ryuk | 92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d

General

Target

92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
Size

192KB
MD5

038fecb750d14f0a31fa83f3f95b7e88
SHA1

b5e793997283f6706d89f3f9f05389bd786c63b4
SHA256

92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d
SHA512

79263ae2f6489382995a9baab87aec46b91665221b6a837b642143587c095d8cf4a6f03c8f8a2883405ba16a750d987c374f88623d83fdd1d3d7467cf77c82ed

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

yXivCIQ.exe

pid process

1456 yXivCIQ.exe

pid	process
1456	yXivCIQ.exe

Loads dropped DLL 2 IoCs

Processes:

92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe

pid	process
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exeyXivCIQ.exe

pid	process
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
1456	yXivCIQ.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
1456	yXivCIQ.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
1456	yXivCIQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exeyXivCIQ.exe

description	pid	process
Token: SeBackupPrivilege	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
Token: SeBackupPrivilege	1456	yXivCIQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exeyXivCIQ.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 960 wrote to memory of 1456	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	yXivCIQ.exe
PID 960 wrote to memory of 1456	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	yXivCIQ.exe
PID 960 wrote to memory of 1456	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	yXivCIQ.exe
PID 960 wrote to memory of 1456	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	yXivCIQ.exe
PID 960 wrote to memory of 340	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 340	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 340	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 340	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 1836	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 1836	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 1836	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 1836	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 1456 wrote to memory of 1576	1456	yXivCIQ.exe	net.exe
PID 1456 wrote to memory of 1576	1456	yXivCIQ.exe	net.exe
PID 1456 wrote to memory of 1576	1456	yXivCIQ.exe	net.exe
PID 1456 wrote to memory of 1576	1456	yXivCIQ.exe	net.exe
PID 960 wrote to memory of 2080	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 2080	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 2080	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 2080	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 2072	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 2072	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 2072	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 2072	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 1456 wrote to memory of 2160	1456	yXivCIQ.exe	net.exe
PID 1456 wrote to memory of 2160	1456	yXivCIQ.exe	net.exe
PID 1456 wrote to memory of 2160	1456	yXivCIQ.exe	net.exe
PID 1456 wrote to memory of 2160	1456	yXivCIQ.exe	net.exe
PID 1576 wrote to memory of 2748	1576	net.exe	net1.exe
PID 1576 wrote to memory of 2748	1576	net.exe	net1.exe
PID 1576 wrote to memory of 2748	1576	net.exe	net1.exe
PID 1576 wrote to memory of 2748	1576	net.exe	net1.exe
PID 2072 wrote to memory of 2772	2072	net.exe	net1.exe
PID 2072 wrote to memory of 2772	2072	net.exe	net1.exe
PID 2072 wrote to memory of 2772	2072	net.exe	net1.exe
PID 2072 wrote to memory of 2772	2072	net.exe	net1.exe
PID 1836 wrote to memory of 2740	1836	net.exe	net1.exe
PID 1836 wrote to memory of 2740	1836	net.exe	net1.exe
PID 1836 wrote to memory of 2740	1836	net.exe	net1.exe
PID 1836 wrote to memory of 2740	1836	net.exe	net1.exe
PID 2160 wrote to memory of 2756	2160	net.exe	net1.exe
PID 2160 wrote to memory of 2756	2160	net.exe	net1.exe
PID 2160 wrote to memory of 2756	2160	net.exe	net1.exe
PID 2160 wrote to memory of 2756	2160	net.exe	net1.exe
PID 2080 wrote to memory of 2764	2080	net.exe	net1.exe
PID 2080 wrote to memory of 2764	2080	net.exe	net1.exe
PID 2080 wrote to memory of 2764	2080	net.exe	net1.exe
PID 2080 wrote to memory of 2764	2080	net.exe	net1.exe
PID 340 wrote to memory of 2780	340	net.exe	net1.exe
PID 340 wrote to memory of 2780	340	net.exe	net1.exe
PID 340 wrote to memory of 2780	340	net.exe	net1.exe
PID 340 wrote to memory of 2780	340	net.exe	net1.exe
PID 960 wrote to memory of 31084	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 31084	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 31084	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 31084	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 31120	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 31120	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 31120	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 960 wrote to memory of 31120	960	92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe	net.exe
PID 31120 wrote to memory of 31236	31120	net.exe	net1.exe
PID 31120 wrote to memory of 31236	31120	net.exe	net1.exe
PID 31120 wrote to memory of 31236	31120	net.exe	net1.exe
PID 31120 wrote to memory of 31236	31120	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe
"C:\Users\Admin\AppData\Local\Temp\92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\yXivCIQ.exe
"C:\Users\Admin\AppData\Local\Temp\yXivCIQ.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:2748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:2756

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:42752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:42776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2780

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2772

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2764

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:31120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:31236

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:31084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:31228

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:36656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:36704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:36648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:36696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
c335018c1bedd8bd7fed708df1b14c77

SHA1
4b5d6315b7db23996cd975f09aa93b0d16a85b14

SHA256
77efbe7c77e01a2d6de21c45c41bc84d9b67fcb9b35d01a52c58dd04e26efdc8

SHA512
0d013247aa49790a1461a80023a31137cdc05439e49bd15e737f07208133d2ae09dfd86a95498495cf0fea5beba186e2f6d703866027bd54f38c92f2a607234f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXivCIQ.exe
MD5
038fecb750d14f0a31fa83f3f95b7e88

SHA1
b5e793997283f6706d89f3f9f05389bd786c63b4

SHA256
92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d

SHA512
79263ae2f6489382995a9baab87aec46b91665221b6a837b642143587c095d8cf4a6f03c8f8a2883405ba16a750d987c374f88623d83fdd1d3d7467cf77c82ed

Download Submit
\Users\Admin\AppData\Local\Temp\yXivCIQ.exe
MD5
038fecb750d14f0a31fa83f3f95b7e88

SHA1
b5e793997283f6706d89f3f9f05389bd786c63b4

SHA256
92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d

SHA512
79263ae2f6489382995a9baab87aec46b91665221b6a837b642143587c095d8cf4a6f03c8f8a2883405ba16a750d987c374f88623d83fdd1d3d7467cf77c82ed

Download Submit
\Users\Admin\AppData\Local\Temp\yXivCIQ.exe
MD5
038fecb750d14f0a31fa83f3f95b7e88

SHA1
b5e793997283f6706d89f3f9f05389bd786c63b4

SHA256
92815ba6471287eb405fe74ee85ed000821d4d6f8c9a0154b289be8b2e7c7e5d

SHA512
79263ae2f6489382995a9baab87aec46b91665221b6a837b642143587c095d8cf4a6f03c8f8a2883405ba16a750d987c374f88623d83fdd1d3d7467cf77c82ed

Download Submit
memory/960-55-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/1456-62-0x000000000E140000-0x000000000EBFA000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads