ryuk | 3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689

Analysis

max time kernel
182s
max time network
101s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
Size

191KB
MD5

aa8d5eec0c68de288fdd55a128e77e95
SHA1

496e01324adba5e4db50cb723cc0f4593dfdf6b3
SHA256

3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689
SHA512

86700f73ac9da32ff9c5e6ea249ff0dd362a11ca3fd5dd4730c3cc5ccbdc2893a288e4ad26c89dd30e33e841c43cd4cb55ee989efa9e2ecad947ab1a198a7fe2

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

iWrgMWM.exe

pid process

1636 iWrgMWM.exe

pid	process
1636	iWrgMWM.exe

Loads dropped DLL 2 IoCs

Processes:

3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe

pid	process
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exeiWrgMWM.exe

pid	process
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
1636	iWrgMWM.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
1636	iWrgMWM.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
1636	iWrgMWM.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exeiWrgMWM.exe

description	pid	process
Token: SeBackupPrivilege	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
Token: SeBackupPrivilege	1636	iWrgMWM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exenet.exenet.exenet.exenet.exeiWrgMWM.exenet.exenet.exenet.exe

description	pid	process	target process
PID 804 wrote to memory of 1636	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	iWrgMWM.exe
PID 804 wrote to memory of 1636	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	iWrgMWM.exe
PID 804 wrote to memory of 1636	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	iWrgMWM.exe
PID 804 wrote to memory of 1636	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	iWrgMWM.exe
PID 804 wrote to memory of 764	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 764	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 764	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 764	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 764 wrote to memory of 1496	764	net.exe	net1.exe
PID 764 wrote to memory of 1496	764	net.exe	net1.exe
PID 764 wrote to memory of 1496	764	net.exe	net1.exe
PID 764 wrote to memory of 1496	764	net.exe	net1.exe
PID 804 wrote to memory of 1488	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 1488	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 1488	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 1488	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 1488 wrote to memory of 516	1488	net.exe	net1.exe
PID 1488 wrote to memory of 516	1488	net.exe	net1.exe
PID 1488 wrote to memory of 516	1488	net.exe	net1.exe
PID 1488 wrote to memory of 516	1488	net.exe	net1.exe
PID 804 wrote to memory of 1980	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 1980	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 1980	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 1980	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 1980 wrote to memory of 2100	1980	net.exe	net1.exe
PID 1980 wrote to memory of 2100	1980	net.exe	net1.exe
PID 1980 wrote to memory of 2100	1980	net.exe	net1.exe
PID 1980 wrote to memory of 2100	1980	net.exe	net1.exe
PID 804 wrote to memory of 2168	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 2168	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 2168	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 2168	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 2168 wrote to memory of 2616	2168	net.exe	net1.exe
PID 2168 wrote to memory of 2616	2168	net.exe	net1.exe
PID 2168 wrote to memory of 2616	2168	net.exe	net1.exe
PID 2168 wrote to memory of 2616	2168	net.exe	net1.exe
PID 1636 wrote to memory of 7752	1636	iWrgMWM.exe	net.exe
PID 1636 wrote to memory of 7752	1636	iWrgMWM.exe	net.exe
PID 1636 wrote to memory of 7752	1636	iWrgMWM.exe	net.exe
PID 1636 wrote to memory of 7752	1636	iWrgMWM.exe	net.exe
PID 7752 wrote to memory of 7776	7752	net.exe	net1.exe
PID 7752 wrote to memory of 7776	7752	net.exe	net1.exe
PID 7752 wrote to memory of 7776	7752	net.exe	net1.exe
PID 7752 wrote to memory of 7776	7752	net.exe	net1.exe
PID 804 wrote to memory of 22240	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 22240	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 22240	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 22240	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 22240 wrote to memory of 23248	22240	net.exe	net1.exe
PID 22240 wrote to memory of 23248	22240	net.exe	net1.exe
PID 22240 wrote to memory of 23248	22240	net.exe	net1.exe
PID 22240 wrote to memory of 23248	22240	net.exe	net1.exe
PID 804 wrote to memory of 24192	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 24192	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 24192	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 24192	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 24192 wrote to memory of 24216	24192	net.exe	net1.exe
PID 24192 wrote to memory of 24216	24192	net.exe	net1.exe
PID 24192 wrote to memory of 24216	24192	net.exe	net1.exe
PID 24192 wrote to memory of 24216	24192	net.exe	net1.exe
PID 804 wrote to memory of 1604	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 1604	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 1604	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe
PID 804 wrote to memory of 1604	804	3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe
"C:\Users\Admin\AppData\Local\Temp\3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\iWrgMWM.exe
  "C:\Users\Admin\AppData\Local\Temp\iWrgMWM.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:7752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:7776
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:45236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:45276
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:516
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2100
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2616
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:22240
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:23248
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:24192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:24216
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1692
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5
c6b39645b1dbfb5cef7ff3a06eb45a5f

SHA1
582fc94349b00e518bbb5c706e7cc8adc75ecab6

SHA256
4962251e42282a3fd2b73dacc827a09cfae86f5474cd14ec59d39ed085b77206

SHA512
21471cd47aae47ca7c391a8fd4fab58824c7cf536ed037c7e88bf3b7d33a3df285c0860e21984234e38dea4021db77f5b3f6b571d4b2892cb4ef6ffc6430c186

Download Submit
C:\Users\Admin\AppData\Local\Temp\iWrgMWM.exe

MD5
aa8d5eec0c68de288fdd55a128e77e95

SHA1
496e01324adba5e4db50cb723cc0f4593dfdf6b3

SHA256
3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689

SHA512
86700f73ac9da32ff9c5e6ea249ff0dd362a11ca3fd5dd4730c3cc5ccbdc2893a288e4ad26c89dd30e33e841c43cd4cb55ee989efa9e2ecad947ab1a198a7fe2

Download Submit
\Users\Admin\AppData\Local\Temp\iWrgMWM.exe

MD5
aa8d5eec0c68de288fdd55a128e77e95

SHA1
496e01324adba5e4db50cb723cc0f4593dfdf6b3

SHA256
3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689

SHA512
86700f73ac9da32ff9c5e6ea249ff0dd362a11ca3fd5dd4730c3cc5ccbdc2893a288e4ad26c89dd30e33e841c43cd4cb55ee989efa9e2ecad947ab1a198a7fe2

Download Submit
\Users\Admin\AppData\Local\Temp\iWrgMWM.exe

MD5
aa8d5eec0c68de288fdd55a128e77e95

SHA1
496e01324adba5e4db50cb723cc0f4593dfdf6b3

SHA256
3d240e8f42c1ea380b06300235f77423f09bae5b81021150ad4e7aaaf18e8689

SHA512
86700f73ac9da32ff9c5e6ea249ff0dd362a11ca3fd5dd4730c3cc5ccbdc2893a288e4ad26c89dd30e33e841c43cd4cb55ee989efa9e2ecad947ab1a198a7fe2

Download Submit
memory/804-54-0x0000000075341000-0x0000000075343000-memory.dmp

Filesize
8KB

Download