ryuk | f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0

General

Target

f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
Size

123KB
MD5

e371e72f85e66bbce078bcd1bee7e4a7
SHA1

d5231df9c4bc1e7e438a382a6a143362ced25476
SHA256

f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0
SHA512

8ec28f15e90d20b31f1ef702f00f8b66e46fab60faff4a0a666e8efa56e0285cb1cdc87a2106e2a7f39ce3d2b429fbc757704c0a4747bbc9305b39106a0c3cda

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'tKPGaxUEJ1'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1204	dbQTRqNdDrep.exe
1820	GZjUXsPmWlan.exe
880	tcLXJSHjUlan.exe

Loads dropped DLL 6 IoCs

pid	Process
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
30280	icacls.exe
30288	icacls.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RyukReadMe.html	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1204	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	27
PID 1480 wrote to memory of 1204	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	27
PID 1480 wrote to memory of 1204	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	27
PID 1480 wrote to memory of 1204	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	27
PID 1480 wrote to memory of 1820	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	30
PID 1480 wrote to memory of 1820	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	30
PID 1480 wrote to memory of 1820	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	30
PID 1480 wrote to memory of 1820	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	30
PID 1480 wrote to memory of 880	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	31
PID 1480 wrote to memory of 880	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	31
PID 1480 wrote to memory of 880	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	31
PID 1480 wrote to memory of 880	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	31
PID 1480 wrote to memory of 30280	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	32
PID 1480 wrote to memory of 30280	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	32
PID 1480 wrote to memory of 30280	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	32
PID 1480 wrote to memory of 30280	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	32
PID 1480 wrote to memory of 30288	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	33
PID 1480 wrote to memory of 30288	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	33
PID 1480 wrote to memory of 30288	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	33
PID 1480 wrote to memory of 30288	1480	f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe	33

C:\Users\Admin\AppData\Local\Temp\f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe
"C:\Users\Admin\AppData\Local\Temp\f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\dbQTRqNdDrep.exe
  "C:\Users\Admin\AppData\Local\Temp\dbQTRqNdDrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Users\Admin\AppData\Local\Temp\GZjUXsPmWlan.exe
  "C:\Users\Admin\AppData\Local\Temp\GZjUXsPmWlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Users\Admin\AppData\Local\Temp\tcLXJSHjUlan.exe
  "C:\Users\Admin\AppData\Local\Temp\tcLXJSHjUlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:30280
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:30288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing