ryuk | 8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c

Analysis

max time kernel
169s
max time network
84s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
Size

188KB
MD5

63a46709a4e2eee46c3f9d2ff65a2c88
SHA1

f2cacaabcea399c95c6ee8bdfdf5b8ee6d7644b6
SHA256

8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c
SHA512

2396c89a15b2e87952641dff7aa8644b6b70543697d3fbe4ec945e47028277c783661794ea0eef63ab985765a66b47464b51154fdff7b6ac44ffa33899308441

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
1096	sHXvLJn.exe

Loads dropped DLL 2 IoCs

pid	Process
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1096	sHXvLJn.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1096	sHXvLJn.exe
1096	sHXvLJn.exe
1096	sHXvLJn.exe
1096	sHXvLJn.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1096	sHXvLJn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
Token: SeBackupPrivilege	1096	sHXvLJn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1096	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	27
PID 1760 wrote to memory of 1096	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	27
PID 1760 wrote to memory of 1096	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	27
PID 1760 wrote to memory of 1096	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	27
PID 1760 wrote to memory of 472	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	28
PID 1760 wrote to memory of 472	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	28
PID 1760 wrote to memory of 472	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	28
PID 1760 wrote to memory of 472	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	28
PID 472 wrote to memory of 272	472	net.exe	30
PID 472 wrote to memory of 272	472	net.exe	30
PID 472 wrote to memory of 272	472	net.exe	30
PID 472 wrote to memory of 272	472	net.exe	30
PID 1760 wrote to memory of 580	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	31
PID 1760 wrote to memory of 580	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	31
PID 1760 wrote to memory of 580	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	31
PID 1760 wrote to memory of 580	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	31
PID 580 wrote to memory of 1492	580	net.exe	33
PID 580 wrote to memory of 1492	580	net.exe	33
PID 580 wrote to memory of 1492	580	net.exe	33
PID 580 wrote to memory of 1492	580	net.exe	33
PID 1760 wrote to memory of 1980	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	34
PID 1760 wrote to memory of 1980	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	34
PID 1760 wrote to memory of 1980	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	34
PID 1760 wrote to memory of 1980	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	34
PID 1980 wrote to memory of 1052	1980	net.exe	36
PID 1980 wrote to memory of 1052	1980	net.exe	36
PID 1980 wrote to memory of 1052	1980	net.exe	36
PID 1980 wrote to memory of 1052	1980	net.exe	36
PID 1760 wrote to memory of 868	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	37
PID 1760 wrote to memory of 868	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	37
PID 1760 wrote to memory of 868	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	37
PID 1760 wrote to memory of 868	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	37
PID 868 wrote to memory of 904	868	net.exe	39
PID 868 wrote to memory of 904	868	net.exe	39
PID 868 wrote to memory of 904	868	net.exe	39
PID 868 wrote to memory of 904	868	net.exe	39
PID 1096 wrote to memory of 2176	1096	sHXvLJn.exe	40
PID 1096 wrote to memory of 2176	1096	sHXvLJn.exe	40
PID 1096 wrote to memory of 2176	1096	sHXvLJn.exe	40
PID 1096 wrote to memory of 2176	1096	sHXvLJn.exe	40
PID 2176 wrote to memory of 2200	2176	net.exe	42
PID 2176 wrote to memory of 2200	2176	net.exe	42
PID 2176 wrote to memory of 2200	2176	net.exe	42
PID 2176 wrote to memory of 2200	2176	net.exe	42
PID 1760 wrote to memory of 15236	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	45
PID 1760 wrote to memory of 15236	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	45
PID 1760 wrote to memory of 15236	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	45
PID 1760 wrote to memory of 15236	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	45
PID 15236 wrote to memory of 14800	15236	net.exe	47
PID 15236 wrote to memory of 14800	15236	net.exe	47
PID 15236 wrote to memory of 14800	15236	net.exe	47
PID 15236 wrote to memory of 14800	15236	net.exe	47
PID 1760 wrote to memory of 14940	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	48
PID 1760 wrote to memory of 14940	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	48
PID 1760 wrote to memory of 14940	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	48
PID 1760 wrote to memory of 14940	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	48
PID 14940 wrote to memory of 15304	14940	net.exe	50
PID 14940 wrote to memory of 15304	14940	net.exe	50
PID 14940 wrote to memory of 15304	14940	net.exe	50
PID 14940 wrote to memory of 15304	14940	net.exe	50
PID 1096 wrote to memory of 18228	1096	sHXvLJn.exe	51
PID 1096 wrote to memory of 18228	1096	sHXvLJn.exe	51
PID 1096 wrote to memory of 18228	1096	sHXvLJn.exe	51
PID 1096 wrote to memory of 18228	1096	sHXvLJn.exe	51

C:\Users\Admin\AppData\Local\Temp\8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
"C:\Users\Admin\AppData\Local\Temp\8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\sHXvLJn.exe
  "C:\Users\Admin\AppData\Local\Temp\sHXvLJn.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:18228
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:18264
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:34720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:34748
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:272
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1492
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1052
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:904
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:15236
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:14800
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:14940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:15304
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:34640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:34668
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:34684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:34708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1760-54-0x0000000075341000-0x0000000075343000-memory.dmp

Filesize
8KB

Download