ryuk | d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82

Analysis

max time kernel
165s
max time network
137s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
Size

188KB
MD5

28b6df2007a3b33b43a13ab518f2947d
SHA1

7ea40bac1432c34736bd0cce346d8f9b983c627b
SHA256

d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82
SHA512

e851fae2a441a1b0814d4725ea288875cd44229573449eddff2af1db66433d27461edf246a6f9ce01a32025985f008c0b6a0ada134aaaf2020b8f8d2ce683f58

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
268	OxYFABS.exe

Loads dropped DLL 2 IoCs

pid	Process
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
268	OxYFABS.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
268	OxYFABS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
Token: SeBackupPrivilege	268	OxYFABS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 268	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	27
PID 624 wrote to memory of 268	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	27
PID 624 wrote to memory of 268	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	27
PID 624 wrote to memory of 268	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	27
PID 624 wrote to memory of 1644	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	28
PID 624 wrote to memory of 1644	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	28
PID 624 wrote to memory of 1644	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	28
PID 624 wrote to memory of 1644	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	28
PID 624 wrote to memory of 1292	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	31
PID 624 wrote to memory of 1292	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	31
PID 624 wrote to memory of 1292	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	31
PID 624 wrote to memory of 1292	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	31
PID 268 wrote to memory of 1376	268	OxYFABS.exe	30
PID 268 wrote to memory of 1376	268	OxYFABS.exe	30
PID 268 wrote to memory of 1376	268	OxYFABS.exe	30
PID 268 wrote to memory of 1376	268	OxYFABS.exe	30
PID 624 wrote to memory of 1864	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	34
PID 624 wrote to memory of 1864	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	34
PID 624 wrote to memory of 1864	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	34
PID 624 wrote to memory of 1864	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	34
PID 268 wrote to memory of 976	268	OxYFABS.exe	36
PID 268 wrote to memory of 976	268	OxYFABS.exe	36
PID 268 wrote to memory of 976	268	OxYFABS.exe	36
PID 268 wrote to memory of 976	268	OxYFABS.exe	36
PID 624 wrote to memory of 1056	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	38
PID 624 wrote to memory of 1056	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	38
PID 624 wrote to memory of 1056	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	38
PID 624 wrote to memory of 1056	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	38
PID 1056 wrote to memory of 2188	1056	net.exe	43
PID 1056 wrote to memory of 2188	1056	net.exe	43
PID 1056 wrote to memory of 2188	1056	net.exe	43
PID 1056 wrote to memory of 2188	1056	net.exe	43
PID 1292 wrote to memory of 2164	1292	net.exe	42
PID 1292 wrote to memory of 2164	1292	net.exe	42
PID 1292 wrote to memory of 2164	1292	net.exe	42
PID 1292 wrote to memory of 2164	1292	net.exe	42
PID 1864 wrote to memory of 2172	1864	net.exe	41
PID 1864 wrote to memory of 2172	1864	net.exe	41
PID 1864 wrote to memory of 2172	1864	net.exe	41
PID 1864 wrote to memory of 2172	1864	net.exe	41
PID 1376 wrote to memory of 2180	1376	net.exe	40
PID 1376 wrote to memory of 2180	1376	net.exe	40
PID 1376 wrote to memory of 2180	1376	net.exe	40
PID 1376 wrote to memory of 2180	1376	net.exe	40
PID 1644 wrote to memory of 2196	1644	net.exe	44
PID 1644 wrote to memory of 2196	1644	net.exe	44
PID 1644 wrote to memory of 2196	1644	net.exe	44
PID 1644 wrote to memory of 2196	1644	net.exe	44
PID 976 wrote to memory of 2204	976	net.exe	45
PID 976 wrote to memory of 2204	976	net.exe	45
PID 976 wrote to memory of 2204	976	net.exe	45
PID 976 wrote to memory of 2204	976	net.exe	45
PID 624 wrote to memory of 34472	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	48
PID 624 wrote to memory of 34472	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	48
PID 624 wrote to memory of 34472	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	48
PID 624 wrote to memory of 34472	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	48
PID 34472 wrote to memory of 34348	34472	net.exe	50
PID 34472 wrote to memory of 34348	34472	net.exe	50
PID 34472 wrote to memory of 34348	34472	net.exe	50
PID 34472 wrote to memory of 34348	34472	net.exe	50
PID 624 wrote to memory of 35576	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	51
PID 624 wrote to memory of 35576	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	51
PID 624 wrote to memory of 35576	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	51
PID 624 wrote to memory of 35576	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	51

C:\Users\Admin\AppData\Local\Temp\d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
"C:\Users\Admin\AppData\Local\Temp\d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\OxYFABS.exe
  "C:\Users\Admin\AppData\Local\Temp\OxYFABS.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2204
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:2224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1688
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2196
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2164
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2172
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2188
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:34472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:34348
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:35576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:35584
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:38692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:38740
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-55-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download