ryuk | 57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14

General

Target

57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
Size

171KB
MD5

643edd16a075087e1f52c90520191966
SHA1

e40f903c67de534bc0a3b0ca7bd86eed321381e6
SHA256

57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14
SHA512

48a05089ef89cf4509a656b30045e8bd200366d09ffcd15ab92e9b1e3ee5d9395f471370670cd2eeec6dda65897f1576e4ccd9cee5bc674e85d55df47258e5a6

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> brenda_matthews_1976@protonmail.com <br> josh.carinoso83@protonmail.com </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

brenda_matthews_1976@protonmail.com

josh.carinoso83@protonmail.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe

pid	process
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe

description	pid	process
Token: SeDebugPrivilege	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
Token: SeBackupPrivilege	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 268 wrote to memory of 1220	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	taskhost.exe
PID 268 wrote to memory of 1312	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	Dwm.exe
PID 268 wrote to memory of 2080	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2080	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2080	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2080	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2088	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2088	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2088	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2088	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2192	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2192	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2192	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2192	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2216	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2216	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2216	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 2216	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 2216 wrote to memory of 2684	2216	net.exe	net1.exe
PID 2216 wrote to memory of 2684	2216	net.exe	net1.exe
PID 2216 wrote to memory of 2684	2216	net.exe	net1.exe
PID 2216 wrote to memory of 2684	2216	net.exe	net1.exe
PID 2080 wrote to memory of 2676	2080	net.exe	net1.exe
PID 2080 wrote to memory of 2676	2080	net.exe	net1.exe
PID 2080 wrote to memory of 2676	2080	net.exe	net1.exe
PID 2080 wrote to memory of 2676	2080	net.exe	net1.exe
PID 2088 wrote to memory of 2692	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2692	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2692	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2692	2088	net.exe	net1.exe
PID 2192 wrote to memory of 2700	2192	net.exe	net1.exe
PID 2192 wrote to memory of 2700	2192	net.exe	net1.exe
PID 2192 wrote to memory of 2700	2192	net.exe	net1.exe
PID 2192 wrote to memory of 2700	2192	net.exe	net1.exe
PID 268 wrote to memory of 6688	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 6688	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 6688	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 6688	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 6712	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 6712	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 6712	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 6712	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 6688 wrote to memory of 6740	6688	net.exe	net1.exe
PID 6688 wrote to memory of 6740	6688	net.exe	net1.exe
PID 6688 wrote to memory of 6740	6688	net.exe	net1.exe
PID 6688 wrote to memory of 6740	6688	net.exe	net1.exe
PID 6712 wrote to memory of 6748	6712	net.exe	net1.exe
PID 6712 wrote to memory of 6748	6712	net.exe	net1.exe
PID 6712 wrote to memory of 6748	6712	net.exe	net1.exe
PID 6712 wrote to memory of 6748	6712	net.exe	net1.exe
PID 268 wrote to memory of 8612	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 8612	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 8612	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 8612	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 8620	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 8620	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 8620	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 268 wrote to memory of 8620	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	net.exe
PID 8620 wrote to memory of 8660	8620	net.exe	net1.exe
PID 8620 wrote to memory of 8660	8620	net.exe	net1.exe
PID 8620 wrote to memory of 8660	8620	net.exe	net1.exe
PID 8620 wrote to memory of 8660	8620	net.exe	net1.exe
PID 8612 wrote to memory of 8668	8612	net.exe	net1.exe
PID 8612 wrote to memory of 8668	8612	net.exe	net1.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
"C:\Users\Admin\AppData\Local\Temp\57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2676

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2692

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2684

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6688

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:8612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8668

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:8620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8660

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-55-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1220-56-0x0000000030000000-0x00000000302D2000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads