ryuk | ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4

Analysis

max time kernel
177s
max time network
83s
platform
windows7_x64
resource
win7-en-20211208
submitted
20/02/2022, 01:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
Size

72KB
MD5

777d9d83da40ed1481d9f0646b4b0a3d
SHA1

6c817e64a04620eddd9b73ed894a76afac484b94
SHA256

ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4
SHA512

f0ae9cd13ec35b7cfa4dda91637c683b1074faff99fbff8448b8dd90fac2c0be1fa2304f90bbea4695fa196724f36767f2f40f5a1e6a95e3cf6c14ecea2754b6

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
368	lZgPAws.exe

Loads dropped DLL 2 IoCs

pid	Process
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
368	lZgPAws.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
Token: SeBackupPrivilege	368	lZgPAws.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 368	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	27
PID 1912 wrote to memory of 368	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	27
PID 1912 wrote to memory of 368	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	27
PID 1912 wrote to memory of 368	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	27
PID 1912 wrote to memory of 704	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	28
PID 1912 wrote to memory of 704	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	28
PID 1912 wrote to memory of 704	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	28
PID 1912 wrote to memory of 704	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	28
PID 704 wrote to memory of 872	704	net.exe	30
PID 704 wrote to memory of 872	704	net.exe	30
PID 704 wrote to memory of 872	704	net.exe	30
PID 704 wrote to memory of 872	704	net.exe	30
PID 1912 wrote to memory of 1104	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	31
PID 1912 wrote to memory of 1104	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	31
PID 1912 wrote to memory of 1104	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	31
PID 1912 wrote to memory of 1104	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	31
PID 1104 wrote to memory of 1588	1104	net.exe	33
PID 1104 wrote to memory of 1588	1104	net.exe	33
PID 1104 wrote to memory of 1588	1104	net.exe	33
PID 1104 wrote to memory of 1588	1104	net.exe	33
PID 1912 wrote to memory of 1028	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	34
PID 1912 wrote to memory of 1028	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	34
PID 1912 wrote to memory of 1028	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	34
PID 1912 wrote to memory of 1028	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	34
PID 1028 wrote to memory of 1760	1028	net.exe	36
PID 1028 wrote to memory of 1760	1028	net.exe	36
PID 1028 wrote to memory of 1760	1028	net.exe	36
PID 1028 wrote to memory of 1760	1028	net.exe	36
PID 1912 wrote to memory of 2160	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	37
PID 1912 wrote to memory of 2160	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	37
PID 1912 wrote to memory of 2160	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	37
PID 1912 wrote to memory of 2160	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	37
PID 2160 wrote to memory of 2236	2160	net.exe	39
PID 2160 wrote to memory of 2236	2160	net.exe	39
PID 2160 wrote to memory of 2236	2160	net.exe	39
PID 2160 wrote to memory of 2236	2160	net.exe	39
PID 368 wrote to memory of 3744	368	lZgPAws.exe	40
PID 368 wrote to memory of 3744	368	lZgPAws.exe	40
PID 368 wrote to memory of 3744	368	lZgPAws.exe	40
PID 368 wrote to memory of 3744	368	lZgPAws.exe	40
PID 3744 wrote to memory of 3772	3744	net.exe	42
PID 3744 wrote to memory of 3772	3744	net.exe	42
PID 3744 wrote to memory of 3772	3744	net.exe	42
PID 3744 wrote to memory of 3772	3744	net.exe	42
PID 1912 wrote to memory of 16800	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	46
PID 1912 wrote to memory of 16800	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	46
PID 1912 wrote to memory of 16800	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	46
PID 1912 wrote to memory of 16800	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	46
PID 16800 wrote to memory of 16824	16800	net.exe	48
PID 16800 wrote to memory of 16824	16800	net.exe	48
PID 16800 wrote to memory of 16824	16800	net.exe	48
PID 16800 wrote to memory of 16824	16800	net.exe	48
PID 1912 wrote to memory of 16836	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	49
PID 1912 wrote to memory of 16836	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	49
PID 1912 wrote to memory of 16836	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	49
PID 1912 wrote to memory of 16836	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	49
PID 16836 wrote to memory of 16860	16836	net.exe	51
PID 16836 wrote to memory of 16860	16836	net.exe	51
PID 16836 wrote to memory of 16860	16836	net.exe	51
PID 16836 wrote to memory of 16860	16836	net.exe	51
PID 1912 wrote to memory of 37452	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	52
PID 1912 wrote to memory of 37452	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	52
PID 1912 wrote to memory of 37452	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	52
PID 1912 wrote to memory of 37452	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	52

C:\Users\Admin\AppData\Local\Temp\ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
"C:\Users\Admin\AppData\Local\Temp\ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\lZgPAws.exe
  "C:\Users\Admin\AppData\Local\Temp\lZgPAws.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:3772
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:37532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:37564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1588
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1760
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2236
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16824
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16860
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:37452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:37476
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:37496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:37524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1912-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download