ryuk | 81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013

Analysis

max time kernel
201s
max time network
98s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
Size

192KB
MD5

567cf2eec7a754e6ac98f0f738418caa
SHA1

70a1b782865156a338894e9466f951143927703f
SHA256

81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013
SHA512

867b233c1a83ec8c46479b30e3dc37f5c306d33ec2804622e43be7cc9f45afa4a2873e4eff72f36353db68a3c12281dd11f2030b36b421fef145aa71136a0b88

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

ynDiTTz.exe

pid process

1120 ynDiTTz.exe

pid	process
1120	ynDiTTz.exe

Loads dropped DLL 6 IoCs

Processes:

81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exeWerFault.exe

pid	process
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

15488 1120 WerFault.exe ynDiTTz.exe
Runs net.exe

pid	pid_target	process	target process
15488	1120	WerFault.exe	ynDiTTz.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exeynDiTTz.exeWerFault.exe

pid	process
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
1120	ynDiTTz.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
1120	ynDiTTz.exe
1120	ynDiTTz.exe
1120	ynDiTTz.exe
1120	ynDiTTz.exe
1120	ynDiTTz.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
1120	ynDiTTz.exe
672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe
15488	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ynDiTTz.exe81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exeWerFault.exe

description	pid	process
Token: SeBackupPrivilege	1120	ynDiTTz.exe
Token: SeBackupPrivilege	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
Token: SeDebugPrivilege	15488	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exenet.exenet.exeynDiTTz.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 672 wrote to memory of 1120	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	ynDiTTz.exe
PID 672 wrote to memory of 1120	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	ynDiTTz.exe
PID 672 wrote to memory of 1120	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	ynDiTTz.exe
PID 672 wrote to memory of 1120	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	ynDiTTz.exe
PID 672 wrote to memory of 1072	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 1072	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 1072	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 1072	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 1072 wrote to memory of 1864	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1864	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1864	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1864	1072	net.exe	net1.exe
PID 672 wrote to memory of 1056	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 1056	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 1056	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 1056	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 1056 wrote to memory of 1552	1056	net.exe	net1.exe
PID 1056 wrote to memory of 1552	1056	net.exe	net1.exe
PID 1056 wrote to memory of 1552	1056	net.exe	net1.exe
PID 1056 wrote to memory of 1552	1056	net.exe	net1.exe
PID 1120 wrote to memory of 1512	1120	ynDiTTz.exe	net.exe
PID 1120 wrote to memory of 1512	1120	ynDiTTz.exe	net.exe
PID 1120 wrote to memory of 1512	1120	ynDiTTz.exe	net.exe
PID 1120 wrote to memory of 1512	1120	ynDiTTz.exe	net.exe
PID 1512 wrote to memory of 1164	1512	net.exe	net1.exe
PID 1512 wrote to memory of 1164	1512	net.exe	net1.exe
PID 1512 wrote to memory of 1164	1512	net.exe	net1.exe
PID 1512 wrote to memory of 1164	1512	net.exe	net1.exe
PID 1120 wrote to memory of 1860	1120	ynDiTTz.exe	net.exe
PID 1120 wrote to memory of 1860	1120	ynDiTTz.exe	net.exe
PID 1120 wrote to memory of 1860	1120	ynDiTTz.exe	net.exe
PID 1120 wrote to memory of 1860	1120	ynDiTTz.exe	net.exe
PID 672 wrote to memory of 1920	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 1920	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 1920	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 1920	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 1920 wrote to memory of 1532	1920	net.exe	net1.exe
PID 1920 wrote to memory of 1532	1920	net.exe	net1.exe
PID 1920 wrote to memory of 1532	1920	net.exe	net1.exe
PID 1920 wrote to memory of 1532	1920	net.exe	net1.exe
PID 1860 wrote to memory of 1276	1860	net.exe	net1.exe
PID 1860 wrote to memory of 1276	1860	net.exe	net1.exe
PID 1860 wrote to memory of 1276	1860	net.exe	net1.exe
PID 1860 wrote to memory of 1276	1860	net.exe	net1.exe
PID 672 wrote to memory of 8544	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 8544	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 8544	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 8544	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 8544 wrote to memory of 8568	8544	net.exe	net1.exe
PID 8544 wrote to memory of 8568	8544	net.exe	net1.exe
PID 8544 wrote to memory of 8568	8544	net.exe	net1.exe
PID 8544 wrote to memory of 8568	8544	net.exe	net1.exe
PID 1120 wrote to memory of 12324	1120	ynDiTTz.exe	net.exe
PID 1120 wrote to memory of 12324	1120	ynDiTTz.exe	net.exe
PID 1120 wrote to memory of 12324	1120	ynDiTTz.exe	net.exe
PID 1120 wrote to memory of 12324	1120	ynDiTTz.exe	net.exe
PID 672 wrote to memory of 13436	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 13436	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 13436	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 672 wrote to memory of 13436	672	81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe	net.exe
PID 12324 wrote to memory of 13912	12324	net.exe	net1.exe
PID 12324 wrote to memory of 13912	12324	net.exe	net1.exe
PID 12324 wrote to memory of 13912	12324	net.exe	net1.exe
PID 12324 wrote to memory of 13912	12324	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe
"C:\Users\Admin\AppData\Local\Temp\81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Local\Temp\ynDiTTz.exe
"C:\Users\Admin\AppData\Local\Temp\ynDiTTz.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:1164

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1276

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:12324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:13912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 12828
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:15488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1864

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1552

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1532

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:8544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:13436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:14152

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:15632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:15656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:15692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:15736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
be46918f25b1aa58c459770d493a5b68

SHA1
daf0a7ac0dc43646b8da0bdc775e78287820fed5

SHA256
c34a56230ecb6d340795fed9f38c34e43b1faed0770bfa852ae5b1129883dec9

SHA512
89ae71f3058537ee1c67d4a2b1820584fe5c4698df81e6c4f9e62c638cb96e95c9c2424d1bf62b7f42cac5ebb5af507ca70aca66676ae4765864191914473342

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynDiTTz.exe
MD5
567cf2eec7a754e6ac98f0f738418caa

SHA1
70a1b782865156a338894e9466f951143927703f

SHA256
81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013

SHA512
867b233c1a83ec8c46479b30e3dc37f5c306d33ec2804622e43be7cc9f45afa4a2873e4eff72f36353db68a3c12281dd11f2030b36b421fef145aa71136a0b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynDiTTz.exe
MD5
567cf2eec7a754e6ac98f0f738418caa

SHA1
70a1b782865156a338894e9466f951143927703f

SHA256
81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013

SHA512
867b233c1a83ec8c46479b30e3dc37f5c306d33ec2804622e43be7cc9f45afa4a2873e4eff72f36353db68a3c12281dd11f2030b36b421fef145aa71136a0b88

Download Submit
\Users\Admin\AppData\Local\Temp\ynDiTTz.exe
MD5
567cf2eec7a754e6ac98f0f738418caa

SHA1
70a1b782865156a338894e9466f951143927703f

SHA256
81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013

SHA512
867b233c1a83ec8c46479b30e3dc37f5c306d33ec2804622e43be7cc9f45afa4a2873e4eff72f36353db68a3c12281dd11f2030b36b421fef145aa71136a0b88

Download Submit
\Users\Admin\AppData\Local\Temp\ynDiTTz.exe
MD5
567cf2eec7a754e6ac98f0f738418caa

SHA1
70a1b782865156a338894e9466f951143927703f

SHA256
81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013

SHA512
867b233c1a83ec8c46479b30e3dc37f5c306d33ec2804622e43be7cc9f45afa4a2873e4eff72f36353db68a3c12281dd11f2030b36b421fef145aa71136a0b88

Download Submit
\Users\Admin\AppData\Local\Temp\ynDiTTz.exe
MD5
567cf2eec7a754e6ac98f0f738418caa

SHA1
70a1b782865156a338894e9466f951143927703f

SHA256
81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013

SHA512
867b233c1a83ec8c46479b30e3dc37f5c306d33ec2804622e43be7cc9f45afa4a2873e4eff72f36353db68a3c12281dd11f2030b36b421fef145aa71136a0b88

Download Submit
\Users\Admin\AppData\Local\Temp\ynDiTTz.exe
MD5
567cf2eec7a754e6ac98f0f738418caa

SHA1
70a1b782865156a338894e9466f951143927703f

SHA256
81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013

SHA512
867b233c1a83ec8c46479b30e3dc37f5c306d33ec2804622e43be7cc9f45afa4a2873e4eff72f36353db68a3c12281dd11f2030b36b421fef145aa71136a0b88

Download Submit
\Users\Admin\AppData\Local\Temp\ynDiTTz.exe
MD5
567cf2eec7a754e6ac98f0f738418caa

SHA1
70a1b782865156a338894e9466f951143927703f

SHA256
81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013

SHA512
867b233c1a83ec8c46479b30e3dc37f5c306d33ec2804622e43be7cc9f45afa4a2873e4eff72f36353db68a3c12281dd11f2030b36b421fef145aa71136a0b88

Download Submit
\Users\Admin\AppData\Local\Temp\ynDiTTz.exe
MD5
567cf2eec7a754e6ac98f0f738418caa

SHA1
70a1b782865156a338894e9466f951143927703f

SHA256
81c4866813a273f4c5e859f241ec28c973c974651a948553c6439bcd0a571013

SHA512
867b233c1a83ec8c46479b30e3dc37f5c306d33ec2804622e43be7cc9f45afa4a2873e4eff72f36353db68a3c12281dd11f2030b36b421fef145aa71136a0b88

Download Submit
memory/672-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1120-62-0x00000000026C0000-0x00000000026D4000-memory.dmp

Filesize
80KB

Download
memory/1120-65-0x0000000002720000-0x000000000272B000-memory.dmp

Filesize
44KB

Download
memory/1120-61-0x0000000002690000-0x00000000026B9000-memory.dmp

Filesize
164KB

Download
memory/15488-71-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download