ryuk | 5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d

Analysis

max time kernel
184s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
Size

188KB
MD5

24d05101e5fc0a61d6aaf9b801c0ba39
SHA1

0004b680e9798329923128dfe731f0d2c181e7b6
SHA256

5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d
SHA512

52bf57c082891c872418cace41a5a43ed7adf856c6ac8f56a9e762cb603e67f0396c6537ad22d835d8b6a3c086a934d6b773a0c3dfc14ba050f7008bc483c765

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
1744	OefmaaT.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	OefmaaT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1744	OefmaaT.exe
1744	OefmaaT.exe
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1744	OefmaaT.exe
1744	OefmaaT.exe
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
Token: SeBackupPrivilege	1744	OefmaaT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1744	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	83
PID 1728 wrote to memory of 1744	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	83
PID 1728 wrote to memory of 1744	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	83
PID 1728 wrote to memory of 4440	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	84
PID 1728 wrote to memory of 4440	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	84
PID 1728 wrote to memory of 4440	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	84
PID 1728 wrote to memory of 2204	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	86
PID 1728 wrote to memory of 2204	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	86
PID 1728 wrote to memory of 2204	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	86
PID 2204 wrote to memory of 4776	2204	net.exe	89
PID 2204 wrote to memory of 4776	2204	net.exe	89
PID 2204 wrote to memory of 4776	2204	net.exe	89
PID 4440 wrote to memory of 4768	4440	net.exe	88
PID 4440 wrote to memory of 4768	4440	net.exe	88
PID 4440 wrote to memory of 4768	4440	net.exe	88
PID 1728 wrote to memory of 4196	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	90
PID 1728 wrote to memory of 4196	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	90
PID 1728 wrote to memory of 4196	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	90
PID 1728 wrote to memory of 3064	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	92
PID 1728 wrote to memory of 3064	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	92
PID 1728 wrote to memory of 3064	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	92
PID 4196 wrote to memory of 2828	4196	net.exe	94
PID 4196 wrote to memory of 2828	4196	net.exe	94
PID 4196 wrote to memory of 2828	4196	net.exe	94
PID 1744 wrote to memory of 3588	1744	OefmaaT.exe	95
PID 1744 wrote to memory of 3588	1744	OefmaaT.exe	95
PID 1744 wrote to memory of 3588	1744	OefmaaT.exe	95
PID 3064 wrote to memory of 3948	3064	net.exe	97
PID 3064 wrote to memory of 3948	3064	net.exe	97
PID 3064 wrote to memory of 3948	3064	net.exe	97
PID 1744 wrote to memory of 5048	1744	OefmaaT.exe	98
PID 1744 wrote to memory of 5048	1744	OefmaaT.exe	98
PID 1744 wrote to memory of 5048	1744	OefmaaT.exe	98
PID 3588 wrote to memory of 2388	3588	net.exe	100
PID 3588 wrote to memory of 2388	3588	net.exe	100
PID 3588 wrote to memory of 2388	3588	net.exe	100
PID 5048 wrote to memory of 960	5048	net.exe	101
PID 5048 wrote to memory of 960	5048	net.exe	101
PID 5048 wrote to memory of 960	5048	net.exe	101
PID 1728 wrote to memory of 6020	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	104
PID 1728 wrote to memory of 6020	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	104
PID 1728 wrote to memory of 6020	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	104
PID 6020 wrote to memory of 6076	6020	net.exe	106
PID 6020 wrote to memory of 6076	6020	net.exe	106
PID 6020 wrote to memory of 6076	6020	net.exe	106
PID 1728 wrote to memory of 6096	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	107
PID 1728 wrote to memory of 6096	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	107
PID 1728 wrote to memory of 6096	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	107
PID 6096 wrote to memory of 4476	6096	net.exe	109
PID 6096 wrote to memory of 4476	6096	net.exe	109
PID 6096 wrote to memory of 4476	6096	net.exe	109
PID 1744 wrote to memory of 828	1744	OefmaaT.exe	110
PID 1744 wrote to memory of 828	1744	OefmaaT.exe	110
PID 1744 wrote to memory of 828	1744	OefmaaT.exe	110
PID 828 wrote to memory of 4840	828	net.exe	112
PID 828 wrote to memory of 4840	828	net.exe	112
PID 828 wrote to memory of 4840	828	net.exe	112
PID 1728 wrote to memory of 10904	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	114
PID 1728 wrote to memory of 10904	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	114
PID 1728 wrote to memory of 10904	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	114
PID 10904 wrote to memory of 4604	10904	net.exe	116
PID 10904 wrote to memory of 4604	10904	net.exe	116
PID 10904 wrote to memory of 4604	10904	net.exe	116
PID 1728 wrote to memory of 1140	1728	5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe	118

C:\Users\Admin\AppData\Local\Temp\5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe
"C:\Users\Admin\AppData\Local\Temp\5f8b44362df4db2b3552b7afd2ab1a720f7afeb60a9a798132061e83faf1411d.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\OefmaaT.exe
  "C:\Users\Admin\AppData\Local\Temp\OefmaaT.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2388
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:960
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:4840
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4768
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4776
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2828
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3948
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6076
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4476
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10904
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads