory of 8516	8492	net.exe	net1.exe
PID 8492 wrote to memory of 8516	8492	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe
"C:\Users\Admin\AppData\Local\Temp\eb5b82d6f4b1150d3bb6a76102ab713ad05c2f4c2045bd53373e6fecae04f01a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2508

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4880

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:8492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-55-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing