ryuk | 88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5

Analysis

max time kernel
170s
max time network
144s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
Size

190KB
MD5

e8c26344b4adb62a9a42cf6480c88d05
SHA1

41f926e43e9686382f8c84da42880c47999645fb
SHA256

88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5
SHA512

287c49f05e2a9928c98986130e875af96d2690097ce00780bbd51034a1a5396c56d20e90ca267f8eb79c440d9b2cbf44e0082910807d934c5edad036d6277d2f

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
1256	taskhost.exe
1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
1256	taskhost.exe
1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
1256	taskhost.exe
1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
Token: SeBackupPrivilege	1256	taskhost.exe
Token: SeBackupPrivilege	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1256	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	12
PID 1484 wrote to memory of 1344	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	18
PID 1484 wrote to memory of 820	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	27
PID 1484 wrote to memory of 820	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	27
PID 1484 wrote to memory of 820	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	27
PID 1484 wrote to memory of 1388	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	29
PID 1484 wrote to memory of 1388	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	29
PID 1484 wrote to memory of 1388	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	29
PID 820 wrote to memory of 784	820	net.exe	32
PID 820 wrote to memory of 784	820	net.exe	32
PID 820 wrote to memory of 784	820	net.exe	32
PID 1388 wrote to memory of 1592	1388	net.exe	31
PID 1388 wrote to memory of 1592	1388	net.exe	31
PID 1388 wrote to memory of 1592	1388	net.exe	31
PID 1256 wrote to memory of 2012	1256	taskhost.exe	34
PID 1256 wrote to memory of 2012	1256	taskhost.exe	34
PID 1256 wrote to memory of 2012	1256	taskhost.exe	34
PID 2012 wrote to memory of 1212	2012	net.exe	35
PID 2012 wrote to memory of 1212	2012	net.exe	35
PID 2012 wrote to memory of 1212	2012	net.exe	35
PID 1256 wrote to memory of 1476	1256	taskhost.exe	36
PID 1256 wrote to memory of 1476	1256	taskhost.exe	36
PID 1256 wrote to memory of 1476	1256	taskhost.exe	36
PID 1476 wrote to memory of 1488	1476	net.exe	38
PID 1476 wrote to memory of 1488	1476	net.exe	38
PID 1476 wrote to memory of 1488	1476	net.exe	38
PID 1484 wrote to memory of 2172	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	39
PID 1484 wrote to memory of 2172	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	39
PID 1484 wrote to memory of 2172	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	39
PID 2172 wrote to memory of 2280	2172	net.exe	41
PID 2172 wrote to memory of 2280	2172	net.exe	41
PID 2172 wrote to memory of 2280	2172	net.exe	41
PID 1484 wrote to memory of 15452	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	44
PID 1484 wrote to memory of 15452	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	44
PID 1484 wrote to memory of 15452	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	44
PID 15452 wrote to memory of 15476	15452	net.exe	46
PID 15452 wrote to memory of 15476	15452	net.exe	46
PID 15452 wrote to memory of 15476	15452	net.exe	46
PID 1256 wrote to memory of 15488	1256	taskhost.exe	47
PID 1256 wrote to memory of 15488	1256	taskhost.exe	47
PID 1256 wrote to memory of 15488	1256	taskhost.exe	47
PID 15488 wrote to memory of 15516	15488	net.exe	49
PID 15488 wrote to memory of 15516	15488	net.exe	49
PID 15488 wrote to memory of 15516	15488	net.exe	49
PID 1484 wrote to memory of 15528	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	50
PID 1484 wrote to memory of 15528	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	50
PID 1484 wrote to memory of 15528	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	50
PID 15528 wrote to memory of 15552	15528	net.exe	52
PID 15528 wrote to memory of 15552	15528	net.exe	52
PID 15528 wrote to memory of 15552	15528	net.exe	52
PID 1484 wrote to memory of 15728	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	53
PID 1484 wrote to memory of 15728	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	53
PID 1484 wrote to memory of 15728	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	53
PID 15728 wrote to memory of 15752	15728	net.exe	55
PID 15728 wrote to memory of 15752	15728	net.exe	55
PID 15728 wrote to memory of 15752	15728	net.exe	55
PID 1256 wrote to memory of 15780	1256	taskhost.exe	56
PID 1256 wrote to memory of 15780	1256	taskhost.exe	56
PID 1256 wrote to memory of 15780	1256	taskhost.exe	56
PID 15780 wrote to memory of 15804	15780	net.exe	58
PID 15780 wrote to memory of 15804	15780	net.exe	58
PID 15780 wrote to memory of 15804	15780	net.exe	58
PID 1484 wrote to memory of 15816	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	59
PID 1484 wrote to memory of 15816	1484	88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe	59

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1212
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1488
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:15488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:15516
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:15780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:15804

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe
"C:\Users\Admin\AppData\Local\Temp\88c513a6ec19c8f34fb699d6c2f46549e0a4c3dedd364b91b801757d7bfe4fc5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:784
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1592
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2280
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:15452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:15476
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:15528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:15552
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:15728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:15752
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:15816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:15840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-58-0x000000013F2F0000-0x000000013F5C5000-memory.dmp

Filesize
2.8MB

Download
memory/1256-55-0x000000013F2F0000-0x000000013F5C5000-memory.dmp

Filesize
2.8MB

Download
memory/1344-59-0x000000013F2F0000-0x000000013F5C5000-memory.dmp

Filesize
2.8MB

Download
memory/1484-56-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

Filesize
8KB

Download