ryuk | cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478

General

Target

cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
Size

123KB
MD5

c22c2847e3318190b9c9f16dc4b044ca
SHA1

c6f8e944701b557a905754551cc939b9c4956bdc
SHA256

cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478
SHA512

2f1e14bfd5134760a62db30980b8541ead8ffe1ac244e2699d46b255b36299d0e87aab8281b7a08b0c77a9da45ab7a812cbd42147fcdf00246fe6f4afe251012

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2952 icacls.exe
3500 icacls.exe

pid	process
2952	icacls.exe
3500	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\RyukReadMe.html	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

3836 SCHTASKS.exe

pid	process
3836	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe

pid	process
3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.execmd.exe

description	pid	process	target process
PID 3420 wrote to memory of 3836	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	SCHTASKS.exe
PID 3420 wrote to memory of 3836	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	SCHTASKS.exe
PID 3420 wrote to memory of 3836	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	SCHTASKS.exe
PID 3420 wrote to memory of 2956	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 2956	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 2956	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 1824	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 1824	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 1824	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 4680	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 4680	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 4680	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 644	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 644	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 644	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	cmd.exe
PID 3420 wrote to memory of 3500	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 3420 wrote to memory of 3500	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 3420 wrote to memory of 3500	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 3420 wrote to memory of 2952	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 3420 wrote to memory of 2952	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 3420 wrote to memory of 2952	3420	cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe	icacls.exe
PID 2956 wrote to memory of 1360	2956	cmd.exe	WMIC.exe
PID 2956 wrote to memory of 1360	2956	cmd.exe	WMIC.exe
PID 2956 wrote to memory of 1360	2956	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe
"C:\Users\Admin\AppData\Local\Temp\cb6e0dcae5a36d4f8bf939b4928708f26453cdef324c205e809b6fec484cf478.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /CREATE /NP /SC DAILY /TN "Print6z" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\xnDai.dll" /ST 10:25 /SD 02/21/2022 /ED 02/28/2022
2⤵
- Creates scheduled task(s)
PID:3836