ryuk | 827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa

General

Target

827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
Size

189KB
MD5

22d2811ba73d9f43086700fe22991c81
SHA1

6a7efe4137e953c74de48f3c32019c5a70c644dd
SHA256

827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa
SHA512

fed438621fec75371a46b28011ca8f36cc17ed12a6b6f9e077bb8f460f8bda5419dad2e6f64fc464d7e3ffcfe0a7e2b9e64e5e01778130d6bbbe1d71510e30e5

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

bEgyOcB.exe

pid process

1868 bEgyOcB.exe

pid	process
1868	bEgyOcB.exe

Loads dropped DLL 2 IoCs

Processes:

827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe

pid	process
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exebEgyOcB.exe

pid	process
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1868	bEgyOcB.exe
1868	bEgyOcB.exe
1868	bEgyOcB.exe
1868	bEgyOcB.exe
1868	bEgyOcB.exe
1868	bEgyOcB.exe
1868	bEgyOcB.exe
1868	bEgyOcB.exe
1868	bEgyOcB.exe
1868	bEgyOcB.exe
1868	bEgyOcB.exe
1868	bEgyOcB.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
1868	bEgyOcB.exe
1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exebEgyOcB.exe

description	pid	process
Token: SeBackupPrivilege	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
Token: SeBackupPrivilege	1868	bEgyOcB.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exebEgyOcB.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1632 wrote to memory of 1868	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	bEgyOcB.exe
PID 1632 wrote to memory of 1868	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	bEgyOcB.exe
PID 1632 wrote to memory of 1868	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	bEgyOcB.exe
PID 1632 wrote to memory of 1868	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	bEgyOcB.exe
PID 1868 wrote to memory of 1904	1868	bEgyOcB.exe	net.exe
PID 1868 wrote to memory of 1904	1868	bEgyOcB.exe	net.exe
PID 1868 wrote to memory of 1904	1868	bEgyOcB.exe	net.exe
PID 1868 wrote to memory of 1904	1868	bEgyOcB.exe	net.exe
PID 1632 wrote to memory of 1932	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 1932	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 1932	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 1932	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 1964	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 1964	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 1964	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 1964	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1868 wrote to memory of 2088	1868	bEgyOcB.exe	net.exe
PID 1868 wrote to memory of 2088	1868	bEgyOcB.exe	net.exe
PID 1868 wrote to memory of 2088	1868	bEgyOcB.exe	net.exe
PID 1868 wrote to memory of 2088	1868	bEgyOcB.exe	net.exe
PID 1632 wrote to memory of 2080	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 2080	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 2080	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 2080	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 2168	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 2168	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 2168	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 2168	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 2088 wrote to memory of 2228	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2228	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2228	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2228	2088	net.exe	net1.exe
PID 2168 wrote to memory of 2220	2168	net.exe	net1.exe
PID 2168 wrote to memory of 2220	2168	net.exe	net1.exe
PID 2168 wrote to memory of 2220	2168	net.exe	net1.exe
PID 2168 wrote to memory of 2220	2168	net.exe	net1.exe
PID 1932 wrote to memory of 2244	1932	net.exe	net1.exe
PID 1932 wrote to memory of 2244	1932	net.exe	net1.exe
PID 1932 wrote to memory of 2244	1932	net.exe	net1.exe
PID 2080 wrote to memory of 2260	2080	net.exe	net1.exe
PID 2080 wrote to memory of 2260	2080	net.exe	net1.exe
PID 2080 wrote to memory of 2260	2080	net.exe	net1.exe
PID 2080 wrote to memory of 2260	2080	net.exe	net1.exe
PID 1932 wrote to memory of 2244	1932	net.exe	net1.exe
PID 1964 wrote to memory of 2236	1964	net.exe	net1.exe
PID 1964 wrote to memory of 2236	1964	net.exe	net1.exe
PID 1964 wrote to memory of 2236	1964	net.exe	net1.exe
PID 1964 wrote to memory of 2236	1964	net.exe	net1.exe
PID 1904 wrote to memory of 2252	1904	net.exe	net1.exe
PID 1904 wrote to memory of 2252	1904	net.exe	net1.exe
PID 1904 wrote to memory of 2252	1904	net.exe	net1.exe
PID 1904 wrote to memory of 2252	1904	net.exe	net1.exe
PID 1632 wrote to memory of 30136	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 30136	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 30136	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 30136	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 30136 wrote to memory of 30456	30136	net.exe	net1.exe
PID 30136 wrote to memory of 30456	30136	net.exe	net1.exe
PID 30136 wrote to memory of 30456	30136	net.exe	net1.exe
PID 30136 wrote to memory of 30456	30136	net.exe	net1.exe
PID 1632 wrote to memory of 31360	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 31360	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 31360	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe
PID 1632 wrote to memory of 31360	1632	827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe
"C:\Users\Admin\AppData\Local\Temp\827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\bEgyOcB.exe
"C:\Users\Admin\AppData\Local\Temp\bEgyOcB.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:2252

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:2228

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:35732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:35800

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2244

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2236

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2260

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2220

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:30136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:30456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:31360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:31644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:35692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:35760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:468

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
1e38db95f70ce0d548e3423a7f5d37a3

SHA1
e5e2772bf1ee4b1a4d76b94cddb7b94db5487b95

SHA256
48eb92a54f31cec1eaf8adb64d3ced024ad7fc7d057dc0e646c40c05fb020e62

SHA512
2d7c6c0d4d007715336e8685b47dee1113979dfa44e41bef85225bbe8a618b0db0aca606daa6276d4f28c59b3549b82780c380361d3c123d23f96a82d00d3cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bEgyOcB.exe

MD5
22d2811ba73d9f43086700fe22991c81

SHA1
6a7efe4137e953c74de48f3c32019c5a70c644dd

SHA256
827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa

SHA512
fed438621fec75371a46b28011ca8f36cc17ed12a6b6f9e077bb8f460f8bda5419dad2e6f64fc464d7e3ffcfe0a7e2b9e64e5e01778130d6bbbe1d71510e30e5

Download Submit
\Users\Admin\AppData\Local\Temp\bEgyOcB.exe

MD5
22d2811ba73d9f43086700fe22991c81

SHA1
6a7efe4137e953c74de48f3c32019c5a70c644dd

SHA256
827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa

SHA512
fed438621fec75371a46b28011ca8f36cc17ed12a6b6f9e077bb8f460f8bda5419dad2e6f64fc464d7e3ffcfe0a7e2b9e64e5e01778130d6bbbe1d71510e30e5

Download Submit
\Users\Admin\AppData\Local\Temp\bEgyOcB.exe

MD5
22d2811ba73d9f43086700fe22991c81

SHA1
6a7efe4137e953c74de48f3c32019c5a70c644dd

SHA256
827b7e7ec7ca366fc31f3899a98339dfb4333073f197a5aa6755c8c09505bdfa

SHA512
fed438621fec75371a46b28011ca8f36cc17ed12a6b6f9e077bb8f460f8bda5419dad2e6f64fc464d7e3ffcfe0a7e2b9e64e5e01778130d6bbbe1d71510e30e5

Download Submit
memory/1632-55-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads