ryuk | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c

Analysis

max time kernel
167s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
Size

191KB
MD5

856961d44f9e6775ad573cf58c438a2a
SHA1

818bbf02fd1bd0eda9ee62c73b63266bf859e699
SHA256

aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c
SHA512

d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

gimaDgm.exe

pid process

1072 gimaDgm.exe

pid	process
1072	gimaDgm.exe

Loads dropped DLL 6 IoCs

Processes:

aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exeWerFault.exe

pid	process
1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

15876 1072 WerFault.exe gimaDgm.exe
Runs net.exe

pid	pid_target	process	target process
15876	1072	WerFault.exe	gimaDgm.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exegimaDgm.exeWerFault.exe

pid	process
1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
1072	gimaDgm.exe
1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
1072	gimaDgm.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
15876	WerFault.exe
1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exegimaDgm.exeWerFault.exe

description	pid	process
Token: SeBackupPrivilege	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
Token: SeBackupPrivilege	1072	gimaDgm.exe
Token: SeDebugPrivilege	15876	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exegimaDgm.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1404 wrote to memory of 1072	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	gimaDgm.exe
PID 1404 wrote to memory of 1072	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	gimaDgm.exe
PID 1404 wrote to memory of 1072	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	gimaDgm.exe
PID 1404 wrote to memory of 1072	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	gimaDgm.exe
PID 1404 wrote to memory of 2204	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2204	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2204	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2204	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1072 wrote to memory of 2212	1072	gimaDgm.exe	net.exe
PID 1072 wrote to memory of 2212	1072	gimaDgm.exe	net.exe
PID 1072 wrote to memory of 2212	1072	gimaDgm.exe	net.exe
PID 1072 wrote to memory of 2212	1072	gimaDgm.exe	net.exe
PID 1404 wrote to memory of 2220	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2220	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2220	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2220	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2288	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2288	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2288	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2288	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2296	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2296	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2296	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 2296	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1072 wrote to memory of 2304	1072	gimaDgm.exe	net.exe
PID 1072 wrote to memory of 2304	1072	gimaDgm.exe	net.exe
PID 1072 wrote to memory of 2304	1072	gimaDgm.exe	net.exe
PID 1072 wrote to memory of 2304	1072	gimaDgm.exe	net.exe
PID 2204 wrote to memory of 2820	2204	net.exe	net1.exe
PID 2204 wrote to memory of 2820	2204	net.exe	net1.exe
PID 2204 wrote to memory of 2820	2204	net.exe	net1.exe
PID 2204 wrote to memory of 2820	2204	net.exe	net1.exe
PID 2212 wrote to memory of 2828	2212	net.exe	net1.exe
PID 2212 wrote to memory of 2828	2212	net.exe	net1.exe
PID 2212 wrote to memory of 2828	2212	net.exe	net1.exe
PID 2212 wrote to memory of 2828	2212	net.exe	net1.exe
PID 2288 wrote to memory of 2860	2288	net.exe	net1.exe
PID 2288 wrote to memory of 2860	2288	net.exe	net1.exe
PID 2288 wrote to memory of 2860	2288	net.exe	net1.exe
PID 2288 wrote to memory of 2860	2288	net.exe	net1.exe
PID 2296 wrote to memory of 2836	2296	net.exe	net1.exe
PID 2296 wrote to memory of 2836	2296	net.exe	net1.exe
PID 2296 wrote to memory of 2836	2296	net.exe	net1.exe
PID 2296 wrote to memory of 2836	2296	net.exe	net1.exe
PID 2304 wrote to memory of 2852	2304	net.exe	net1.exe
PID 2304 wrote to memory of 2852	2304	net.exe	net1.exe
PID 2304 wrote to memory of 2852	2304	net.exe	net1.exe
PID 2304 wrote to memory of 2852	2304	net.exe	net1.exe
PID 2220 wrote to memory of 2844	2220	net.exe	net1.exe
PID 2220 wrote to memory of 2844	2220	net.exe	net1.exe
PID 2220 wrote to memory of 2844	2220	net.exe	net1.exe
PID 2220 wrote to memory of 2844	2220	net.exe	net1.exe
PID 1072 wrote to memory of 15876	1072	gimaDgm.exe	WerFault.exe
PID 1072 wrote to memory of 15876	1072	gimaDgm.exe	WerFault.exe
PID 1072 wrote to memory of 15876	1072	gimaDgm.exe	WerFault.exe
PID 1072 wrote to memory of 15876	1072	gimaDgm.exe	WerFault.exe
PID 1404 wrote to memory of 15952	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 15952	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 15952	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 15952	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 15960	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 15960	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 15960	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe
PID 1404 wrote to memory of 15960	1404	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
"C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\gimaDgm.exe
"C:\Users\Admin\AppData\Local\Temp\gimaDgm.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:2828

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 17052
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:15876

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2844

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2836

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:15960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16008

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:15952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16000

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:20872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:20920

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:20880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:20928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2329389628-4064185017-3901522362-1000\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
1acc3c1ef21d045cd29a81a1ae83ae80

SHA1
fbbfd9b338875e79522f139cfac1ef696a50527b

SHA256
de569f619870bb738523da38b9526bf6760b479a8d50f9cc2a78eed10493a758

SHA512
e1a98d2ab5cf95420fa7f6f96e39aade374f87d455530468286baf9ad78f40e8aa9f18c1e4d7710c37bc2dba6e73a6a89c31ab2a8134e663ec07adff41363dbf

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
eeae33f6319833acff6ed78524dc44b8

SHA1
1471f98e6d9081874d5a6da23060dceadcfbe5b9

SHA256
f4e7d2847e6f43ad0039338ec59480ed2e949706bc8141e26c9a3a2b5eb7ead1

SHA512
8f1da0d82c255239e85e8173603a9c7e2089bee3533bf49dfa22748f5528737d1745b7d80e07b77edf322a3e3253599bf42cf11b8dbd8524b8fe7ce9f6671add

Download Submit
C:\Users\Admin\AppData\Local\Temp\gimaDgm.exe
MD5
856961d44f9e6775ad573cf58c438a2a

SHA1
818bbf02fd1bd0eda9ee62c73b63266bf859e699

SHA256
aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c

SHA512
d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gimaDgm.exe
MD5
856961d44f9e6775ad573cf58c438a2a

SHA1
818bbf02fd1bd0eda9ee62c73b63266bf859e699

SHA256
aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c

SHA512
d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e

Download Submit
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
MD5
856961d44f9e6775ad573cf58c438a2a

SHA1
818bbf02fd1bd0eda9ee62c73b63266bf859e699

SHA256
aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c

SHA512
d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e

Download Submit
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
MD5
856961d44f9e6775ad573cf58c438a2a

SHA1
818bbf02fd1bd0eda9ee62c73b63266bf859e699

SHA256
aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c

SHA512
d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e

Download Submit
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
MD5
856961d44f9e6775ad573cf58c438a2a

SHA1
818bbf02fd1bd0eda9ee62c73b63266bf859e699

SHA256
aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c

SHA512
d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e

Download Submit
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
MD5
856961d44f9e6775ad573cf58c438a2a

SHA1
818bbf02fd1bd0eda9ee62c73b63266bf859e699

SHA256
aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c

SHA512
d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e

Download Submit
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
MD5
856961d44f9e6775ad573cf58c438a2a

SHA1
818bbf02fd1bd0eda9ee62c73b63266bf859e699

SHA256
aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c

SHA512
d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e

Download Submit
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
MD5
856961d44f9e6775ad573cf58c438a2a

SHA1
818bbf02fd1bd0eda9ee62c73b63266bf859e699

SHA256
aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c

SHA512
d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e

Download Submit
memory/1404-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download