ryuk | d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82

General

Target

d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
Size

188KB
MD5

28b6df2007a3b33b43a13ab518f2947d
SHA1

7ea40bac1432c34736bd0cce346d8f9b983c627b
SHA256

d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82
SHA512

e851fae2a441a1b0814d4725ea288875cd44229573449eddff2af1db66433d27461edf246a6f9ce01a32025985f008c0b6a0ada134aaaf2020b8f8d2ce683f58

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

OxYFABS.exe

pid process

268 OxYFABS.exe

pid	process
268	OxYFABS.exe

Loads dropped DLL 2 IoCs

Processes:

d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe

pid	process
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exeOxYFABS.exe

pid	process
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
268	OxYFABS.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
268	OxYFABS.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
268	OxYFABS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exeOxYFABS.exe

description	pid	process
Token: SeBackupPrivilege	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
Token: SeBackupPrivilege	268	OxYFABS.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exeOxYFABS.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 624 wrote to memory of 268	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	OxYFABS.exe
PID 624 wrote to memory of 268	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	OxYFABS.exe
PID 624 wrote to memory of 268	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	OxYFABS.exe
PID 624 wrote to memory of 268	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	OxYFABS.exe
PID 624 wrote to memory of 1644	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1644	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1644	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1644	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1292	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1292	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1292	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1292	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 268 wrote to memory of 1376	268	OxYFABS.exe	net.exe
PID 268 wrote to memory of 1376	268	OxYFABS.exe	net.exe
PID 268 wrote to memory of 1376	268	OxYFABS.exe	net.exe
PID 268 wrote to memory of 1376	268	OxYFABS.exe	net.exe
PID 624 wrote to memory of 1864	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1864	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1864	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1864	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 268 wrote to memory of 976	268	OxYFABS.exe	net.exe
PID 268 wrote to memory of 976	268	OxYFABS.exe	net.exe
PID 268 wrote to memory of 976	268	OxYFABS.exe	net.exe
PID 268 wrote to memory of 976	268	OxYFABS.exe	net.exe
PID 624 wrote to memory of 1056	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1056	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1056	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 1056	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 1056 wrote to memory of 2188	1056	net.exe	net1.exe
PID 1056 wrote to memory of 2188	1056	net.exe	net1.exe
PID 1056 wrote to memory of 2188	1056	net.exe	net1.exe
PID 1056 wrote to memory of 2188	1056	net.exe	net1.exe
PID 1292 wrote to memory of 2164	1292	net.exe	net1.exe
PID 1292 wrote to memory of 2164	1292	net.exe	net1.exe
PID 1292 wrote to memory of 2164	1292	net.exe	net1.exe
PID 1292 wrote to memory of 2164	1292	net.exe	net1.exe
PID 1864 wrote to memory of 2172	1864	net.exe	net1.exe
PID 1864 wrote to memory of 2172	1864	net.exe	net1.exe
PID 1864 wrote to memory of 2172	1864	net.exe	net1.exe
PID 1864 wrote to memory of 2172	1864	net.exe	net1.exe
PID 1376 wrote to memory of 2180	1376	net.exe	net1.exe
PID 1376 wrote to memory of 2180	1376	net.exe	net1.exe
PID 1376 wrote to memory of 2180	1376	net.exe	net1.exe
PID 1376 wrote to memory of 2180	1376	net.exe	net1.exe
PID 1644 wrote to memory of 2196	1644	net.exe	net1.exe
PID 1644 wrote to memory of 2196	1644	net.exe	net1.exe
PID 1644 wrote to memory of 2196	1644	net.exe	net1.exe
PID 1644 wrote to memory of 2196	1644	net.exe	net1.exe
PID 976 wrote to memory of 2204	976	net.exe	net1.exe
PID 976 wrote to memory of 2204	976	net.exe	net1.exe
PID 976 wrote to memory of 2204	976	net.exe	net1.exe
PID 976 wrote to memory of 2204	976	net.exe	net1.exe
PID 624 wrote to memory of 34472	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 34472	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 34472	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 34472	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 34472 wrote to memory of 34348	34472	net.exe	net1.exe
PID 34472 wrote to memory of 34348	34472	net.exe	net1.exe
PID 34472 wrote to memory of 34348	34472	net.exe	net1.exe
PID 34472 wrote to memory of 34348	34472	net.exe	net1.exe
PID 624 wrote to memory of 35576	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 35576	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 35576	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe
PID 624 wrote to memory of 35576	624	d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe
"C:\Users\Admin\AppData\Local\Temp\d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\OxYFABS.exe
"C:\Users\Admin\AppData\Local\Temp\OxYFABS.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:2180

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:2204

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:2224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2196

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2164

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2172

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2188

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:34472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:34348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:35576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:35584

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:38692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:38740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxYFABS.exe
MD5
28b6df2007a3b33b43a13ab518f2947d

SHA1
7ea40bac1432c34736bd0cce346d8f9b983c627b

SHA256
d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82

SHA512
e851fae2a441a1b0814d4725ea288875cd44229573449eddff2af1db66433d27461edf246a6f9ce01a32025985f008c0b6a0ada134aaaf2020b8f8d2ce683f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
f80b83c93b55e21517d4d46a3acef02d

SHA1
2351f7b2cb5d7ebee65f90ce6dc8f988c54ceed2

SHA256
4da25fa1c78175a690bd0d6aecf93ca9f69ba76319c09b394a461697571435c1

SHA512
398206e517487adf82f2ff99fd86b115229a5d177eb01b053490d71bdb45b2b9390e3a89c7d8969344f6ec9437655edb75b324a1f0efb0c3da77ad2fa4dd3183

Download Submit
\Users\Admin\AppData\Local\Temp\OxYFABS.exe
MD5
28b6df2007a3b33b43a13ab518f2947d

SHA1
7ea40bac1432c34736bd0cce346d8f9b983c627b

SHA256
d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82

SHA512
e851fae2a441a1b0814d4725ea288875cd44229573449eddff2af1db66433d27461edf246a6f9ce01a32025985f008c0b6a0ada134aaaf2020b8f8d2ce683f58

Download Submit
\Users\Admin\AppData\Local\Temp\OxYFABS.exe
MD5
28b6df2007a3b33b43a13ab518f2947d

SHA1
7ea40bac1432c34736bd0cce346d8f9b983c627b

SHA256
d29d9915be6d41e899cec8593a36bf55acf63a1d574c65d7562898dab6dafa82

SHA512
e851fae2a441a1b0814d4725ea288875cd44229573449eddff2af1db66433d27461edf246a6f9ce01a32025985f008c0b6a0ada134aaaf2020b8f8d2ce683f58

Download Submit
memory/624-55-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads