ryuk | 6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20

Analysis

max time kernel
171s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe
Size

184KB
MD5

e04ed93986095d0b9def687de63a682b
SHA1

ba09fe2167f7b75d659f0c8723f44b875a23a91b
SHA256

6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20
SHA512

14dab6fe8654b2e2ffb8ddeb39f7cd6b0d9ffff8665eff59f8024f4a0cd56110075550164757d4f8bb25de1902062bf9e89e15057bd2b716d636c244714df420

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe
1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe
1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2080	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	27
PID 1624 wrote to memory of 2080	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	27
PID 1624 wrote to memory of 2080	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	27
PID 1624 wrote to memory of 2080	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	27
PID 1624 wrote to memory of 2120	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	29
PID 1624 wrote to memory of 2120	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	29
PID 1624 wrote to memory of 2120	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	29
PID 1624 wrote to memory of 2120	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	29
PID 2120 wrote to memory of 2428	2120	net.exe	33
PID 2120 wrote to memory of 2428	2120	net.exe	33
PID 2120 wrote to memory of 2428	2120	net.exe	33
PID 2120 wrote to memory of 2428	2120	net.exe	33
PID 2080 wrote to memory of 2420	2080	net.exe	32
PID 2080 wrote to memory of 2420	2080	net.exe	32
PID 2080 wrote to memory of 2420	2080	net.exe	32
PID 2080 wrote to memory of 2420	2080	net.exe	32
PID 1624 wrote to memory of 8412	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	35
PID 1624 wrote to memory of 8412	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	35
PID 1624 wrote to memory of 8412	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	35
PID 1624 wrote to memory of 8412	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	35
PID 8412 wrote to memory of 8440	8412	net.exe	37
PID 8412 wrote to memory of 8440	8412	net.exe	37
PID 8412 wrote to memory of 8440	8412	net.exe	37
PID 8412 wrote to memory of 8440	8412	net.exe	37
PID 1624 wrote to memory of 8564	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	38
PID 1624 wrote to memory of 8564	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	38
PID 1624 wrote to memory of 8564	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	38
PID 1624 wrote to memory of 8564	1624	6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe	38
PID 8564 wrote to memory of 8588	8564	net.exe	40
PID 8564 wrote to memory of 8588	8564	net.exe	40
PID 8564 wrote to memory of 8588	8564	net.exe	40
PID 8564 wrote to memory of 8588	8564	net.exe	40

C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe
"C:\Users\Admin\AppData\Local\Temp\6bec64452076bf8a5facfaafaaa89d76f6695eb0d71bd24b01b1d697bbf86f20.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2420
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2428
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8440
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-55-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download