ryuk | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c

Analysis

max time kernel
227s
max time network
242s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
Size

191KB
MD5

856961d44f9e6775ad573cf58c438a2a
SHA1

818bbf02fd1bd0eda9ee62c73b63266bf859e699
SHA256

aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c
SHA512

d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
2176	UyLcPnD.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	UyLcPnD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
2176	UyLcPnD.exe
2176	UyLcPnD.exe
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
2176	UyLcPnD.exe
2176	UyLcPnD.exe
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2176	UyLcPnD.exe
Token: SeBackupPrivilege	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 2176	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	84
PID 4448 wrote to memory of 2176	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	84
PID 4448 wrote to memory of 2176	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	84
PID 4448 wrote to memory of 480	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	85
PID 4448 wrote to memory of 480	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	85
PID 4448 wrote to memory of 480	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	85
PID 4448 wrote to memory of 3484	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	87
PID 4448 wrote to memory of 3484	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	87
PID 4448 wrote to memory of 3484	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	87
PID 480 wrote to memory of 5064	480	net.exe	89
PID 480 wrote to memory of 5064	480	net.exe	89
PID 480 wrote to memory of 5064	480	net.exe	89
PID 3484 wrote to memory of 3044	3484	net.exe	90
PID 3484 wrote to memory of 3044	3484	net.exe	90
PID 3484 wrote to memory of 3044	3484	net.exe	90
PID 4448 wrote to memory of 3448	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	91
PID 4448 wrote to memory of 3448	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	91
PID 4448 wrote to memory of 3448	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	91
PID 3448 wrote to memory of 4740	3448	net.exe	93
PID 3448 wrote to memory of 4740	3448	net.exe	93
PID 3448 wrote to memory of 4740	3448	net.exe	93
PID 4448 wrote to memory of 3496	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	94
PID 4448 wrote to memory of 3496	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	94
PID 4448 wrote to memory of 3496	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	94
PID 2176 wrote to memory of 3344	2176	UyLcPnD.exe	96
PID 2176 wrote to memory of 3344	2176	UyLcPnD.exe	96
PID 2176 wrote to memory of 3344	2176	UyLcPnD.exe	96
PID 3496 wrote to memory of 864	3496	net.exe	98
PID 3496 wrote to memory of 864	3496	net.exe	98
PID 3496 wrote to memory of 864	3496	net.exe	98
PID 3344 wrote to memory of 2856	3344	net.exe	99
PID 3344 wrote to memory of 2856	3344	net.exe	99
PID 3344 wrote to memory of 2856	3344	net.exe	99
PID 2176 wrote to memory of 2392	2176	UyLcPnD.exe	100
PID 2176 wrote to memory of 2392	2176	UyLcPnD.exe	100
PID 2176 wrote to memory of 2392	2176	UyLcPnD.exe	100
PID 2392 wrote to memory of 3852	2392	net.exe	102
PID 2392 wrote to memory of 3852	2392	net.exe	102
PID 2392 wrote to memory of 3852	2392	net.exe	102
PID 4448 wrote to memory of 10892	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	105
PID 4448 wrote to memory of 10892	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	105
PID 4448 wrote to memory of 10892	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	105
PID 4448 wrote to memory of 10896	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	104
PID 4448 wrote to memory of 10896	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	104
PID 4448 wrote to memory of 10896	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	104
PID 10896 wrote to memory of 11060	10896	net.exe	108
PID 10896 wrote to memory of 11060	10896	net.exe	108
PID 10896 wrote to memory of 11060	10896	net.exe	108
PID 10892 wrote to memory of 11012	10892	net.exe	109
PID 10892 wrote to memory of 11012	10892	net.exe	109
PID 10892 wrote to memory of 11012	10892	net.exe	109
PID 4448 wrote to memory of 1480	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	112
PID 4448 wrote to memory of 1480	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	112
PID 4448 wrote to memory of 1480	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	112
PID 4448 wrote to memory of 5464	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	111
PID 4448 wrote to memory of 5464	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	111
PID 4448 wrote to memory of 5464	4448	aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe	111
PID 1480 wrote to memory of 4756	1480	net.exe	115
PID 1480 wrote to memory of 4756	1480	net.exe	115
PID 1480 wrote to memory of 4756	1480	net.exe	115
PID 5464 wrote to memory of 4752	5464	net.exe	116
PID 5464 wrote to memory of 4752	5464	net.exe	116
PID 5464 wrote to memory of 4752	5464	net.exe	116

C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
"C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Local\Temp\UyLcPnD.exe
  "C:\Users\Admin\AppData\Local\Temp\UyLcPnD.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2856
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:3852
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5064
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3044
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4740
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:864
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:11060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:11012
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4752
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads