ryuk | c7f8289950b0d8aa97dceadf2a98aef51886710d56a5283b889c9ad191531028

General

Target

c7f8289950b0d8aa97dceadf2a98aef51886710d56a5283b889c9ad191531028.dll
Size

130KB
MD5

1e2b8973130672a1e739b035d30155b0
SHA1

b4f098806ac9060f0f4dd3d63e8d831c69be6c81
SHA256

c7f8289950b0d8aa97dceadf2a98aef51886710d56a5283b889c9ad191531028
SHA512

a4be4accd1f5a7ab4131b477f61565822f545cff1c89e6167de4f07fa7bb1a8204c87c7ad7a40c83ed54161f5f4e6853196bb843949222384efd561692e2c4be

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1164	PFeXAUzHLrep.exe
1148	UpHVkmBhClan.exe
968	oLKOhKLNOlan.exe

Loads dropped DLL 3 IoCs

pid	Process
1680	rundll32.exe
1680	rundll32.exe
1680	rundll32.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1964	icacls.exe
1924	icacls.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\oLKOhKLNOlan.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\oLKOhKLNOlan.exe	rundll32.exe
File created	C:\Windows\SysWOW64\PFeXAUzHLrep.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\PFeXAUzHLrep.exe	rundll32.exe
File created	C:\Windows\SysWOW64\UpHVkmBhClan.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\UpHVkmBhClan.exe	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RyukReadMe.html	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1680	1652	rundll32.exe	27
PID 1652 wrote to memory of 1680	1652	rundll32.exe	27
PID 1652 wrote to memory of 1680	1652	rundll32.exe	27
PID 1652 wrote to memory of 1680	1652	rundll32.exe	27
PID 1652 wrote to memory of 1680	1652	rundll32.exe	27
PID 1652 wrote to memory of 1680	1652	rundll32.exe	27
PID 1652 wrote to memory of 1680	1652	rundll32.exe	27
PID 1680 wrote to memory of 1164	1680	rundll32.exe	29
PID 1680 wrote to memory of 1164	1680	rundll32.exe	29
PID 1680 wrote to memory of 1164	1680	rundll32.exe	29
PID 1680 wrote to memory of 1164	1680	rundll32.exe	29
PID 1680 wrote to memory of 1148	1680	rundll32.exe	31
PID 1680 wrote to memory of 1148	1680	rundll32.exe	31
PID 1680 wrote to memory of 1148	1680	rundll32.exe	31
PID 1680 wrote to memory of 1148	1680	rundll32.exe	31
PID 1680 wrote to memory of 968	1680	rundll32.exe	32
PID 1680 wrote to memory of 968	1680	rundll32.exe	32
PID 1680 wrote to memory of 968	1680	rundll32.exe	32
PID 1680 wrote to memory of 968	1680	rundll32.exe	32
PID 1680 wrote to memory of 1964	1680	rundll32.exe	33
PID 1680 wrote to memory of 1964	1680	rundll32.exe	33
PID 1680 wrote to memory of 1964	1680	rundll32.exe	33
PID 1680 wrote to memory of 1964	1680	rundll32.exe	33
PID 1680 wrote to memory of 1924	1680	rundll32.exe	34
PID 1680 wrote to memory of 1924	1680	rundll32.exe	34
PID 1680 wrote to memory of 1924	1680	rundll32.exe	34
PID 1680 wrote to memory of 1924	1680	rundll32.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7f8289950b0d8aa97dceadf2a98aef51886710d56a5283b889c9ad191531028.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7f8289950b0d8aa97dceadf2a98aef51886710d56a5283b889c9ad191531028.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\PFeXAUzHLrep.exe
    "C:\Windows\SysWOW64\PFeXAUzHLrep.exe" 9 REP
    3⤵
    - Executes dropped EXE
    PID:1164
- - C:\Windows\SysWOW64\UpHVkmBhClan.exe
    "C:\Windows\SysWOW64\UpHVkmBhClan.exe" 8 LAN
    3⤵
    - Executes dropped EXE
    PID:1148
- - C:\Windows\SysWOW64\oLKOhKLNOlan.exe
    "C:\Windows\SysWOW64\oLKOhKLNOlan.exe" 8 LAN
    3⤵
    - Executes dropped EXE
    PID:968
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1964
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp

Filesize
8KB

Download
memory/1680-56-0x0000000035000000-0x0000000035028000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing