ryuk | e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf

General

Target

e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
Size

192KB
MD5

ce36b667dc2411b83ab678a66c42065a
SHA1

40a41587d785406e2d5c8b782492f18b8c034305
SHA256

e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf
SHA512

503f0fc072271880a13bb412eee27191e8d2f1d0af51daf5d4d55be6f33843f6427a0155e1600d447526147a7647e1c883853e30fe72a57904bd613af16104ff

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

hhgsEmD.exe

pid process

1764 hhgsEmD.exe

pid	process
1764	hhgsEmD.exe

Loads dropped DLL 2 IoCs

Processes:

e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe

pid	process
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhgsEmD.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exehhgsEmD.exe

pid	process
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1764	hhgsEmD.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1764	hhgsEmD.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
1764	hhgsEmD.exe
1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exehhgsEmD.exe

description	pid	process
Token: SeDebugPrivilege	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
Token: SeBackupPrivilege	1764	hhgsEmD.exe
Token: SeBackupPrivilege	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exenet.exenet.exehhgsEmD.exenet.exenet.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1480 wrote to memory of 1764	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	hhgsEmD.exe
PID 1480 wrote to memory of 1764	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	hhgsEmD.exe
PID 1480 wrote to memory of 1764	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	hhgsEmD.exe
PID 1480 wrote to memory of 1764	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	hhgsEmD.exe
PID 1480 wrote to memory of 1244	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	taskhost.exe
PID 1480 wrote to memory of 1348	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	Dwm.exe
PID 1480 wrote to memory of 860	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 860	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 860	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 860	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 860 wrote to memory of 1412	860	net.exe	net1.exe
PID 860 wrote to memory of 1412	860	net.exe	net1.exe
PID 860 wrote to memory of 1412	860	net.exe	net1.exe
PID 860 wrote to memory of 1412	860	net.exe	net1.exe
PID 1480 wrote to memory of 1128	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 1128	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 1128	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 1128	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1128 wrote to memory of 1780	1128	net.exe	net1.exe
PID 1128 wrote to memory of 1780	1128	net.exe	net1.exe
PID 1128 wrote to memory of 1780	1128	net.exe	net1.exe
PID 1128 wrote to memory of 1780	1128	net.exe	net1.exe
PID 1764 wrote to memory of 1928	1764	hhgsEmD.exe	net.exe
PID 1764 wrote to memory of 1928	1764	hhgsEmD.exe	net.exe
PID 1764 wrote to memory of 1928	1764	hhgsEmD.exe	net.exe
PID 1764 wrote to memory of 1928	1764	hhgsEmD.exe	net.exe
PID 1928 wrote to memory of 1756	1928	net.exe	net1.exe
PID 1928 wrote to memory of 1756	1928	net.exe	net1.exe
PID 1928 wrote to memory of 1756	1928	net.exe	net1.exe
PID 1928 wrote to memory of 1756	1928	net.exe	net1.exe
PID 1480 wrote to memory of 1560	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 1560	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 1560	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 1560	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1560 wrote to memory of 1924	1560	net.exe	net1.exe
PID 1560 wrote to memory of 1924	1560	net.exe	net1.exe
PID 1560 wrote to memory of 1924	1560	net.exe	net1.exe
PID 1560 wrote to memory of 1924	1560	net.exe	net1.exe
PID 1480 wrote to memory of 1068	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	cmd.exe
PID 1480 wrote to memory of 1068	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	cmd.exe
PID 1480 wrote to memory of 1068	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	cmd.exe
PID 1480 wrote to memory of 1068	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	cmd.exe
PID 1068 wrote to memory of 748	1068	cmd.exe	reg.exe
PID 1068 wrote to memory of 748	1068	cmd.exe	reg.exe
PID 1068 wrote to memory of 748	1068	cmd.exe	reg.exe
PID 1068 wrote to memory of 748	1068	cmd.exe	reg.exe
PID 1764 wrote to memory of 8612	1764	hhgsEmD.exe	cmd.exe
PID 1764 wrote to memory of 8612	1764	hhgsEmD.exe	cmd.exe
PID 1764 wrote to memory of 8612	1764	hhgsEmD.exe	cmd.exe
PID 1764 wrote to memory of 8612	1764	hhgsEmD.exe	cmd.exe
PID 8612 wrote to memory of 8640	8612	cmd.exe	reg.exe
PID 8612 wrote to memory of 8640	8612	cmd.exe	reg.exe
PID 8612 wrote to memory of 8640	8612	cmd.exe	reg.exe
PID 8612 wrote to memory of 8640	8612	cmd.exe	reg.exe
PID 1480 wrote to memory of 8904	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 8904	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 8904	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 1480 wrote to memory of 8904	1480	e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe	net.exe
PID 8904 wrote to memory of 8968	8904	net.exe	net1.exe
PID 8904 wrote to memory of 8968	8904	net.exe	net1.exe
PID 8904 wrote to memory of 8968	8904	net.exe	net1.exe
PID 8904 wrote to memory of 8968	8904	net.exe	net1.exe
PID 1764 wrote to memory of 9056	1764	hhgsEmD.exe	net.exe
PID 1764 wrote to memory of 9056	1764	hhgsEmD.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe
"C:\Users\Admin\AppData\Local\Temp\e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\hhgsEmD.exe
"C:\Users\Admin\AppData\Local\Temp\hhgsEmD.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\hhgsEmD.exe" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:8612

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\hhgsEmD.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:8640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:9056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:9080

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:36588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:36792

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1412

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1780

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe" /f /reg:64
2⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:8904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8968

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:9144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:9168

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:30208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:30232

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:46428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:46452

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1348

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
06ddf83607ef401b0da501bf52e465d2

SHA1
95ac3505dda393d8c7ea2554f501abef019668c6

SHA256
b591bc560b973bd59cb24aa04d9a5af3c3098aa7f7ef8a5504f16deb154644d8

SHA512
bde16515f285edd3877341c0462f28edb534834f8545895b0195dbedc2e7b745a7ea355ff996c8ca1832898536632217c63c5a093af215030047123b67897c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhgsEmD.exe

MD5
ce36b667dc2411b83ab678a66c42065a

SHA1
40a41587d785406e2d5c8b782492f18b8c034305

SHA256
e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf

SHA512
503f0fc072271880a13bb412eee27191e8d2f1d0af51daf5d4d55be6f33843f6427a0155e1600d447526147a7647e1c883853e30fe72a57904bd613af16104ff

Download Submit
\Users\Admin\AppData\Local\Temp\hhgsEmD.exe

MD5
ce36b667dc2411b83ab678a66c42065a

SHA1
40a41587d785406e2d5c8b782492f18b8c034305

SHA256
e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf

SHA512
503f0fc072271880a13bb412eee27191e8d2f1d0af51daf5d4d55be6f33843f6427a0155e1600d447526147a7647e1c883853e30fe72a57904bd613af16104ff

Download Submit
\Users\Admin\AppData\Local\Temp\hhgsEmD.exe

MD5
ce36b667dc2411b83ab678a66c42065a

SHA1
40a41587d785406e2d5c8b782492f18b8c034305

SHA256
e33cc528ba4611636e7d1f52f634f46cb0fe9ae7e25250b04723452f994aaddf

SHA512
503f0fc072271880a13bb412eee27191e8d2f1d0af51daf5d4d55be6f33843f6427a0155e1600d447526147a7647e1c883853e30fe72a57904bd613af16104ff

Download Submit
memory/1244-59-0x0000000030000000-0x0000000030170000-memory.dmp

Filesize
1.4MB

Download
memory/1480-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads