ryuk | 3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689

Analysis

max time kernel
182s
max time network
101s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
Size

191KB
MD5

aa8d5eec0c68de288fdd55a128e77e95
SHA1

496e01324adba5e4db50cb723cc0f4593dfdf6b3
SHA256

3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689
SHA512

86700f73ac9da32ff9c5e6ea249ff0dd362a11ca3fd5dd4730c3cc5ccbdc2893a288e4ad26c89dd30e33e841c43cd4cb55ee989efa9e2ecad947ab1a198a7fe2

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
1636	iWrgMWM.exe

Loads dropped DLL 2 IoCs

pid	Process
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
1636	iWrgMWM.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
1636	iWrgMWM.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
Token: SeBackupPrivilege	1636	iWrgMWM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 1636	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	27
PID 804 wrote to memory of 1636	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	27
PID 804 wrote to memory of 1636	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	27
PID 804 wrote to memory of 1636	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	27
PID 804 wrote to memory of 764	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	28
PID 804 wrote to memory of 764	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	28
PID 804 wrote to memory of 764	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	28
PID 804 wrote to memory of 764	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	28
PID 764 wrote to memory of 1496	764	net.exe	30
PID 764 wrote to memory of 1496	764	net.exe	30
PID 764 wrote to memory of 1496	764	net.exe	30
PID 764 wrote to memory of 1496	764	net.exe	30
PID 804 wrote to memory of 1488	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	31
PID 804 wrote to memory of 1488	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	31
PID 804 wrote to memory of 1488	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	31
PID 804 wrote to memory of 1488	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	31
PID 1488 wrote to memory of 516	1488	net.exe	33
PID 1488 wrote to memory of 516	1488	net.exe	33
PID 1488 wrote to memory of 516	1488	net.exe	33
PID 1488 wrote to memory of 516	1488	net.exe	33
PID 804 wrote to memory of 1980	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	34
PID 804 wrote to memory of 1980	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	34
PID 804 wrote to memory of 1980	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	34
PID 804 wrote to memory of 1980	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	34
PID 1980 wrote to memory of 2100	1980	net.exe	36
PID 1980 wrote to memory of 2100	1980	net.exe	36
PID 1980 wrote to memory of 2100	1980	net.exe	36
PID 1980 wrote to memory of 2100	1980	net.exe	36
PID 804 wrote to memory of 2168	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	37
PID 804 wrote to memory of 2168	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	37
PID 804 wrote to memory of 2168	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	37
PID 804 wrote to memory of 2168	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	37
PID 2168 wrote to memory of 2616	2168	net.exe	39
PID 2168 wrote to memory of 2616	2168	net.exe	39
PID 2168 wrote to memory of 2616	2168	net.exe	39
PID 2168 wrote to memory of 2616	2168	net.exe	39
PID 1636 wrote to memory of 7752	1636	iWrgMWM.exe	42
PID 1636 wrote to memory of 7752	1636	iWrgMWM.exe	42
PID 1636 wrote to memory of 7752	1636	iWrgMWM.exe	42
PID 1636 wrote to memory of 7752	1636	iWrgMWM.exe	42
PID 7752 wrote to memory of 7776	7752	net.exe	44
PID 7752 wrote to memory of 7776	7752	net.exe	44
PID 7752 wrote to memory of 7776	7752	net.exe	44
PID 7752 wrote to memory of 7776	7752	net.exe	44
PID 804 wrote to memory of 22240	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	47
PID 804 wrote to memory of 22240	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	47
PID 804 wrote to memory of 22240	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	47
PID 804 wrote to memory of 22240	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	47
PID 22240 wrote to memory of 23248	22240	net.exe	48
PID 22240 wrote to memory of 23248	22240	net.exe	48
PID 22240 wrote to memory of 23248	22240	net.exe	48
PID 22240 wrote to memory of 23248	22240	net.exe	48
PID 804 wrote to memory of 24192	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	49
PID 804 wrote to memory of 24192	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	49
PID 804 wrote to memory of 24192	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	49
PID 804 wrote to memory of 24192	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	49
PID 24192 wrote to memory of 24216	24192	net.exe	51
PID 24192 wrote to memory of 24216	24192	net.exe	51
PID 24192 wrote to memory of 24216	24192	net.exe	51
PID 24192 wrote to memory of 24216	24192	net.exe	51
PID 804 wrote to memory of 1604	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	52
PID 804 wrote to memory of 1604	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	52
PID 804 wrote to memory of 1604	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	52
PID 804 wrote to memory of 1604	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	52

C:\Users\Admin\AppData\Local\Temp\3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
"C:\Users\Admin\AppData\Local\Temp\3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\iWrgMWM.exe
  "C:\Users\Admin\AppData\Local\Temp\iWrgMWM.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:7752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:7776
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:45236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:45276
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:516
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2100
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2616
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:22240
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:23248
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:24192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:24216
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1692
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-54-0x0000000075341000-0x0000000075343000-memory.dmp

Filesize
8KB

Download