ryuk | b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32

General

Target

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
Size

168KB
MD5

26ffd8020e1ce334c259ff92457c8d66
SHA1

c62df79f5e481720ecd3d835d476f246759e6149
SHA256

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32
SHA512

9731d30073c293f20d50f9202c1b5266bbd13f6a2c77794b0e5fbb3765a01bd807a327063edf36533c880b0da4d57e4b8d99518e34f559453f83889ec21f6de5

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

pid	process
4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

description	pid	process
Token: SeDebugPrivilege	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
Token: SeBackupPrivilege	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4904 wrote to memory of 2336	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	svchost.exe
PID 4904 wrote to memory of 2344	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	sihost.exe
PID 4904 wrote to memory of 2432	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	taskhostw.exe
PID 4904 wrote to memory of 2972	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	svchost.exe
PID 4904 wrote to memory of 3260	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	DllHost.exe
PID 4904 wrote to memory of 3348	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	StartMenuExperienceHost.exe
PID 4904 wrote to memory of 3424	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	RuntimeBroker.exe
PID 4904 wrote to memory of 3508	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	SearchApp.exe
PID 4904 wrote to memory of 3708	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	RuntimeBroker.exe
PID 4904 wrote to memory of 3660	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	RuntimeBroker.exe
PID 4904 wrote to memory of 1324	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	backgroundTaskHost.exe
PID 4904 wrote to memory of 392	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	RuntimeBroker.exe
PID 4904 wrote to memory of 2784	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 4904 wrote to memory of 2784	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 4904 wrote to memory of 2784	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 4904 wrote to memory of 1272	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 4904 wrote to memory of 1272	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 4904 wrote to memory of 1272	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 4904 wrote to memory of 4752	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 4904 wrote to memory of 4752	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 4904 wrote to memory of 4752	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 4904 wrote to memory of 4452	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 4904 wrote to memory of 4452	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 4904 wrote to memory of 4452	4904	b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe	net.exe
PID 2784 wrote to memory of 3916	2784	net.exe	net1.exe
PID 2784 wrote to memory of 3916	2784	net.exe	net1.exe
PID 2784 wrote to memory of 3916	2784	net.exe	net1.exe
PID 1272 wrote to memory of 2412	1272	net.exe	net1.exe
PID 1272 wrote to memory of 2412	1272	net.exe	net1.exe
PID 1272 wrote to memory of 2412	1272	net.exe	net1.exe
PID 4452 wrote to memory of 1704	4452	net.exe	net1.exe
PID 4452 wrote to memory of 1704	4452	net.exe	net1.exe
PID 4452 wrote to memory of 1704	4452	net.exe	net1.exe
PID 4752 wrote to memory of 860	4752	net.exe	net1.exe
PID 4752 wrote to memory of 860	4752	net.exe	net1.exe
PID 4752 wrote to memory of 860	4752	net.exe	net1.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1324

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
"C:\Users\Admin\AppData\Local\Temp\b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2412

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:860

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2972

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2432

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads