ryuk | d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849

General

Target

d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
Size

193KB
MD5

12147c94f3211733f893d31d587d4ad6
SHA1

708199a9a86894f464ec5a5d607ffb1093c096f4
SHA256

d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849
SHA512

3ef68160f44d16e3a305899d537773fdaace5ae6534eb185f3741bc2917f84457674a8bd1ad7db0c4b707a308f101cb3d49f7906bde7732dd26ed08cf9f6b1af

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

ehIwdrF.exe

pid process

1096 ehIwdrF.exe

pid	process
1096	ehIwdrF.exe

Loads dropped DLL 2 IoCs

Processes:

d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe

pid	process
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exeehIwdrF.exe

pid	process
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
1096	ehIwdrF.exe
1096	ehIwdrF.exe
1096	ehIwdrF.exe
1096	ehIwdrF.exe
1096	ehIwdrF.exe
1096	ehIwdrF.exe
1096	ehIwdrF.exe
1096	ehIwdrF.exe
1096	ehIwdrF.exe
1096	ehIwdrF.exe
1096	ehIwdrF.exe
1096	ehIwdrF.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
1096	ehIwdrF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exeehIwdrF.exe

description	pid	process
Token: SeBackupPrivilege	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
Token: SeBackupPrivilege	1096	ehIwdrF.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exeehIwdrF.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 956 wrote to memory of 1096	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	ehIwdrF.exe
PID 956 wrote to memory of 1096	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	ehIwdrF.exe
PID 956 wrote to memory of 1096	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	ehIwdrF.exe
PID 956 wrote to memory of 1096	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	ehIwdrF.exe
PID 956 wrote to memory of 2576	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2576	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2576	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2576	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2568	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2568	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2568	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2568	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 1096 wrote to memory of 2628	1096	ehIwdrF.exe	net.exe
PID 1096 wrote to memory of 2628	1096	ehIwdrF.exe	net.exe
PID 1096 wrote to memory of 2628	1096	ehIwdrF.exe	net.exe
PID 1096 wrote to memory of 2628	1096	ehIwdrF.exe	net.exe
PID 1096 wrote to memory of 2712	1096	ehIwdrF.exe	net.exe
PID 1096 wrote to memory of 2712	1096	ehIwdrF.exe	net.exe
PID 1096 wrote to memory of 2712	1096	ehIwdrF.exe	net.exe
PID 1096 wrote to memory of 2712	1096	ehIwdrF.exe	net.exe
PID 956 wrote to memory of 2732	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2732	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2732	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2732	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2740	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2740	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2740	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 2740	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 2576 wrote to memory of 2944	2576	net.exe	net1.exe
PID 2576 wrote to memory of 2944	2576	net.exe	net1.exe
PID 2576 wrote to memory of 2944	2576	net.exe	net1.exe
PID 2576 wrote to memory of 2944	2576	net.exe	net1.exe
PID 2732 wrote to memory of 2936	2732	net.exe	net1.exe
PID 2732 wrote to memory of 2936	2732	net.exe	net1.exe
PID 2732 wrote to memory of 2936	2732	net.exe	net1.exe
PID 2732 wrote to memory of 2936	2732	net.exe	net1.exe
PID 2740 wrote to memory of 2928	2740	net.exe	net1.exe
PID 2740 wrote to memory of 2928	2740	net.exe	net1.exe
PID 2740 wrote to memory of 2928	2740	net.exe	net1.exe
PID 2740 wrote to memory of 2928	2740	net.exe	net1.exe
PID 2712 wrote to memory of 2960	2712	net.exe	net1.exe
PID 2712 wrote to memory of 2960	2712	net.exe	net1.exe
PID 2712 wrote to memory of 2960	2712	net.exe	net1.exe
PID 2712 wrote to memory of 2960	2712	net.exe	net1.exe
PID 2628 wrote to memory of 2968	2628	net.exe	net1.exe
PID 2628 wrote to memory of 2968	2628	net.exe	net1.exe
PID 2628 wrote to memory of 2968	2628	net.exe	net1.exe
PID 2628 wrote to memory of 2968	2628	net.exe	net1.exe
PID 2568 wrote to memory of 2952	2568	net.exe	net1.exe
PID 2568 wrote to memory of 2952	2568	net.exe	net1.exe
PID 2568 wrote to memory of 2952	2568	net.exe	net1.exe
PID 2568 wrote to memory of 2952	2568	net.exe	net1.exe
PID 956 wrote to memory of 36324	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 36324	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 36324	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 36324	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 36684	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 36684	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 36684	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 956 wrote to memory of 36684	956	d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe	net.exe
PID 36684 wrote to memory of 36272	36684	net.exe	net1.exe
PID 36684 wrote to memory of 36272	36684	net.exe	net1.exe
PID 36684 wrote to memory of 36272	36684	net.exe	net1.exe
PID 36684 wrote to memory of 36272	36684	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe
"C:\Users\Admin\AppData\Local\Temp\d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\ehIwdrF.exe
"C:\Users\Admin\AppData\Local\Temp\ehIwdrF.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:2968

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:2960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:37360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:37384

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2936

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2928

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:36324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:36040

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:36684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:36272

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:37284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:37308

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:37320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:37348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
9f909c87c943643061f563964af0c430

SHA1
f5f309428d50e0d97ad9298f702258fd11e42b83

SHA256
3dc1de7393c37acbc12a27784d835c93195f1432b9a8e9187ef9eccfb0f4af74

SHA512
97041a378d31b6e6e528178c3a8b7c487e43f644960fadd7d2c41423a7c0bfa6295b1da7df3f8a18b0dbd3cf0309340e65315fd8999a478a7c1ce431d4fca863

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehIwdrF.exe
MD5
12147c94f3211733f893d31d587d4ad6

SHA1
708199a9a86894f464ec5a5d607ffb1093c096f4

SHA256
d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849

SHA512
3ef68160f44d16e3a305899d537773fdaace5ae6534eb185f3741bc2917f84457674a8bd1ad7db0c4b707a308f101cb3d49f7906bde7732dd26ed08cf9f6b1af

Download Submit
\Users\Admin\AppData\Local\Temp\ehIwdrF.exe
MD5
12147c94f3211733f893d31d587d4ad6

SHA1
708199a9a86894f464ec5a5d607ffb1093c096f4

SHA256
d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849

SHA512
3ef68160f44d16e3a305899d537773fdaace5ae6534eb185f3741bc2917f84457674a8bd1ad7db0c4b707a308f101cb3d49f7906bde7732dd26ed08cf9f6b1af

Download Submit
\Users\Admin\AppData\Local\Temp\ehIwdrF.exe
MD5
12147c94f3211733f893d31d587d4ad6

SHA1
708199a9a86894f464ec5a5d607ffb1093c096f4

SHA256
d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849

SHA512
3ef68160f44d16e3a305899d537773fdaace5ae6534eb185f3741bc2917f84457674a8bd1ad7db0c4b707a308f101cb3d49f7906bde7732dd26ed08cf9f6b1af

Download Submit
memory/956-55-0x0000000076B81000-0x0000000076B83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads