ryuk | 4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539

General

Target

4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe
Size

188KB
MD5

d2d3d877e06b0181b67c6e610b40c44c
SHA1

6a0dd2ab04d5b0b6869d5b7d9b4eb591087bace9
SHA256

4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539
SHA512

320cc4f1862425d706c4d369fa5f13a62cc9f3454dae91b239a28440c14dd92972b8d1cfa4fea699dc996e67c3a4db49b4c4ed6e63329492ee6cf8f4f7059cf0

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

XaKdReS.exe

pid process

4628 XaKdReS.exe

pid	process
4628	XaKdReS.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exeXaKdReS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	XaKdReS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exeXaKdReS.exe

pid	process
5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe
5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe
5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe
5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe
4628	XaKdReS.exe
4628	XaKdReS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exeXaKdReS.exe

description	pid	process
Token: SeBackupPrivilege	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe
Token: SeBackupPrivilege	4628	XaKdReS.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exenet.exenet.exenet.exenet.exeXaKdReS.exenet.exenet.exe

description	pid	process	target process
PID 5088 wrote to memory of 4628	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	XaKdReS.exe
PID 5088 wrote to memory of 4628	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	XaKdReS.exe
PID 5088 wrote to memory of 4628	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	XaKdReS.exe
PID 5088 wrote to memory of 3436	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 5088 wrote to memory of 3436	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 5088 wrote to memory of 3436	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 3436 wrote to memory of 3632	3436	net.exe	net1.exe
PID 3436 wrote to memory of 3632	3436	net.exe	net1.exe
PID 3436 wrote to memory of 3632	3436	net.exe	net1.exe
PID 5088 wrote to memory of 4436	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 5088 wrote to memory of 4436	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 5088 wrote to memory of 4436	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 4436 wrote to memory of 1272	4436	net.exe	net1.exe
PID 4436 wrote to memory of 1272	4436	net.exe	net1.exe
PID 4436 wrote to memory of 1272	4436	net.exe	net1.exe
PID 5088 wrote to memory of 2668	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 5088 wrote to memory of 2668	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 5088 wrote to memory of 2668	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 2668 wrote to memory of 1772	2668	net.exe	net1.exe
PID 2668 wrote to memory of 1772	2668	net.exe	net1.exe
PID 2668 wrote to memory of 1772	2668	net.exe	net1.exe
PID 5088 wrote to memory of 4616	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 5088 wrote to memory of 4616	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 5088 wrote to memory of 4616	5088	4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe	net.exe
PID 4616 wrote to memory of 3976	4616	net.exe	net1.exe
PID 4616 wrote to memory of 3976	4616	net.exe	net1.exe
PID 4616 wrote to memory of 3976	4616	net.exe	net1.exe
PID 4628 wrote to memory of 4356	4628	XaKdReS.exe	net.exe
PID 4628 wrote to memory of 4356	4628	XaKdReS.exe	net.exe
PID 4628 wrote to memory of 4356	4628	XaKdReS.exe	net.exe
PID 4628 wrote to memory of 4136	4628	XaKdReS.exe	net.exe
PID 4628 wrote to memory of 4136	4628	XaKdReS.exe	net.exe
PID 4628 wrote to memory of 4136	4628	XaKdReS.exe	net.exe
PID 4136 wrote to memory of 3048	4136	net.exe	net1.exe
PID 4136 wrote to memory of 3048	4136	net.exe	net1.exe
PID 4136 wrote to memory of 3048	4136	net.exe	net1.exe
PID 4356 wrote to memory of 3936	4356	net.exe	net1.exe
PID 4356 wrote to memory of 3936	4356	net.exe	net1.exe
PID 4356 wrote to memory of 3936	4356	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe
"C:\Users\Admin\AppData\Local\Temp\4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\XaKdReS.exe
  "C:\Users\Admin\AppData\Local\Temp\XaKdReS.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:3048
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3632
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1272
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1772
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaKdReS.exe

MD5
d2d3d877e06b0181b67c6e610b40c44c

SHA1
6a0dd2ab04d5b0b6869d5b7d9b4eb591087bace9

SHA256
4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539

SHA512
320cc4f1862425d706c4d369fa5f13a62cc9f3454dae91b239a28440c14dd92972b8d1cfa4fea699dc996e67c3a4db49b4c4ed6e63329492ee6cf8f4f7059cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaKdReS.exe

MD5
d2d3d877e06b0181b67c6e610b40c44c

SHA1
6a0dd2ab04d5b0b6869d5b7d9b4eb591087bace9

SHA256
4b5b08346e369b59cae2120fcdc16b720bf2f2ec74115045cfafc24eecccb539

SHA512
320cc4f1862425d706c4d369fa5f13a62cc9f3454dae91b239a28440c14dd92972b8d1cfa4fea699dc996e67c3a4db49b4c4ed6e63329492ee6cf8f4f7059cf0

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads