ryuk | 57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14

Analysis

max time kernel
169s
max time network
150s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
Size

171KB
MD5

643edd16a075087e1f52c90520191966
SHA1

e40f903c67de534bc0a3b0ca7bd86eed321381e6
SHA256

57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14
SHA512

48a05089ef89cf4509a656b30045e8bd200366d09ffcd15ab92e9b1e3ee5d9395f471370670cd2eeec6dda65897f1576e4ccd9cee5bc674e85d55df47258e5a6

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
Token: SeBackupPrivilege	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 1220	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	13
PID 268 wrote to memory of 1312	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	12
PID 268 wrote to memory of 2080	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	27
PID 268 wrote to memory of 2080	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	27
PID 268 wrote to memory of 2080	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	27
PID 268 wrote to memory of 2080	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	27
PID 268 wrote to memory of 2088	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	28
PID 268 wrote to memory of 2088	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	28
PID 268 wrote to memory of 2088	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	28
PID 268 wrote to memory of 2088	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	28
PID 268 wrote to memory of 2192	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	31
PID 268 wrote to memory of 2192	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	31
PID 268 wrote to memory of 2192	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	31
PID 268 wrote to memory of 2192	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	31
PID 268 wrote to memory of 2216	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	33
PID 268 wrote to memory of 2216	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	33
PID 268 wrote to memory of 2216	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	33
PID 268 wrote to memory of 2216	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	33
PID 2216 wrote to memory of 2684	2216	net.exe	36
PID 2216 wrote to memory of 2684	2216	net.exe	36
PID 2216 wrote to memory of 2684	2216	net.exe	36
PID 2216 wrote to memory of 2684	2216	net.exe	36
PID 2080 wrote to memory of 2676	2080	net.exe	37
PID 2080 wrote to memory of 2676	2080	net.exe	37
PID 2080 wrote to memory of 2676	2080	net.exe	37
PID 2080 wrote to memory of 2676	2080	net.exe	37
PID 2088 wrote to memory of 2692	2088	net.exe	38
PID 2088 wrote to memory of 2692	2088	net.exe	38
PID 2088 wrote to memory of 2692	2088	net.exe	38
PID 2088 wrote to memory of 2692	2088	net.exe	38
PID 2192 wrote to memory of 2700	2192	net.exe	39
PID 2192 wrote to memory of 2700	2192	net.exe	39
PID 2192 wrote to memory of 2700	2192	net.exe	39
PID 2192 wrote to memory of 2700	2192	net.exe	39
PID 268 wrote to memory of 6688	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	41
PID 268 wrote to memory of 6688	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	41
PID 268 wrote to memory of 6688	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	41
PID 268 wrote to memory of 6688	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	41
PID 268 wrote to memory of 6712	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	43
PID 268 wrote to memory of 6712	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	43
PID 268 wrote to memory of 6712	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	43
PID 268 wrote to memory of 6712	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	43
PID 6688 wrote to memory of 6740	6688	net.exe	45
PID 6688 wrote to memory of 6740	6688	net.exe	45
PID 6688 wrote to memory of 6740	6688	net.exe	45
PID 6688 wrote to memory of 6740	6688	net.exe	45
PID 6712 wrote to memory of 6748	6712	net.exe	46
PID 6712 wrote to memory of 6748	6712	net.exe	46
PID 6712 wrote to memory of 6748	6712	net.exe	46
PID 6712 wrote to memory of 6748	6712	net.exe	46
PID 268 wrote to memory of 8612	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	47
PID 268 wrote to memory of 8612	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	47
PID 268 wrote to memory of 8612	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	47
PID 268 wrote to memory of 8612	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	47
PID 268 wrote to memory of 8620	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	48
PID 268 wrote to memory of 8620	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	48
PID 268 wrote to memory of 8620	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	48
PID 268 wrote to memory of 8620	268	57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe	48
PID 8620 wrote to memory of 8660	8620	net.exe	51
PID 8620 wrote to memory of 8660	8620	net.exe	51
PID 8620 wrote to memory of 8660	8620	net.exe	51
PID 8620 wrote to memory of 8660	8620	net.exe	51
PID 8612 wrote to memory of 8668	8612	net.exe	52
PID 8612 wrote to memory of 8668	8612	net.exe	52

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe
"C:\Users\Admin\AppData\Local\Temp\57ae2c58e9a78ce3021c7ed801b3e7f0eada5eeb070c519f573ff9d8bb09ca14.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2676
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2692
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2700
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2684
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6740
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6748
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8668
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-55-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1220-56-0x0000000030000000-0x00000000302D2000-memory.dmp

Filesize
2.8MB

Download