ryuk | d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c

Analysis

max time kernel
182s
max time network
50s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe
Size

236KB
MD5

7c10cbeef49f0419899d8024be4abc47
SHA1

ac804313c2457bb45e53acfb21155ff916356d78
SHA256

d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c
SHA512

d9573699e4a683ee912343e5c78f1fe7e9307865b6bf0faab32c170cf0b000f5b208d15264bf7cb43750d713f11bd156a71f67e75d3409a66caab6ebc26f1424

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe
1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe
1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2140	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	30
PID 1504 wrote to memory of 2140	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	30
PID 1504 wrote to memory of 2140	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	30
PID 1504 wrote to memory of 2140	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	30
PID 1504 wrote to memory of 2412	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	32
PID 1504 wrote to memory of 2412	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	32
PID 1504 wrote to memory of 2412	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	32
PID 1504 wrote to memory of 2412	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	32
PID 2412 wrote to memory of 2704	2412	net.exe	33
PID 2412 wrote to memory of 2704	2412	net.exe	33
PID 2412 wrote to memory of 2704	2412	net.exe	33
PID 2412 wrote to memory of 2704	2412	net.exe	33
PID 2140 wrote to memory of 2696	2140	net.exe	34
PID 2140 wrote to memory of 2696	2140	net.exe	34
PID 2140 wrote to memory of 2696	2140	net.exe	34
PID 2140 wrote to memory of 2696	2140	net.exe	34
PID 1504 wrote to memory of 8500	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	35
PID 1504 wrote to memory of 8500	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	35
PID 1504 wrote to memory of 8500	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	35
PID 1504 wrote to memory of 8500	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	35
PID 8500 wrote to memory of 8528	8500	net.exe	37
PID 8500 wrote to memory of 8528	8500	net.exe	37
PID 8500 wrote to memory of 8528	8500	net.exe	37
PID 8500 wrote to memory of 8528	8500	net.exe	37
PID 1504 wrote to memory of 16972	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	39
PID 1504 wrote to memory of 16972	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	39
PID 1504 wrote to memory of 16972	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	39
PID 1504 wrote to memory of 16972	1504	d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe	39
PID 16972 wrote to memory of 16996	16972	net.exe	41
PID 16972 wrote to memory of 16996	16972	net.exe	41
PID 16972 wrote to memory of 16996	16972	net.exe	41
PID 16972 wrote to memory of 16996	16972	net.exe	41

C:\Users\Admin\AppData\Local\Temp\d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe
"C:\Users\Admin\AppData\Local\Temp\d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2696
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2704
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8528
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download