ryuk | b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32

General

Target

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
Size

168KB
MD5

26ffd8020e1ce334c259ff92457c8d66
SHA1

c62df79f5e481720ecd3d835d476f246759e6149
SHA256

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32
SHA512

9731d30073c293f20d50f9202c1b5266bbd13f6a2c77794b0e5fbb3765a01bd807a327063edf36533c880b0da4d57e4b8d99518e34f559453f83889ec21f6de5

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

pid	process
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

description	pid	process
Token: SeDebugPrivilege	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
Token: SeBackupPrivilege	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1608 wrote to memory of 1276	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	taskhost.exe
PID 1608 wrote to memory of 1372	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	Dwm.exe
PID 1608 wrote to memory of 1692	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 1692	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 1692	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 1692	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1692 wrote to memory of 1132	1692	net.exe	net1.exe
PID 1692 wrote to memory of 1132	1692	net.exe	net1.exe
PID 1692 wrote to memory of 1132	1692	net.exe	net1.exe
PID 1692 wrote to memory of 1132	1692	net.exe	net1.exe
PID 1608 wrote to memory of 812	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 812	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 812	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 812	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 812 wrote to memory of 1996	812	net.exe	net1.exe
PID 812 wrote to memory of 1996	812	net.exe	net1.exe
PID 812 wrote to memory of 1996	812	net.exe	net1.exe
PID 812 wrote to memory of 1996	812	net.exe	net1.exe
PID 1608 wrote to memory of 1620	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 1620	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 1620	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 1620	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1620 wrote to memory of 2128	1620	net.exe	net1.exe
PID 1620 wrote to memory of 2128	1620	net.exe	net1.exe
PID 1620 wrote to memory of 2128	1620	net.exe	net1.exe
PID 1620 wrote to memory of 2128	1620	net.exe	net1.exe
PID 1608 wrote to memory of 9324	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 9324	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 9324	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 9324	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 9324 wrote to memory of 9348	9324	net.exe	net1.exe
PID 9324 wrote to memory of 9348	9324	net.exe	net1.exe
PID 9324 wrote to memory of 9348	9324	net.exe	net1.exe
PID 9324 wrote to memory of 9348	9324	net.exe	net1.exe
PID 1608 wrote to memory of 9392	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 9392	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 9392	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 9392	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 9392 wrote to memory of 9420	9392	net.exe	net1.exe
PID 9392 wrote to memory of 9420	9392	net.exe	net1.exe
PID 9392 wrote to memory of 9420	9392	net.exe	net1.exe
PID 9392 wrote to memory of 9420	9392	net.exe	net1.exe
PID 1608 wrote to memory of 16520	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 16520	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 16520	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 16520	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 16520 wrote to memory of 16544	16520	net.exe	net1.exe
PID 16520 wrote to memory of 16544	16520	net.exe	net1.exe
PID 16520 wrote to memory of 16544	16520	net.exe	net1.exe
PID 16520 wrote to memory of 16544	16520	net.exe	net1.exe
PID 1608 wrote to memory of 25644	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 25644	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 25644	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 1608 wrote to memory of 25644	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 25644 wrote to memory of 25668	25644	net.exe	net1.exe
PID 25644 wrote to memory of 25668	25644	net.exe	net1.exe
PID 25644 wrote to memory of 25668	25644	net.exe	net1.exe
PID 25644 wrote to memory of 25668	25644	net.exe	net1.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1276

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
"C:\Users\Admin\AppData\Local\Temp\b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2128

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:9324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:9348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:9392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:9420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16544

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:25644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:25668

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-55-0x0000000030000000-0x00000000302D1000-memory.dmp

Filesize
2.8MB

Download
memory/1608-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads