ryuk | 92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d

Analysis

max time kernel
170s
max time network
147s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
Size

192KB
MD5

038fecb750d14f0a31fa83f3f95b7e88
SHA1

b5e793997283f6706d89f3f9f05389bd786c63b4
SHA256

92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d
SHA512

79263ae2f6489382995a9baab87aec46b91665221b6a837b642143587c095d8cf4a6f03c8f8a2883405ba16a750d987c374f88623d83fdd1d3d7467cf77c82ed

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
1456	yXivCIQ.exe

Loads dropped DLL 2 IoCs

pid	Process
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
1456	yXivCIQ.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
1456	yXivCIQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
Token: SeBackupPrivilege	1456	yXivCIQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1456	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	27
PID 960 wrote to memory of 1456	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	27
PID 960 wrote to memory of 1456	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	27
PID 960 wrote to memory of 1456	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	27
PID 960 wrote to memory of 340	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	28
PID 960 wrote to memory of 340	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	28
PID 960 wrote to memory of 340	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	28
PID 960 wrote to memory of 340	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	28
PID 960 wrote to memory of 1836	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	29
PID 960 wrote to memory of 1836	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	29
PID 960 wrote to memory of 1836	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	29
PID 960 wrote to memory of 1836	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	29
PID 1456 wrote to memory of 1576	1456	yXivCIQ.exe	32
PID 1456 wrote to memory of 1576	1456	yXivCIQ.exe	32
PID 1456 wrote to memory of 1576	1456	yXivCIQ.exe	32
PID 1456 wrote to memory of 1576	1456	yXivCIQ.exe	32
PID 960 wrote to memory of 2080	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	35
PID 960 wrote to memory of 2080	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	35
PID 960 wrote to memory of 2080	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	35
PID 960 wrote to memory of 2080	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	35
PID 960 wrote to memory of 2072	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	34
PID 960 wrote to memory of 2072	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	34
PID 960 wrote to memory of 2072	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	34
PID 960 wrote to memory of 2072	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	34
PID 1456 wrote to memory of 2160	1456	yXivCIQ.exe	38
PID 1456 wrote to memory of 2160	1456	yXivCIQ.exe	38
PID 1456 wrote to memory of 2160	1456	yXivCIQ.exe	38
PID 1456 wrote to memory of 2160	1456	yXivCIQ.exe	38
PID 1576 wrote to memory of 2748	1576	net.exe	47
PID 1576 wrote to memory of 2748	1576	net.exe	47
PID 1576 wrote to memory of 2748	1576	net.exe	47
PID 1576 wrote to memory of 2748	1576	net.exe	47
PID 2072 wrote to memory of 2772	2072	net.exe	42
PID 2072 wrote to memory of 2772	2072	net.exe	42
PID 2072 wrote to memory of 2772	2072	net.exe	42
PID 2072 wrote to memory of 2772	2072	net.exe	42
PID 1836 wrote to memory of 2740	1836	net.exe	46
PID 1836 wrote to memory of 2740	1836	net.exe	46
PID 1836 wrote to memory of 2740	1836	net.exe	46
PID 1836 wrote to memory of 2740	1836	net.exe	46
PID 2160 wrote to memory of 2756	2160	net.exe	43
PID 2160 wrote to memory of 2756	2160	net.exe	43
PID 2160 wrote to memory of 2756	2160	net.exe	43
PID 2160 wrote to memory of 2756	2160	net.exe	43
PID 2080 wrote to memory of 2764	2080	net.exe	45
PID 2080 wrote to memory of 2764	2080	net.exe	45
PID 2080 wrote to memory of 2764	2080	net.exe	45
PID 2080 wrote to memory of 2764	2080	net.exe	45
PID 340 wrote to memory of 2780	340	net.exe	44
PID 340 wrote to memory of 2780	340	net.exe	44
PID 340 wrote to memory of 2780	340	net.exe	44
PID 340 wrote to memory of 2780	340	net.exe	44
PID 960 wrote to memory of 31084	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	49
PID 960 wrote to memory of 31084	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	49
PID 960 wrote to memory of 31084	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	49
PID 960 wrote to memory of 31084	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	49
PID 960 wrote to memory of 31120	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	48
PID 960 wrote to memory of 31120	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	48
PID 960 wrote to memory of 31120	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	48
PID 960 wrote to memory of 31120	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	48
PID 31120 wrote to memory of 31236	31120	net.exe	52
PID 31120 wrote to memory of 31236	31120	net.exe	52
PID 31120 wrote to memory of 31236	31120	net.exe	52
PID 31120 wrote to memory of 31236	31120	net.exe	52

C:\Users\Admin\AppData\Local\Temp\92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
"C:\Users\Admin\AppData\Local\Temp\92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\yXivCIQ.exe
  "C:\Users\Admin\AppData\Local\Temp\yXivCIQ.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2748
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2756
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:42752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:42776
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2780
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2740
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2772
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2764
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:31120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:31236
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:31084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:31228
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:36656
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:36704
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:36648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:36696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-55-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/1456-62-0x000000000E140000-0x000000000EBFA000-memory.dmp

Filesize
10.7MB

Download