ryuk | b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32

Analysis

max time kernel
179s
max time network
153s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
Size

168KB
MD5

26ffd8020e1ce334c259ff92457c8d66
SHA1

c62df79f5e481720ecd3d835d476f246759e6149
SHA256

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32
SHA512

9731d30073c293f20d50f9202c1b5266bbd13f6a2c77794b0e5fbb3765a01bd807a327063edf36533c880b0da4d57e4b8d99518e34f559453f83889ec21f6de5

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
Token: SeBackupPrivilege	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1276	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	19
PID 1608 wrote to memory of 1372	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	20
PID 1608 wrote to memory of 1692	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	29
PID 1608 wrote to memory of 1692	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	29
PID 1608 wrote to memory of 1692	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	29
PID 1608 wrote to memory of 1692	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	29
PID 1692 wrote to memory of 1132	1692	net.exe	31
PID 1692 wrote to memory of 1132	1692	net.exe	31
PID 1692 wrote to memory of 1132	1692	net.exe	31
PID 1692 wrote to memory of 1132	1692	net.exe	31
PID 1608 wrote to memory of 812	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	32
PID 1608 wrote to memory of 812	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	32
PID 1608 wrote to memory of 812	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	32
PID 1608 wrote to memory of 812	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	32
PID 812 wrote to memory of 1996	812	net.exe	34
PID 812 wrote to memory of 1996	812	net.exe	34
PID 812 wrote to memory of 1996	812	net.exe	34
PID 812 wrote to memory of 1996	812	net.exe	34
PID 1608 wrote to memory of 1620	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	35
PID 1608 wrote to memory of 1620	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	35
PID 1608 wrote to memory of 1620	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	35
PID 1608 wrote to memory of 1620	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	35
PID 1620 wrote to memory of 2128	1620	net.exe	37
PID 1620 wrote to memory of 2128	1620	net.exe	37
PID 1620 wrote to memory of 2128	1620	net.exe	37
PID 1620 wrote to memory of 2128	1620	net.exe	37
PID 1608 wrote to memory of 9324	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	39
PID 1608 wrote to memory of 9324	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	39
PID 1608 wrote to memory of 9324	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	39
PID 1608 wrote to memory of 9324	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	39
PID 9324 wrote to memory of 9348	9324	net.exe	41
PID 9324 wrote to memory of 9348	9324	net.exe	41
PID 9324 wrote to memory of 9348	9324	net.exe	41
PID 9324 wrote to memory of 9348	9324	net.exe	41
PID 1608 wrote to memory of 9392	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	42
PID 1608 wrote to memory of 9392	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	42
PID 1608 wrote to memory of 9392	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	42
PID 1608 wrote to memory of 9392	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	42
PID 9392 wrote to memory of 9420	9392	net.exe	44
PID 9392 wrote to memory of 9420	9392	net.exe	44
PID 9392 wrote to memory of 9420	9392	net.exe	44
PID 9392 wrote to memory of 9420	9392	net.exe	44
PID 1608 wrote to memory of 16520	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	45
PID 1608 wrote to memory of 16520	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	45
PID 1608 wrote to memory of 16520	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	45
PID 1608 wrote to memory of 16520	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	45
PID 16520 wrote to memory of 16544	16520	net.exe	47
PID 16520 wrote to memory of 16544	16520	net.exe	47
PID 16520 wrote to memory of 16544	16520	net.exe	47
PID 16520 wrote to memory of 16544	16520	net.exe	47
PID 1608 wrote to memory of 25644	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	48
PID 1608 wrote to memory of 25644	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	48
PID 1608 wrote to memory of 25644	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	48
PID 1608 wrote to memory of 25644	1608	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	48
PID 25644 wrote to memory of 25668	25644	net.exe	50
PID 25644 wrote to memory of 25668	25644	net.exe	50
PID 25644 wrote to memory of 25668	25644	net.exe	50
PID 25644 wrote to memory of 25668	25644	net.exe	50

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1276

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
"C:\Users\Admin\AppData\Local\Temp\b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1132
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1996
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2128
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:9324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:9348
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:9392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:9420
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16544
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:25644
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:25668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-55-0x0000000030000000-0x00000000302D1000-memory.dmp

Filesize
2.8MB

Download
memory/1608-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download