ryuk | ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4

General

Target

ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
Size

72KB
MD5

777d9d83da40ed1481d9f0646b4b0a3d
SHA1

6c817e64a04620eddd9b73ed894a76afac484b94
SHA256

ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4
SHA512

f0ae9cd13ec35b7cfa4dda91637c683b1074faff99fbff8448b8dd90fac2c0be1fa2304f90bbea4695fa196724f36767f2f40f5a1e6a95e3cf6c14ecea2754b6

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

lZgPAws.exe

pid process

368 lZgPAws.exe

pid	process
368	lZgPAws.exe

Loads dropped DLL 2 IoCs

Processes:

ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe

pid	process
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exelZgPAws.exe

pid	process
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
368	lZgPAws.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
368	lZgPAws.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exelZgPAws.exe

description	pid	process
Token: SeBackupPrivilege	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
Token: SeBackupPrivilege	368	lZgPAws.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exenet.exenet.exenet.exenet.exelZgPAws.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1912 wrote to memory of 368	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	lZgPAws.exe
PID 1912 wrote to memory of 368	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	lZgPAws.exe
PID 1912 wrote to memory of 368	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	lZgPAws.exe
PID 1912 wrote to memory of 368	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	lZgPAws.exe
PID 1912 wrote to memory of 704	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 704	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 704	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 704	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 704 wrote to memory of 872	704	net.exe	net1.exe
PID 704 wrote to memory of 872	704	net.exe	net1.exe
PID 704 wrote to memory of 872	704	net.exe	net1.exe
PID 704 wrote to memory of 872	704	net.exe	net1.exe
PID 1912 wrote to memory of 1104	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 1104	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 1104	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 1104	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1104 wrote to memory of 1588	1104	net.exe	net1.exe
PID 1104 wrote to memory of 1588	1104	net.exe	net1.exe
PID 1104 wrote to memory of 1588	1104	net.exe	net1.exe
PID 1104 wrote to memory of 1588	1104	net.exe	net1.exe
PID 1912 wrote to memory of 1028	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 1028	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 1028	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 1028	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1028 wrote to memory of 1760	1028	net.exe	net1.exe
PID 1028 wrote to memory of 1760	1028	net.exe	net1.exe
PID 1028 wrote to memory of 1760	1028	net.exe	net1.exe
PID 1028 wrote to memory of 1760	1028	net.exe	net1.exe
PID 1912 wrote to memory of 2160	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 2160	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 2160	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 2160	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 2160 wrote to memory of 2236	2160	net.exe	net1.exe
PID 2160 wrote to memory of 2236	2160	net.exe	net1.exe
PID 2160 wrote to memory of 2236	2160	net.exe	net1.exe
PID 2160 wrote to memory of 2236	2160	net.exe	net1.exe
PID 368 wrote to memory of 3744	368	lZgPAws.exe	net.exe
PID 368 wrote to memory of 3744	368	lZgPAws.exe	net.exe
PID 368 wrote to memory of 3744	368	lZgPAws.exe	net.exe
PID 368 wrote to memory of 3744	368	lZgPAws.exe	net.exe
PID 3744 wrote to memory of 3772	3744	net.exe	net1.exe
PID 3744 wrote to memory of 3772	3744	net.exe	net1.exe
PID 3744 wrote to memory of 3772	3744	net.exe	net1.exe
PID 3744 wrote to memory of 3772	3744	net.exe	net1.exe
PID 1912 wrote to memory of 16800	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 16800	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 16800	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 16800	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 16800 wrote to memory of 16824	16800	net.exe	net1.exe
PID 16800 wrote to memory of 16824	16800	net.exe	net1.exe
PID 16800 wrote to memory of 16824	16800	net.exe	net1.exe
PID 16800 wrote to memory of 16824	16800	net.exe	net1.exe
PID 1912 wrote to memory of 16836	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 16836	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 16836	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 16836	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 16836 wrote to memory of 16860	16836	net.exe	net1.exe
PID 16836 wrote to memory of 16860	16836	net.exe	net1.exe
PID 16836 wrote to memory of 16860	16836	net.exe	net1.exe
PID 16836 wrote to memory of 16860	16836	net.exe	net1.exe
PID 1912 wrote to memory of 37452	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 37452	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 37452	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe
PID 1912 wrote to memory of 37452	1912	ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe
"C:\Users\Admin\AppData\Local\Temp\ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\lZgPAws.exe
"C:\Users\Admin\AppData\Local\Temp\lZgPAws.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:3772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:37532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:37564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:872

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1588

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2236

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16824

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:37452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:37476

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:37496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:37524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
62429300ef3f095ae37a58b737c60ab5

SHA1
6036c4e454eb6fed69504e7a5ae2227153757e93

SHA256
dbcb799862fb04f74c3a3fd880a35a3f87c1a5d87ee57235f84c33bf51a97b46

SHA512
028db4e3928a3d7a4eb7377a423d700e1c9c52c0da147690ae3d373274e08b20896d4732b1e647f441be74fce9dafa5f17434f79bdb977595a635a7cafd182a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lZgPAws.exe
MD5
777d9d83da40ed1481d9f0646b4b0a3d

SHA1
6c817e64a04620eddd9b73ed894a76afac484b94

SHA256
ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4

SHA512
f0ae9cd13ec35b7cfa4dda91637c683b1074faff99fbff8448b8dd90fac2c0be1fa2304f90bbea4695fa196724f36767f2f40f5a1e6a95e3cf6c14ecea2754b6

Download Submit
\Users\Admin\AppData\Local\Temp\lZgPAws.exe
MD5
777d9d83da40ed1481d9f0646b4b0a3d

SHA1
6c817e64a04620eddd9b73ed894a76afac484b94

SHA256
ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4

SHA512
f0ae9cd13ec35b7cfa4dda91637c683b1074faff99fbff8448b8dd90fac2c0be1fa2304f90bbea4695fa196724f36767f2f40f5a1e6a95e3cf6c14ecea2754b6

Download Submit
\Users\Admin\AppData\Local\Temp\lZgPAws.exe
MD5
777d9d83da40ed1481d9f0646b4b0a3d

SHA1
6c817e64a04620eddd9b73ed894a76afac484b94

SHA256
ddc41e15773815f293b5a61e505e37dff0e05e9e195e4dd2e2eaab932b9582d4

SHA512
f0ae9cd13ec35b7cfa4dda91637c683b1074faff99fbff8448b8dd90fac2c0be1fa2304f90bbea4695fa196724f36767f2f40f5a1e6a95e3cf6c14ecea2754b6

Download Submit
memory/1912-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads