ryuk | def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86

General

Target

def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
Size

202KB
MD5

19c2252f877112192dd1112dde32e3d4
SHA1

33f7c585527d012ba115d313003ca52b0fabcdb6
SHA256

def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86
SHA512

4f639986b6464c5b7802ed8f4bb2f069489da5ea556181db51b0ced62cf9e0f2afc8287d99b7a3678ed9402b629f4205dd8a92c4f4862977b2294f7df2a941bc

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 4520	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	61
PID 1528 wrote to memory of 4520	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	61
PID 1528 wrote to memory of 4556	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	63
PID 1528 wrote to memory of 4556	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	63
PID 4556 wrote to memory of 4640	4556	net.exe	66
PID 4556 wrote to memory of 4640	4556	net.exe	66
PID 4520 wrote to memory of 4632	4520	net.exe	65
PID 4520 wrote to memory of 4632	4520	net.exe	65
PID 1528 wrote to memory of 4772	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	69
PID 1528 wrote to memory of 4772	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	69
PID 4772 wrote to memory of 4832	4772	net.exe	71
PID 4772 wrote to memory of 4832	4772	net.exe	71
PID 1528 wrote to memory of 4864	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	72
PID 1528 wrote to memory of 4864	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	72
PID 4864 wrote to memory of 4944	4864	net.exe	75
PID 4864 wrote to memory of 4944	4864	net.exe	75
PID 1528 wrote to memory of 1620	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	79
PID 1528 wrote to memory of 1620	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	79
PID 1620 wrote to memory of 3056	1620	net.exe	81
PID 1620 wrote to memory of 3056	1620	net.exe	81
PID 1528 wrote to memory of 3984	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	82
PID 1528 wrote to memory of 3984	1528	def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe	82
PID 3984 wrote to memory of 4784	3984	net.exe	84
PID 3984 wrote to memory of 4784	3984	net.exe	84

C:\Users\Admin\AppData\Local\Temp\def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe
"C:\Users\Admin\AppData\Local\Temp\def050d478f9e84882b007f3cd20dc4ffd3bf6f913532caa63ee4c9aec37dc86.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4632
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4640
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4832
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4944
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3056
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads