ryuk | 9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316

General

Target

9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
Size

121KB
MD5

a846277644734a79f5367050e39508dd
SHA1

cecc43a1fab79846fb2a1790a95ac6a4c5d66579
SHA256

9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316
SHA512

92b9a790e192b68afae0a2b5cfd3d29de41fcb4e5f2724f2f468790afce7b95b7ffe8124784f9d3552b97fdf75ff534723bffefe99ccbb6f8fb789bbd46faf47

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1344	JGJdWfLTDrep.exe
1576	DBbkkVVNNlan.exe
5624	jZZFLUWyalan.exe

Loads dropped DLL 6 IoCs

pid	Process
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
30288	icacls.exe
30296	icacls.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RyukReadMe.html	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1344	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	29
PID 1792 wrote to memory of 1344	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	29
PID 1792 wrote to memory of 1344	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	29
PID 1792 wrote to memory of 1344	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	29
PID 1792 wrote to memory of 1576	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	30
PID 1792 wrote to memory of 1576	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	30
PID 1792 wrote to memory of 1576	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	30
PID 1792 wrote to memory of 1576	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	30
PID 1792 wrote to memory of 5624	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	31
PID 1792 wrote to memory of 5624	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	31
PID 1792 wrote to memory of 5624	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	31
PID 1792 wrote to memory of 5624	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	31
PID 1792 wrote to memory of 30288	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	32
PID 1792 wrote to memory of 30288	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	32
PID 1792 wrote to memory of 30288	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	32
PID 1792 wrote to memory of 30288	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	32
PID 1792 wrote to memory of 30296	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	33
PID 1792 wrote to memory of 30296	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	33
PID 1792 wrote to memory of 30296	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	33
PID 1792 wrote to memory of 30296	1792	9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe	33

C:\Users\Admin\AppData\Local\Temp\9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe
"C:\Users\Admin\AppData\Local\Temp\9513433ce6dbc871cdcca5cfb9be3c3b3f023331553f5b7bb996b47e1c39c316.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\JGJdWfLTDrep.exe
  "C:\Users\Admin\AppData\Local\Temp\JGJdWfLTDrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Users\Admin\AppData\Local\Temp\DBbkkVVNNlan.exe
  "C:\Users\Admin\AppData\Local\Temp\DBbkkVVNNlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Users\Admin\AppData\Local\Temp\jZZFLUWyalan.exe
  "C:\Users\Admin\AppData\Local\Temp\jZZFLUWyalan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:5624
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:30288
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:30296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-54-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download
memory/1792-83-0x000000000A770000-0x000000000B22A000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing