ryuk | f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14

Analysis

max time kernel
165s
max time network
196s
platform
windows7_x64
resource
win7-en-20211208
submitted
20/02/2022, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
Size

116KB
MD5

9defe4fa3561d26e7d56ea9faab90602
SHA1

7ed8e87f01b5c4e4dd38e15d96d145e9fe95f91c
SHA256

f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14
SHA512

e6ff5c4db2d7d134bd51eabf9550f10aee1f578d44485cca03046ceb926fe348acba56df419f06b2cfeab4faacab097442e98cac985593f5ab865e7753ee9dda

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'Dmf2iVkD4d'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1616	nNumpQQTSrep.exe
668	IlubANuqWlan.exe
9764	BZpAEeVrQlan.exe

Loads dropped DLL 6 IoCs

pid	Process
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
34416	icacls.exe
34424	icacls.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\RyukReadMe.html	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 480 wrote to memory of 1616	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	27
PID 480 wrote to memory of 1616	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	27
PID 480 wrote to memory of 1616	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	27
PID 480 wrote to memory of 1616	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	27
PID 480 wrote to memory of 668	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	30
PID 480 wrote to memory of 668	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	30
PID 480 wrote to memory of 668	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	30
PID 480 wrote to memory of 668	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	30
PID 480 wrote to memory of 9764	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	31
PID 480 wrote to memory of 9764	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	31
PID 480 wrote to memory of 9764	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	31
PID 480 wrote to memory of 9764	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	31
PID 480 wrote to memory of 34416	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	32
PID 480 wrote to memory of 34416	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	32
PID 480 wrote to memory of 34416	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	32
PID 480 wrote to memory of 34416	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	32
PID 480 wrote to memory of 34424	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	34
PID 480 wrote to memory of 34424	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	34
PID 480 wrote to memory of 34424	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	34
PID 480 wrote to memory of 34424	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	34
PID 480 wrote to memory of 79696	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	38
PID 480 wrote to memory of 79696	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	38
PID 480 wrote to memory of 79696	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	38
PID 480 wrote to memory of 79696	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	38
PID 480 wrote to memory of 79704	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	37
PID 480 wrote to memory of 79704	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	37
PID 480 wrote to memory of 79704	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	37
PID 480 wrote to memory of 79704	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	37
PID 480 wrote to memory of 88040	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	41
PID 480 wrote to memory of 88040	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	41
PID 480 wrote to memory of 88040	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	41
PID 480 wrote to memory of 88040	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	41
PID 480 wrote to memory of 88048	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	40
PID 480 wrote to memory of 88048	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	40
PID 480 wrote to memory of 88048	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	40
PID 480 wrote to memory of 88048	480	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	40
PID 79696 wrote to memory of 112716	79696	net.exe	47
PID 79696 wrote to memory of 112716	79696	net.exe	47
PID 79696 wrote to memory of 112716	79696	net.exe	47
PID 79696 wrote to memory of 112716	79696	net.exe	47
PID 88040 wrote to memory of 112708	88040	net.exe	44
PID 88040 wrote to memory of 112708	88040	net.exe	44
PID 88040 wrote to memory of 112708	88040	net.exe	44
PID 88040 wrote to memory of 112708	88040	net.exe	44
PID 88048 wrote to memory of 112724	88048	net.exe	45
PID 88048 wrote to memory of 112724	88048	net.exe	45
PID 88048 wrote to memory of 112724	88048	net.exe	45
PID 88048 wrote to memory of 112724	88048	net.exe	45
PID 79704 wrote to memory of 112732	79704	net.exe	46
PID 79704 wrote to memory of 112732	79704	net.exe	46
PID 79704 wrote to memory of 112732	79704	net.exe	46
PID 79704 wrote to memory of 112732	79704	net.exe	46

C:\Users\Admin\AppData\Local\Temp\f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
"C:\Users\Admin\AppData\Local\Temp\f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:480
- C:\Users\Admin\AppData\Local\Temp\nNumpQQTSrep.exe
  "C:\Users\Admin\AppData\Local\Temp\nNumpQQTSrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\IlubANuqWlan.exe
  "C:\Users\Admin\AppData\Local\Temp\IlubANuqWlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Users\Admin\AppData\Local\Temp\BZpAEeVrQlan.exe
  "C:\Users\Admin\AppData\Local\Temp\BZpAEeVrQlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:9764
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:34416
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:34424
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:79704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:112732
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:79696
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:112716
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:88048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:112724
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:88040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:112708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/480-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp

Filesize
8KB

Download