ryuk | f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14

General

Target

f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
Size

116KB
MD5

9defe4fa3561d26e7d56ea9faab90602
SHA1

7ed8e87f01b5c4e4dd38e15d96d145e9fe95f91c
SHA256

f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14
SHA512

e6ff5c4db2d7d134bd51eabf9550f10aee1f578d44485cca03046ceb926fe348acba56df419f06b2cfeab4faacab097442e98cac985593f5ab865e7753ee9dda

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'Dmf2iVkD4d'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

YdrAeJHEFrep.exerVRPPQruxlan.exeeZeqyALSwlan.exe

pid process

3500 YdrAeJHEFrep.exe
2044 rVRPPQruxlan.exe
15076 eZeqyALSwlan.exe

pid	process
3500	YdrAeJHEFrep.exe
2044	rVRPPQruxlan.exe
15076	eZeqyALSwlan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe

description	pid	process	target process
PID 828 wrote to memory of 3500	828	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	YdrAeJHEFrep.exe
PID 828 wrote to memory of 3500	828	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	YdrAeJHEFrep.exe
PID 828 wrote to memory of 3500	828	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	YdrAeJHEFrep.exe
PID 828 wrote to memory of 2044	828	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	rVRPPQruxlan.exe
PID 828 wrote to memory of 2044	828	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	rVRPPQruxlan.exe
PID 828 wrote to memory of 2044	828	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	rVRPPQruxlan.exe
PID 828 wrote to memory of 15076	828	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	eZeqyALSwlan.exe
PID 828 wrote to memory of 15076	828	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	eZeqyALSwlan.exe
PID 828 wrote to memory of 15076	828	f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe	eZeqyALSwlan.exe

C:\Users\Admin\AppData\Local\Temp\f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe
"C:\Users\Admin\AppData\Local\Temp\f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Local\Temp\YdrAeJHEFrep.exe
"C:\Users\Admin\AppData\Local\Temp\YdrAeJHEFrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:3500

C:\Users\Admin\AppData\Local\Temp\rVRPPQruxlan.exe
"C:\Users\Admin\AppData\Local\Temp\rVRPPQruxlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2044

C:\Users\Admin\AppData\Local\Temp\eZeqyALSwlan.exe
"C:\Users\Admin\AppData\Local\Temp\eZeqyALSwlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:15076

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YdrAeJHEFrep.exe

MD5
9defe4fa3561d26e7d56ea9faab90602

SHA1
7ed8e87f01b5c4e4dd38e15d96d145e9fe95f91c

SHA256
f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14

SHA512
e6ff5c4db2d7d134bd51eabf9550f10aee1f578d44485cca03046ceb926fe348acba56df419f06b2cfeab4faacab097442e98cac985593f5ab865e7753ee9dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\YdrAeJHEFrep.exe

MD5
9defe4fa3561d26e7d56ea9faab90602

SHA1
7ed8e87f01b5c4e4dd38e15d96d145e9fe95f91c

SHA256
f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14

SHA512
e6ff5c4db2d7d134bd51eabf9550f10aee1f578d44485cca03046ceb926fe348acba56df419f06b2cfeab4faacab097442e98cac985593f5ab865e7753ee9dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\eZeqyALSwlan.exe

MD5
9defe4fa3561d26e7d56ea9faab90602

SHA1
7ed8e87f01b5c4e4dd38e15d96d145e9fe95f91c

SHA256
f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14

SHA512
e6ff5c4db2d7d134bd51eabf9550f10aee1f578d44485cca03046ceb926fe348acba56df419f06b2cfeab4faacab097442e98cac985593f5ab865e7753ee9dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\eZeqyALSwlan.exe

MD5
9defe4fa3561d26e7d56ea9faab90602

SHA1
7ed8e87f01b5c4e4dd38e15d96d145e9fe95f91c

SHA256
f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14

SHA512
e6ff5c4db2d7d134bd51eabf9550f10aee1f578d44485cca03046ceb926fe348acba56df419f06b2cfeab4faacab097442e98cac985593f5ab865e7753ee9dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\rVRPPQruxlan.exe

MD5
9defe4fa3561d26e7d56ea9faab90602

SHA1
7ed8e87f01b5c4e4dd38e15d96d145e9fe95f91c

SHA256
f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14

SHA512
e6ff5c4db2d7d134bd51eabf9550f10aee1f578d44485cca03046ceb926fe348acba56df419f06b2cfeab4faacab097442e98cac985593f5ab865e7753ee9dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\rVRPPQruxlan.exe

MD5
9defe4fa3561d26e7d56ea9faab90602

SHA1
7ed8e87f01b5c4e4dd38e15d96d145e9fe95f91c

SHA256
f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14

SHA512
e6ff5c4db2d7d134bd51eabf9550f10aee1f578d44485cca03046ceb926fe348acba56df419f06b2cfeab4faacab097442e98cac985593f5ab865e7753ee9dda

Download Submit
C:\users\Public\RyukReadMe.html

MD5
ca59dca8f2d37040c803f18da2877ba3

SHA1
e82ce90b49581a17fcaa772c6f7194ee72d36563

SHA256
39717e077ad749b4e6832286bbc6387db4d4bfbd0e10c5a10560f105ee378ed4

SHA512
1d78c8a37ec29cdbcc33ad7c0815b1c96a1dc97abd89a5c6322ba2f0e63d5d0142fe43aa0125a45355582d216b186a1abf4851a12dbb01e81024a92995990472

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads