ryuk | 8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c

General

Target

8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
Size

188KB
MD5

63a46709a4e2eee46c3f9d2ff65a2c88
SHA1

f2cacaabcea399c95c6ee8bdfdf5b8ee6d7644b6
SHA256

8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c
SHA512

2396c89a15b2e87952641dff7aa8644b6b70543697d3fbe4ec945e47028277c783661794ea0eef63ab985765a66b47464b51154fdff7b6ac44ffa33899308441

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

sHXvLJn.exe

pid process

1096 sHXvLJn.exe

pid	process
1096	sHXvLJn.exe

Loads dropped DLL 2 IoCs

Processes:

8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe

pid	process
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exesHXvLJn.exe

pid	process
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1096	sHXvLJn.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1096	sHXvLJn.exe
1096	sHXvLJn.exe
1096	sHXvLJn.exe
1096	sHXvLJn.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
1096	sHXvLJn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exesHXvLJn.exe

description	pid	process
Token: SeBackupPrivilege	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
Token: SeBackupPrivilege	1096	sHXvLJn.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exenet.exenet.exenet.exenet.exesHXvLJn.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1760 wrote to memory of 1096	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	sHXvLJn.exe
PID 1760 wrote to memory of 1096	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	sHXvLJn.exe
PID 1760 wrote to memory of 1096	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	sHXvLJn.exe
PID 1760 wrote to memory of 1096	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	sHXvLJn.exe
PID 1760 wrote to memory of 472	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 472	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 472	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 472	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 472 wrote to memory of 272	472	net.exe	net1.exe
PID 472 wrote to memory of 272	472	net.exe	net1.exe
PID 472 wrote to memory of 272	472	net.exe	net1.exe
PID 472 wrote to memory of 272	472	net.exe	net1.exe
PID 1760 wrote to memory of 580	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 580	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 580	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 580	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 580 wrote to memory of 1492	580	net.exe	net1.exe
PID 580 wrote to memory of 1492	580	net.exe	net1.exe
PID 580 wrote to memory of 1492	580	net.exe	net1.exe
PID 580 wrote to memory of 1492	580	net.exe	net1.exe
PID 1760 wrote to memory of 1980	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 1980	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 1980	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 1980	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1980 wrote to memory of 1052	1980	net.exe	net1.exe
PID 1980 wrote to memory of 1052	1980	net.exe	net1.exe
PID 1980 wrote to memory of 1052	1980	net.exe	net1.exe
PID 1980 wrote to memory of 1052	1980	net.exe	net1.exe
PID 1760 wrote to memory of 868	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 868	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 868	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 868	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 868 wrote to memory of 904	868	net.exe	net1.exe
PID 868 wrote to memory of 904	868	net.exe	net1.exe
PID 868 wrote to memory of 904	868	net.exe	net1.exe
PID 868 wrote to memory of 904	868	net.exe	net1.exe
PID 1096 wrote to memory of 2176	1096	sHXvLJn.exe	net.exe
PID 1096 wrote to memory of 2176	1096	sHXvLJn.exe	net.exe
PID 1096 wrote to memory of 2176	1096	sHXvLJn.exe	net.exe
PID 1096 wrote to memory of 2176	1096	sHXvLJn.exe	net.exe
PID 2176 wrote to memory of 2200	2176	net.exe	net1.exe
PID 2176 wrote to memory of 2200	2176	net.exe	net1.exe
PID 2176 wrote to memory of 2200	2176	net.exe	net1.exe
PID 2176 wrote to memory of 2200	2176	net.exe	net1.exe
PID 1760 wrote to memory of 15236	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 15236	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 15236	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 15236	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 15236 wrote to memory of 14800	15236	net.exe	net1.exe
PID 15236 wrote to memory of 14800	15236	net.exe	net1.exe
PID 15236 wrote to memory of 14800	15236	net.exe	net1.exe
PID 15236 wrote to memory of 14800	15236	net.exe	net1.exe
PID 1760 wrote to memory of 14940	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 14940	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 14940	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 1760 wrote to memory of 14940	1760	8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe	net.exe
PID 14940 wrote to memory of 15304	14940	net.exe	net1.exe
PID 14940 wrote to memory of 15304	14940	net.exe	net1.exe
PID 14940 wrote to memory of 15304	14940	net.exe	net1.exe
PID 14940 wrote to memory of 15304	14940	net.exe	net1.exe
PID 1096 wrote to memory of 18228	1096	sHXvLJn.exe	net.exe
PID 1096 wrote to memory of 18228	1096	sHXvLJn.exe	net.exe
PID 1096 wrote to memory of 18228	1096	sHXvLJn.exe	net.exe
PID 1096 wrote to memory of 18228	1096	sHXvLJn.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe
"C:\Users\Admin\AppData\Local\Temp\8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\sHXvLJn.exe
"C:\Users\Admin\AppData\Local\Temp\sHXvLJn.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:2200

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:18228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:18264

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:34720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:34748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:272

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1492

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1052

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:904

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:15236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:14800

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:14940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:15304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:34640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:34668

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:34684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:34708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
69dd6148dbda781570a1337e961aab73

SHA1
b789e127b2cda91a5fec54543062beedd670ef28

SHA256
3e8ae3db133c960b104130e99a7d49895380be8e87170adecc998b9323b719e8

SHA512
17ce7f8520897755f57800483e7a89b623252434cb00daddac08c07f4c40de30188a71143fea2f530c9391083ec9ff55f3c193d1cc2f510d7a17221bec8a0122

Download Submit
C:\Users\Admin\AppData\Local\Temp\sHXvLJn.exe
MD5
63a46709a4e2eee46c3f9d2ff65a2c88

SHA1
f2cacaabcea399c95c6ee8bdfdf5b8ee6d7644b6

SHA256
8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c

SHA512
2396c89a15b2e87952641dff7aa8644b6b70543697d3fbe4ec945e47028277c783661794ea0eef63ab985765a66b47464b51154fdff7b6ac44ffa33899308441

Download Submit
\Users\Admin\AppData\Local\Temp\sHXvLJn.exe
MD5
63a46709a4e2eee46c3f9d2ff65a2c88

SHA1
f2cacaabcea399c95c6ee8bdfdf5b8ee6d7644b6

SHA256
8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c

SHA512
2396c89a15b2e87952641dff7aa8644b6b70543697d3fbe4ec945e47028277c783661794ea0eef63ab985765a66b47464b51154fdff7b6ac44ffa33899308441

Download Submit
\Users\Admin\AppData\Local\Temp\sHXvLJn.exe
MD5
63a46709a4e2eee46c3f9d2ff65a2c88

SHA1
f2cacaabcea399c95c6ee8bdfdf5b8ee6d7644b6

SHA256
8ec0c670fa446d9f59372fccb1ad2438a7b8ecac9f91ac2fc6483557c854d93c

SHA512
2396c89a15b2e87952641dff7aa8644b6b70543697d3fbe4ec945e47028277c783661794ea0eef63ab985765a66b47464b51154fdff7b6ac44ffa33899308441

Download Submit
memory/1760-54-0x0000000075341000-0x0000000075343000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads