ryuk | c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d

General

Target

c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
Size

123KB
MD5

d1f9c714cf20a56b8d9098576b414a54
SHA1

0fa4bfde84904faa39e495719ee2b8082726cd69
SHA256

c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d
SHA512

8aac5846d4ee49e550064c2c10bd0ec3ee0606cef67654b88635c5bf51da97aa59a7ad29b48b0bbe4b1f3e429691e175824e117d957183fabcb0f6c1a00737e0

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'v2h23wYU3a'; $torlink = 'http://uxehdntwmf6g6fz6237ml4ka6ht4o2yx2dvmvnj36a6wisyxhrapnfqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://uxehdntwmf6g6fz6237ml4ka6ht4o2yx2dvmvnj36a6wisyxhrapnfqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
592	lYcQIXTbcrep.exe
1072	ChMApcjDnlan.exe
5612	icoRzHWvylan.exe

Loads dropped DLL 6 IoCs

pid	Process
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
42436	icacls.exe
42444	icacls.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RyukReadMe.html	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 592	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	29
PID 332 wrote to memory of 592	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	29
PID 332 wrote to memory of 592	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	29
PID 332 wrote to memory of 592	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	29
PID 332 wrote to memory of 1072	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	30
PID 332 wrote to memory of 1072	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	30
PID 332 wrote to memory of 1072	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	30
PID 332 wrote to memory of 1072	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	30
PID 332 wrote to memory of 5612	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	31
PID 332 wrote to memory of 5612	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	31
PID 332 wrote to memory of 5612	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	31
PID 332 wrote to memory of 5612	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	31
PID 332 wrote to memory of 42436	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	32
PID 332 wrote to memory of 42436	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	32
PID 332 wrote to memory of 42436	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	32
PID 332 wrote to memory of 42436	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	32
PID 332 wrote to memory of 42444	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	33
PID 332 wrote to memory of 42444	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	33
PID 332 wrote to memory of 42444	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	33
PID 332 wrote to memory of 42444	332	c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe	33

C:\Users\Admin\AppData\Local\Temp\c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe
"C:\Users\Admin\AppData\Local\Temp\c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:332
- C:\Users\Admin\AppData\Local\Temp\lYcQIXTbcrep.exe
  "C:\Users\Admin\AppData\Local\Temp\lYcQIXTbcrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Users\Admin\AppData\Local\Temp\ChMApcjDnlan.exe
  "C:\Users\Admin\AppData\Local\Temp\ChMApcjDnlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\icoRzHWvylan.exe
  "C:\Users\Admin\AppData\Local\Temp\icoRzHWvylan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:5612
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:42436
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:42444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/332-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing