ryuk | cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e

Analysis

max time kernel
184s
max time network
223s
platform
windows7_x64
resource
win7-en-20211208
submitted
20/02/2022, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
Size

121KB
MD5

628da52a53fc3ff3e990f454928f4ea4
SHA1

214b361aa8de6df1785eb9039c01e046a323bfa0
SHA256

cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e
SHA512

81d4635fc11474cc3b9bd70d93989176266d66791c521d5af8bda8f89b8ee2ebfc4224947ce977e2997cc9ce143b67b7c1715672e2f5e7156f41c49c923f01a7

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'o0ZEpAZWbe'; $torlink = 'http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
576	pVYHSKDNIrep.exe
1376	eyYHZEcoflan.exe
1828	qRhLJODPrlan.exe

Loads dropped DLL 6 IoCs

pid	Process
1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1380	icacls.exe
2000	icacls.exe

Drops file in Program Files directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RyukReadMe.html	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 576	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	29
PID 1648 wrote to memory of 576	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	29
PID 1648 wrote to memory of 576	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	29
PID 1648 wrote to memory of 576	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	29
PID 1648 wrote to memory of 1376	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	30
PID 1648 wrote to memory of 1376	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	30
PID 1648 wrote to memory of 1376	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	30
PID 1648 wrote to memory of 1376	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	30
PID 1648 wrote to memory of 1828	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	31
PID 1648 wrote to memory of 1828	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	31
PID 1648 wrote to memory of 1828	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	31
PID 1648 wrote to memory of 1828	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	31
PID 1648 wrote to memory of 1380	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	32
PID 1648 wrote to memory of 1380	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	32
PID 1648 wrote to memory of 1380	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	32
PID 1648 wrote to memory of 1380	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	32
PID 1648 wrote to memory of 2000	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	33
PID 1648 wrote to memory of 2000	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	33
PID 1648 wrote to memory of 2000	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	33
PID 1648 wrote to memory of 2000	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	33
PID 1648 wrote to memory of 46892	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	37
PID 1648 wrote to memory of 46892	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	37
PID 1648 wrote to memory of 46892	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	37
PID 1648 wrote to memory of 46892	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	37
PID 1648 wrote to memory of 46884	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	36
PID 1648 wrote to memory of 46884	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	36
PID 1648 wrote to memory of 46884	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	36
PID 1648 wrote to memory of 46884	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	36
PID 1648 wrote to memory of 46940	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	40
PID 1648 wrote to memory of 46940	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	40
PID 1648 wrote to memory of 46940	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	40
PID 1648 wrote to memory of 46940	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	40
PID 1648 wrote to memory of 46952	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	41
PID 1648 wrote to memory of 46952	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	41
PID 1648 wrote to memory of 46952	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	41
PID 1648 wrote to memory of 46952	1648	cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe	41
PID 46940 wrote to memory of 92116	46940	net.exe	44
PID 46940 wrote to memory of 92116	46940	net.exe	44
PID 46940 wrote to memory of 92116	46940	net.exe	44
PID 46940 wrote to memory of 92116	46940	net.exe	44
PID 46892 wrote to memory of 92124	46892	net.exe	45
PID 46892 wrote to memory of 92124	46892	net.exe	45
PID 46892 wrote to memory of 92124	46892	net.exe	45
PID 46892 wrote to memory of 92124	46892	net.exe	45
PID 46884 wrote to memory of 92140	46884	net.exe	46
PID 46884 wrote to memory of 92140	46884	net.exe	46
PID 46884 wrote to memory of 92140	46884	net.exe	46
PID 46884 wrote to memory of 92140	46884	net.exe	46
PID 46952 wrote to memory of 92132	46952	net.exe	47
PID 46952 wrote to memory of 92132	46952	net.exe	47
PID 46952 wrote to memory of 92132	46952	net.exe	47
PID 46952 wrote to memory of 92132	46952	net.exe	47

C:\Users\Admin\AppData\Local\Temp\cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe
"C:\Users\Admin\AppData\Local\Temp\cde54dbada530a9c060259c6ad351b82513fb20074493acc913aa2a00a3dd50e.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\pVYHSKDNIrep.exe
  "C:\Users\Admin\AppData\Local\Temp\pVYHSKDNIrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Users\Admin\AppData\Local\Temp\eyYHZEcoflan.exe
  "C:\Users\Admin\AppData\Local\Temp\eyYHZEcoflan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Users\Admin\AppData\Local\Temp\qRhLJODPrlan.exe
  "C:\Users\Admin\AppData\Local\Temp\qRhLJODPrlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1380
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2000
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:46884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:92140
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:46892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:92124
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:46940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:92116
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:46952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:92132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1648-54-0x0000000075341000-0x0000000075343000-memory.dmp

Filesize
8KB

Download