ryuk | 943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1

General

Target

943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
Size

188KB
MD5

a17dd2f7ad9f6aceffe1cebe038035af
SHA1

3e792a39abc45eb3c10084e76c8ddaeb48cb2f93
SHA256

943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1
SHA512

1f968febf046ec88644d4ddfc9ba1e4180b9dad8b671f337ded2c350bbea73d2fd25b68741a649c4e0974e0db0b5bd8520092327f6b1f65b2361d2c0db859ede

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

ZZKOWPV.exe

pid process

668 ZZKOWPV.exe

pid	process
668	ZZKOWPV.exe

Loads dropped DLL 2 IoCs

Processes:

943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe

pid	process
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe

description	ioc	process
File opened (read-only)	\??\a:	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
File opened (read-only)	\??\A:	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exeZZKOWPV.exe

pid	process
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
668	ZZKOWPV.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
668	ZZKOWPV.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
668	ZZKOWPV.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exeZZKOWPV.exe

description	pid	process
Token: SeBackupPrivilege	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
Token: SeBackupPrivilege	668	ZZKOWPV.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exenet.exenet.exenet.exeZZKOWPV.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1572 wrote to memory of 668	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	ZZKOWPV.exe
PID 1572 wrote to memory of 668	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	ZZKOWPV.exe
PID 1572 wrote to memory of 668	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	ZZKOWPV.exe
PID 1572 wrote to memory of 668	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	ZZKOWPV.exe
PID 1572 wrote to memory of 1744	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 1744	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 1744	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 1744	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1744 wrote to memory of 1356	1744	net.exe	net1.exe
PID 1744 wrote to memory of 1356	1744	net.exe	net1.exe
PID 1744 wrote to memory of 1356	1744	net.exe	net1.exe
PID 1744 wrote to memory of 1356	1744	net.exe	net1.exe
PID 1572 wrote to memory of 804	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 804	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 804	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 804	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 804 wrote to memory of 296	804	net.exe	net1.exe
PID 804 wrote to memory of 296	804	net.exe	net1.exe
PID 804 wrote to memory of 296	804	net.exe	net1.exe
PID 804 wrote to memory of 296	804	net.exe	net1.exe
PID 1572 wrote to memory of 1940	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 1940	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 1940	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 1940	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1940 wrote to memory of 1608	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1608	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1608	1940	net.exe	net1.exe
PID 1940 wrote to memory of 1608	1940	net.exe	net1.exe
PID 668 wrote to memory of 1796	668	ZZKOWPV.exe	net.exe
PID 668 wrote to memory of 1796	668	ZZKOWPV.exe	net.exe
PID 668 wrote to memory of 1796	668	ZZKOWPV.exe	net.exe
PID 668 wrote to memory of 1796	668	ZZKOWPV.exe	net.exe
PID 1796 wrote to memory of 2024	1796	net.exe	net1.exe
PID 1796 wrote to memory of 2024	1796	net.exe	net1.exe
PID 1796 wrote to memory of 2024	1796	net.exe	net1.exe
PID 1796 wrote to memory of 2024	1796	net.exe	net1.exe
PID 1572 wrote to memory of 14256	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 14256	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 14256	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 14256	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 14256 wrote to memory of 14224	14256	net.exe	net1.exe
PID 14256 wrote to memory of 14224	14256	net.exe	net1.exe
PID 14256 wrote to memory of 14224	14256	net.exe	net1.exe
PID 14256 wrote to memory of 14224	14256	net.exe	net1.exe
PID 1572 wrote to memory of 23284	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 23284	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 23284	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 23284	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 23284 wrote to memory of 22808	23284	net.exe	net1.exe
PID 23284 wrote to memory of 22808	23284	net.exe	net1.exe
PID 23284 wrote to memory of 22808	23284	net.exe	net1.exe
PID 23284 wrote to memory of 22808	23284	net.exe	net1.exe
PID 668 wrote to memory of 27032	668	ZZKOWPV.exe	net.exe
PID 668 wrote to memory of 27032	668	ZZKOWPV.exe	net.exe
PID 668 wrote to memory of 27032	668	ZZKOWPV.exe	net.exe
PID 668 wrote to memory of 27032	668	ZZKOWPV.exe	net.exe
PID 27032 wrote to memory of 27056	27032	net.exe	net1.exe
PID 27032 wrote to memory of 27056	27032	net.exe	net1.exe
PID 27032 wrote to memory of 27056	27032	net.exe	net1.exe
PID 27032 wrote to memory of 27056	27032	net.exe	net1.exe
PID 1572 wrote to memory of 27100	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 27100	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 27100	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe
PID 1572 wrote to memory of 27100	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
"C:\Users\Admin\AppData\Local\Temp\943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\ZZKOWPV.exe
  "C:\Users\Admin\AppData\Local\Temp\ZZKOWPV.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2024
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:27032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:27056
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:45300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:45396
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1356
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:296
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1608
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:14256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:14224
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:23284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:22808
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:27100
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:27136
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:35508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:35532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
5800540c6004379d2481fc21c3dd0dee

SHA1
054e9529478c151ea7212a18e19b48cf99f85413

SHA256
249f6711f87d25292231bebe920b762824f1ac24e83af045cea72543fa416f6d

SHA512
3dd6dcd748ffd913425c911af3730865de5ae0cef41442be89f1b10302ac5a17e851640f6634ff916600b4c1bc2db0e80fe2bf774c021a1f6ff14589f8962dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZKOWPV.exe

MD5
a17dd2f7ad9f6aceffe1cebe038035af

SHA1
3e792a39abc45eb3c10084e76c8ddaeb48cb2f93

SHA256
943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1

SHA512
1f968febf046ec88644d4ddfc9ba1e4180b9dad8b671f337ded2c350bbea73d2fd25b68741a649c4e0974e0db0b5bd8520092327f6b1f65b2361d2c0db859ede

Download Submit
\Users\Admin\AppData\Local\Temp\ZZKOWPV.exe

MD5
a17dd2f7ad9f6aceffe1cebe038035af

SHA1
3e792a39abc45eb3c10084e76c8ddaeb48cb2f93

SHA256
943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1

SHA512
1f968febf046ec88644d4ddfc9ba1e4180b9dad8b671f337ded2c350bbea73d2fd25b68741a649c4e0974e0db0b5bd8520092327f6b1f65b2361d2c0db859ede

Download Submit
\Users\Admin\AppData\Local\Temp\ZZKOWPV.exe

MD5
a17dd2f7ad9f6aceffe1cebe038035af

SHA1
3e792a39abc45eb3c10084e76c8ddaeb48cb2f93

SHA256
943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1

SHA512
1f968febf046ec88644d4ddfc9ba1e4180b9dad8b671f337ded2c350bbea73d2fd25b68741a649c4e0974e0db0b5bd8520092327f6b1f65b2361d2c0db859ede

Download Submit
memory/1572-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads