ryuk | 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841

General

Target

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
Size

171KB
MD5

d92a64dce52edbbf70f9a5ebd25600be
SHA1

7e0a7323d4ba0454e6d54c4746dbac8373af9d0d
SHA256

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841
SHA512

a629f2c4e38b4ee3a357f24da3f5e5310081bb46617f5e67a634e6308ce946860701879a114852eb2dc30d7d5696bcf01df9715cd3f689c2b19f879701600471

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 3 IoCs

Processes:

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
File opened for modification	C:\Documents and Settings\Admin\3D Objects\desktop.ini	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

pid	process
3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

description	pid	process
Token: SeDebugPrivilege	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
Token: SeBackupPrivilege	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

description	pid	process	target process
PID 3024 wrote to memory of 2172	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	sihost.exe
PID 3024 wrote to memory of 2192	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	svchost.exe
PID 3024 wrote to memory of 2240	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	taskhostw.exe
PID 3024 wrote to memory of 2548	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	svchost.exe
PID 3024 wrote to memory of 2736	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	DllHost.exe
PID 3024 wrote to memory of 2832	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	StartMenuExperienceHost.exe
PID 3024 wrote to memory of 2896	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	RuntimeBroker.exe
PID 3024 wrote to memory of 2976	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	SearchApp.exe
PID 3024 wrote to memory of 2868	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	RuntimeBroker.exe
PID 3024 wrote to memory of 3392	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	RuntimeBroker.exe
PID 3024 wrote to memory of 1500	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	RuntimeBroker.exe
PID 3024 wrote to memory of 3960	3024	7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe	BackgroundTransferHost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2172

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2736

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3392

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
"C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3960

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
PID:1192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
PID:4320

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads