ryuk | 7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4

Analysis

max time kernel
171s
max time network
158s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
Size

200KB
MD5

f137ba372038184053d680941a2da136
SHA1

0ff2395df05c29dceeb23d6cce12798997b47b96
SHA256

7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4
SHA512

9669b187a8aa8f88954765c1fc1c9ad343bbbbda0455e0e15bd86697c23d7e2a649732498b9bd3fc8a0cdb455f57224c40374155b83031a386daec2ad88f5ab7

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
1100	bpRnFes.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
432	icacls.exe
2248	icacls.exe
2256	icacls.exe
776	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1172	vssadmin.exe
2328	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1100	bpRnFes.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1100	bpRnFes.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
1100	bpRnFes.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
Token: SeBackupPrivilege	1896	vssvc.exe
Token: SeRestorePrivilege	1896	vssvc.exe
Token: SeAuditPrivilege	1896	vssvc.exe
Token: SeBackupPrivilege	1100	bpRnFes.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1100	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	27
PID 1388 wrote to memory of 1100	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	27
PID 1388 wrote to memory of 1100	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	27
PID 1388 wrote to memory of 1100	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	27
PID 1388 wrote to memory of 772	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	28
PID 1388 wrote to memory of 772	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	28
PID 1388 wrote to memory of 772	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	28
PID 1388 wrote to memory of 772	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	28
PID 772 wrote to memory of 1372	772	net.exe	30
PID 772 wrote to memory of 1372	772	net.exe	30
PID 772 wrote to memory of 1372	772	net.exe	30
PID 772 wrote to memory of 1372	772	net.exe	30
PID 1388 wrote to memory of 1556	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	31
PID 1388 wrote to memory of 1556	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	31
PID 1388 wrote to memory of 1556	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	31
PID 1388 wrote to memory of 1556	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	31
PID 1556 wrote to memory of 876	1556	net.exe	33
PID 1556 wrote to memory of 876	1556	net.exe	33
PID 1556 wrote to memory of 876	1556	net.exe	33
PID 1556 wrote to memory of 876	1556	net.exe	33
PID 1388 wrote to memory of 776	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	34
PID 1388 wrote to memory of 776	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	34
PID 1388 wrote to memory of 776	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	34
PID 1388 wrote to memory of 776	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	34
PID 1388 wrote to memory of 432	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	36
PID 1388 wrote to memory of 432	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	36
PID 1388 wrote to memory of 432	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	36
PID 1388 wrote to memory of 432	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	36
PID 1388 wrote to memory of 1316	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	38
PID 1388 wrote to memory of 1316	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	38
PID 1388 wrote to memory of 1316	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	38
PID 1388 wrote to memory of 1316	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	38
PID 1316 wrote to memory of 1172	1316	cmd.exe	40
PID 1316 wrote to memory of 1172	1316	cmd.exe	40
PID 1316 wrote to memory of 1172	1316	cmd.exe	40
PID 1316 wrote to memory of 1172	1316	cmd.exe	40
PID 1388 wrote to memory of 2004	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	42
PID 1388 wrote to memory of 2004	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	42
PID 1388 wrote to memory of 2004	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	42
PID 1388 wrote to memory of 2004	1388	7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe	42
PID 2004 wrote to memory of 1628	2004	net.exe	44
PID 2004 wrote to memory of 1628	2004	net.exe	44
PID 2004 wrote to memory of 1628	2004	net.exe	44
PID 2004 wrote to memory of 1628	2004	net.exe	44
PID 1100 wrote to memory of 2248	1100	bpRnFes.exe	45
PID 1100 wrote to memory of 2248	1100	bpRnFes.exe	45
PID 1100 wrote to memory of 2248	1100	bpRnFes.exe	45
PID 1100 wrote to memory of 2248	1100	bpRnFes.exe	45
PID 1100 wrote to memory of 2256	1100	bpRnFes.exe	47
PID 1100 wrote to memory of 2256	1100	bpRnFes.exe	47
PID 1100 wrote to memory of 2256	1100	bpRnFes.exe	47
PID 1100 wrote to memory of 2256	1100	bpRnFes.exe	47
PID 1100 wrote to memory of 2272	1100	bpRnFes.exe	49
PID 1100 wrote to memory of 2272	1100	bpRnFes.exe	49
PID 1100 wrote to memory of 2272	1100	bpRnFes.exe	49
PID 1100 wrote to memory of 2272	1100	bpRnFes.exe	49
PID 2272 wrote to memory of 2328	2272	cmd.exe	51
PID 2272 wrote to memory of 2328	2272	cmd.exe	51
PID 2272 wrote to memory of 2328	2272	cmd.exe	51
PID 2272 wrote to memory of 2328	2272	cmd.exe	51
PID 1100 wrote to memory of 2412	1100	bpRnFes.exe	53
PID 1100 wrote to memory of 2412	1100	bpRnFes.exe	53
PID 1100 wrote to memory of 2412	1100	bpRnFes.exe	53
PID 1100 wrote to memory of 2412	1100	bpRnFes.exe	53

C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe
"C:\Users\Admin\AppData\Local\Temp\7a7e8077f4096cb5e45597ef6e8e7873a5f13db337383a312cb9e2da374599e4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe
  "C:\Users\Admin\AppData\Local\Temp\bpRnFes.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2248
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2328
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:2412
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:21464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:21488
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:31268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:31320
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1372
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:876
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:776
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1172
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1628
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:15332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:15268
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:19092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:19152
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:17384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:21448
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:27244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-120-0x000000000E130000-0x000000000EBEA000-memory.dmp

Filesize
10.7MB

Download
memory/1388-54-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download