ryuk | 5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d

Analysis

max time kernel
174s
max time network
81s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
Size

188KB
MD5

24d05101e5fc0a61d6aaf9b801c0ba39
SHA1

0004b680e9798329923128dfe731f0d2c181e7b6
SHA256

5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d
SHA512

52bf57c082891c872418cace41a5a43ed7adf856c6ac8f56a9e762cb603e67f0396c6537ad22d835d8b6a3c086a934d6b773a0c3dfc14ba050f7008bc483c765

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
584	vxVYvcM.exe

Loads dropped DLL 5 IoCs

pid	Process
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
26180	WerFault.exe
26180	WerFault.exe
26180	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
26180	584	WerFault.exe	27

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
584	vxVYvcM.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
584	vxVYvcM.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
Token: SeBackupPrivilege	584	vxVYvcM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 584	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	27
PID 1896 wrote to memory of 584	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	27
PID 1896 wrote to memory of 584	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	27
PID 1896 wrote to memory of 584	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	27
PID 1896 wrote to memory of 768	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	28
PID 1896 wrote to memory of 768	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	28
PID 1896 wrote to memory of 768	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	28
PID 1896 wrote to memory of 768	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	28
PID 768 wrote to memory of 1368	768	net.exe	30
PID 768 wrote to memory of 1368	768	net.exe	30
PID 768 wrote to memory of 1368	768	net.exe	30
PID 768 wrote to memory of 1368	768	net.exe	30
PID 1896 wrote to memory of 304	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	31
PID 1896 wrote to memory of 304	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	31
PID 1896 wrote to memory of 304	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	31
PID 1896 wrote to memory of 304	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	31
PID 304 wrote to memory of 1088	304	net.exe	33
PID 304 wrote to memory of 1088	304	net.exe	33
PID 304 wrote to memory of 1088	304	net.exe	33
PID 304 wrote to memory of 1088	304	net.exe	33
PID 1896 wrote to memory of 980	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	34
PID 1896 wrote to memory of 980	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	34
PID 1896 wrote to memory of 980	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	34
PID 1896 wrote to memory of 980	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	34
PID 980 wrote to memory of 1972	980	net.exe	36
PID 980 wrote to memory of 1972	980	net.exe	36
PID 980 wrote to memory of 1972	980	net.exe	36
PID 980 wrote to memory of 1972	980	net.exe	36
PID 1896 wrote to memory of 1280	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	37
PID 1896 wrote to memory of 1280	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	37
PID 1896 wrote to memory of 1280	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	37
PID 1896 wrote to memory of 1280	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	37
PID 1280 wrote to memory of 1564	1280	net.exe	39
PID 1280 wrote to memory of 1564	1280	net.exe	39
PID 1280 wrote to memory of 1564	1280	net.exe	39
PID 1280 wrote to memory of 1564	1280	net.exe	39
PID 584 wrote to memory of 1584	584	vxVYvcM.exe	40
PID 584 wrote to memory of 1584	584	vxVYvcM.exe	40
PID 584 wrote to memory of 1584	584	vxVYvcM.exe	40
PID 584 wrote to memory of 1584	584	vxVYvcM.exe	40
PID 1584 wrote to memory of 836	1584	net.exe	43
PID 1584 wrote to memory of 836	1584	net.exe	43
PID 1584 wrote to memory of 836	1584	net.exe	43
PID 1584 wrote to memory of 836	1584	net.exe	43
PID 584 wrote to memory of 1704	584	vxVYvcM.exe	45
PID 584 wrote to memory of 1704	584	vxVYvcM.exe	45
PID 584 wrote to memory of 1704	584	vxVYvcM.exe	45
PID 584 wrote to memory of 1704	584	vxVYvcM.exe	45
PID 1704 wrote to memory of 1368	1704	net.exe	47
PID 1704 wrote to memory of 1368	1704	net.exe	47
PID 1704 wrote to memory of 1368	1704	net.exe	47
PID 1704 wrote to memory of 1368	1704	net.exe	47
PID 1896 wrote to memory of 17396	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	49
PID 1896 wrote to memory of 17396	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	49
PID 1896 wrote to memory of 17396	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	49
PID 1896 wrote to memory of 17396	1896	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	49
PID 17396 wrote to memory of 17384	17396	net.exe	50
PID 17396 wrote to memory of 17384	17396	net.exe	50
PID 17396 wrote to memory of 17384	17396	net.exe	50
PID 17396 wrote to memory of 17384	17396	net.exe	50
PID 584 wrote to memory of 26180	584	vxVYvcM.exe	52
PID 584 wrote to memory of 26180	584	vxVYvcM.exe	52
PID 584 wrote to memory of 26180	584	vxVYvcM.exe	52
PID 584 wrote to memory of 26180	584	vxVYvcM.exe	52

C:\Users\Admin\AppData\Local\Temp\5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
"C:\Users\Admin\AppData\Local\Temp\5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\vxVYvcM.exe
  "C:\Users\Admin\AppData\Local\Temp\vxVYvcM.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:836
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 8708
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:26180
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1368
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1088
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1972
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:17396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:17384
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:26192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:26216
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:26308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:26332
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:26376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:26400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-63-0x000000001B5B0000-0x000000001B5C4000-memory.dmp

Filesize
80KB

Download
memory/584-66-0x000000001B750000-0x000000001B75B000-memory.dmp

Filesize
44KB

Download
memory/584-67-0x000000001B770000-0x000000001B789000-memory.dmp

Filesize
100KB

Download
memory/584-65-0x000000001B740000-0x000000001B74F000-memory.dmp

Filesize
60KB

Download
memory/584-64-0x000000001B710000-0x000000001B727000-memory.dmp

Filesize
92KB

Download
memory/584-62-0x000000001B580000-0x000000001B5A9000-memory.dmp

Filesize
164KB

Download
memory/1896-54-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download