ryuk | 943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1

Analysis

max time kernel
154s
max time network
119s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
Size

188KB
MD5

a17dd2f7ad9f6aceffe1cebe038035af
SHA1

3e792a39abc45eb3c10084e76c8ddaeb48cb2f93
SHA256

943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1
SHA512

1f968febf046ec88644d4ddfc9ba1e4180b9dad8b671f337ded2c350bbea73d2fd25b68741a649c4e0974e0db0b5bd8520092327f6b1f65b2361d2c0db859ede

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
668	ZZKOWPV.exe

Loads dropped DLL 2 IoCs

pid	Process
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
File opened (read-only)	\??\A:	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
668	ZZKOWPV.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
668	ZZKOWPV.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
668	ZZKOWPV.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
Token: SeBackupPrivilege	668	ZZKOWPV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 668	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	28
PID 1572 wrote to memory of 668	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	28
PID 1572 wrote to memory of 668	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	28
PID 1572 wrote to memory of 668	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	28
PID 1572 wrote to memory of 1744	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	30
PID 1572 wrote to memory of 1744	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	30
PID 1572 wrote to memory of 1744	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	30
PID 1572 wrote to memory of 1744	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	30
PID 1744 wrote to memory of 1356	1744	net.exe	32
PID 1744 wrote to memory of 1356	1744	net.exe	32
PID 1744 wrote to memory of 1356	1744	net.exe	32
PID 1744 wrote to memory of 1356	1744	net.exe	32
PID 1572 wrote to memory of 804	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	33
PID 1572 wrote to memory of 804	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	33
PID 1572 wrote to memory of 804	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	33
PID 1572 wrote to memory of 804	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	33
PID 804 wrote to memory of 296	804	net.exe	35
PID 804 wrote to memory of 296	804	net.exe	35
PID 804 wrote to memory of 296	804	net.exe	35
PID 804 wrote to memory of 296	804	net.exe	35
PID 1572 wrote to memory of 1940	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	36
PID 1572 wrote to memory of 1940	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	36
PID 1572 wrote to memory of 1940	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	36
PID 1572 wrote to memory of 1940	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	36
PID 1940 wrote to memory of 1608	1940	net.exe	38
PID 1940 wrote to memory of 1608	1940	net.exe	38
PID 1940 wrote to memory of 1608	1940	net.exe	38
PID 1940 wrote to memory of 1608	1940	net.exe	38
PID 668 wrote to memory of 1796	668	ZZKOWPV.exe	39
PID 668 wrote to memory of 1796	668	ZZKOWPV.exe	39
PID 668 wrote to memory of 1796	668	ZZKOWPV.exe	39
PID 668 wrote to memory of 1796	668	ZZKOWPV.exe	39
PID 1796 wrote to memory of 2024	1796	net.exe	41
PID 1796 wrote to memory of 2024	1796	net.exe	41
PID 1796 wrote to memory of 2024	1796	net.exe	41
PID 1796 wrote to memory of 2024	1796	net.exe	41
PID 1572 wrote to memory of 14256	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	42
PID 1572 wrote to memory of 14256	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	42
PID 1572 wrote to memory of 14256	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	42
PID 1572 wrote to memory of 14256	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	42
PID 14256 wrote to memory of 14224	14256	net.exe	44
PID 14256 wrote to memory of 14224	14256	net.exe	44
PID 14256 wrote to memory of 14224	14256	net.exe	44
PID 14256 wrote to memory of 14224	14256	net.exe	44
PID 1572 wrote to memory of 23284	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	45
PID 1572 wrote to memory of 23284	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	45
PID 1572 wrote to memory of 23284	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	45
PID 1572 wrote to memory of 23284	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	45
PID 23284 wrote to memory of 22808	23284	net.exe	47
PID 23284 wrote to memory of 22808	23284	net.exe	47
PID 23284 wrote to memory of 22808	23284	net.exe	47
PID 23284 wrote to memory of 22808	23284	net.exe	47
PID 668 wrote to memory of 27032	668	ZZKOWPV.exe	48
PID 668 wrote to memory of 27032	668	ZZKOWPV.exe	48
PID 668 wrote to memory of 27032	668	ZZKOWPV.exe	48
PID 668 wrote to memory of 27032	668	ZZKOWPV.exe	48
PID 27032 wrote to memory of 27056	27032	net.exe	50
PID 27032 wrote to memory of 27056	27032	net.exe	50
PID 27032 wrote to memory of 27056	27032	net.exe	50
PID 27032 wrote to memory of 27056	27032	net.exe	50
PID 1572 wrote to memory of 27100	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	51
PID 1572 wrote to memory of 27100	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	51
PID 1572 wrote to memory of 27100	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	51
PID 1572 wrote to memory of 27100	1572	943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe	51

C:\Users\Admin\AppData\Local\Temp\943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe
"C:\Users\Admin\AppData\Local\Temp\943a8b4e4811321db2013618261ae4b7ea7ec55b78afbe0bab7123e0ba4436f1.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\ZZKOWPV.exe
  "C:\Users\Admin\AppData\Local\Temp\ZZKOWPV.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2024
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:27032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:27056
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:45300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:45396
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1356
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:296
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1608
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:14256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:14224
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:23284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:22808
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:27100
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:27136
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:35508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:35532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1572-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download