ryuk | 6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096

Analysis

max time kernel
181s
max time network
142s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
Size

186KB
MD5

d0020f73e4567c9a96b92c78419ed215
SHA1

10766dfbedd4ffba1c23bad0d83324bd04d2700a
SHA256

6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096
SHA512

fa075796f4192b8249708f0d18b3dadf56874b75a1619e17ae3a3e61ff72eec010e9d53bb69e5627255119a1ade463dd432b8d9a046da74b653c7f5e83238d8a

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

NUTazZa.exe

pid process

540 NUTazZa.exe

pid	process
540	NUTazZa.exe

Loads dropped DLL 2 IoCs

Processes:

6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe

pid	process
960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exeNUTazZa.exe

pid	process
960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
540	NUTazZa.exe
960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
540	NUTazZa.exe
960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
540	NUTazZa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exeNUTazZa.exe

description	pid	process
Token: SeBackupPrivilege	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
Token: SeBackupPrivilege	540	NUTazZa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exenet.exenet.exenet.exenet.exeNUTazZa.exenet.exenet.exenet.exe

description	pid	process	target process
PID 960 wrote to memory of 540	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	NUTazZa.exe
PID 960 wrote to memory of 540	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	NUTazZa.exe
PID 960 wrote to memory of 540	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	NUTazZa.exe
PID 960 wrote to memory of 540	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	NUTazZa.exe
PID 960 wrote to memory of 464	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 464	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 464	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 464	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 464 wrote to memory of 536	464	net.exe	net1.exe
PID 464 wrote to memory of 536	464	net.exe	net1.exe
PID 464 wrote to memory of 536	464	net.exe	net1.exe
PID 464 wrote to memory of 536	464	net.exe	net1.exe
PID 960 wrote to memory of 1428	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 1428	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 1428	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 1428	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 1428 wrote to memory of 1988	1428	net.exe	net1.exe
PID 1428 wrote to memory of 1988	1428	net.exe	net1.exe
PID 1428 wrote to memory of 1988	1428	net.exe	net1.exe
PID 1428 wrote to memory of 1988	1428	net.exe	net1.exe
PID 960 wrote to memory of 1124	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 1124	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 1124	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 1124	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 1124 wrote to memory of 1488	1124	net.exe	net1.exe
PID 1124 wrote to memory of 1488	1124	net.exe	net1.exe
PID 1124 wrote to memory of 1488	1124	net.exe	net1.exe
PID 1124 wrote to memory of 1488	1124	net.exe	net1.exe
PID 960 wrote to memory of 1620	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 1620	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 1620	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 1620	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 1620 wrote to memory of 2092	1620	net.exe	net1.exe
PID 1620 wrote to memory of 2092	1620	net.exe	net1.exe
PID 1620 wrote to memory of 2092	1620	net.exe	net1.exe
PID 1620 wrote to memory of 2092	1620	net.exe	net1.exe
PID 540 wrote to memory of 8464	540	NUTazZa.exe	net.exe
PID 540 wrote to memory of 8464	540	NUTazZa.exe	net.exe
PID 540 wrote to memory of 8464	540	NUTazZa.exe	net.exe
PID 540 wrote to memory of 8464	540	NUTazZa.exe	net.exe
PID 8464 wrote to memory of 8488	8464	net.exe	net1.exe
PID 8464 wrote to memory of 8488	8464	net.exe	net1.exe
PID 8464 wrote to memory of 8488	8464	net.exe	net1.exe
PID 8464 wrote to memory of 8488	8464	net.exe	net1.exe
PID 960 wrote to memory of 16792	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 16792	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 16792	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 16792	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 16800	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 16800	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 16800	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 960 wrote to memory of 16800	960	6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe	net.exe
PID 16800 wrote to memory of 16844	16800	net.exe	net1.exe
PID 16800 wrote to memory of 16844	16800	net.exe	net1.exe
PID 16800 wrote to memory of 16844	16800	net.exe	net1.exe
PID 16800 wrote to memory of 16844	16800	net.exe	net1.exe
PID 16792 wrote to memory of 16856	16792	net.exe	net1.exe
PID 16792 wrote to memory of 16856	16792	net.exe	net1.exe
PID 16792 wrote to memory of 16856	16792	net.exe	net1.exe
PID 16792 wrote to memory of 16856	16792	net.exe	net1.exe
PID 540 wrote to memory of 16876	540	NUTazZa.exe	net.exe
PID 540 wrote to memory of 16876	540	NUTazZa.exe	net.exe
PID 540 wrote to memory of 16876	540	NUTazZa.exe	net.exe
PID 540 wrote to memory of 16876	540	NUTazZa.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe
"C:\Users\Admin\AppData\Local\Temp\6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\NUTazZa.exe
  "C:\Users\Admin\AppData\Local\Temp\NUTazZa.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:8464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:8488
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:16876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:16904
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:32244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:32388
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:536
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1988
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1488
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2092
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16844
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:16792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:16856
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:32140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:32164
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:32220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:32396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUTazZa.exe

MD5
d0020f73e4567c9a96b92c78419ed215

SHA1
10766dfbedd4ffba1c23bad0d83324bd04d2700a

SHA256
6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096

SHA512
fa075796f4192b8249708f0d18b3dadf56874b75a1619e17ae3a3e61ff72eec010e9d53bb69e5627255119a1ade463dd432b8d9a046da74b653c7f5e83238d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
8c33ca1dad936c07e8e48b3e8d0862d5

SHA1
7923dfab163b61fa58a77b27c398baacd73b03ae

SHA256
866a171150877caf5af6011ec36f9dab92d9faae37e15ba58d1054d2fba281cb

SHA512
6604d5328034671a105b569ebb2dc533e5b162e6d291da056a0a376c0d5c82b39a7e1093817ced4c25a3d68f839e1237b17586e26328a87aef648caed651fdfa

Download Submit
\Users\Admin\AppData\Local\Temp\NUTazZa.exe

MD5
d0020f73e4567c9a96b92c78419ed215

SHA1
10766dfbedd4ffba1c23bad0d83324bd04d2700a

SHA256
6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096

SHA512
fa075796f4192b8249708f0d18b3dadf56874b75a1619e17ae3a3e61ff72eec010e9d53bb69e5627255119a1ade463dd432b8d9a046da74b653c7f5e83238d8a

Download Submit
\Users\Admin\AppData\Local\Temp\NUTazZa.exe

MD5
d0020f73e4567c9a96b92c78419ed215

SHA1
10766dfbedd4ffba1c23bad0d83324bd04d2700a

SHA256
6e96d221514a919ea0366b4ce51b84fbac21a9da920b5281e4aa27ed2cf3b096

SHA512
fa075796f4192b8249708f0d18b3dadf56874b75a1619e17ae3a3e61ff72eec010e9d53bb69e5627255119a1ade463dd432b8d9a046da74b653c7f5e83238d8a

Download Submit
memory/960-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download