ryuk | 487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4

Analysis

max time kernel
185s
max time network
160s
platform
windows7_x64
resource
win7-en-20211208
submitted
20/02/2022, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
Size

193KB
MD5

e197188193bc7e7a2049c8c966c2e148
SHA1

8a12a2255be5b4d42c90c5d0b9f2d4797fa3cd69
SHA256

487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4
SHA512

edf405353d643eeb038b4040b1bd1f5558ec6fded6c7ab516497d6f62c1f48d0c2d948d5bb8d6cc3ec87fd7f4f2ce883879ea20bcf86b69721629ae67a3323d8

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 1 IoCs

pid	Process
1968	WlwyBlS.exe

Loads dropped DLL 2 IoCs

pid	Process
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
1968	WlwyBlS.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
1968	WlwyBlS.exe
1968	WlwyBlS.exe
1968	WlwyBlS.exe
1968	WlwyBlS.exe
1968	WlwyBlS.exe
1968	WlwyBlS.exe
1968	WlwyBlS.exe
1968	WlwyBlS.exe
1968	WlwyBlS.exe
1968	WlwyBlS.exe
1968	WlwyBlS.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
1968	WlwyBlS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
Token: SeBackupPrivilege	1968	WlwyBlS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 1968	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	29
PID 608 wrote to memory of 1968	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	29
PID 608 wrote to memory of 1968	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	29
PID 608 wrote to memory of 1968	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	29
PID 608 wrote to memory of 1060	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	30
PID 608 wrote to memory of 1060	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	30
PID 608 wrote to memory of 1060	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	30
PID 608 wrote to memory of 1060	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	30
PID 608 wrote to memory of 676	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	32
PID 608 wrote to memory of 676	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	32
PID 608 wrote to memory of 676	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	32
PID 608 wrote to memory of 676	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	32
PID 1060 wrote to memory of 1148	1060	net.exe	35
PID 1060 wrote to memory of 1148	1060	net.exe	35
PID 1060 wrote to memory of 1148	1060	net.exe	35
PID 1060 wrote to memory of 1148	1060	net.exe	35
PID 676 wrote to memory of 1520	676	net.exe	34
PID 676 wrote to memory of 1520	676	net.exe	34
PID 676 wrote to memory of 1520	676	net.exe	34
PID 676 wrote to memory of 1520	676	net.exe	34
PID 608 wrote to memory of 1624	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	36
PID 608 wrote to memory of 1624	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	36
PID 608 wrote to memory of 1624	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	36
PID 608 wrote to memory of 1624	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	36
PID 1624 wrote to memory of 2028	1624	net.exe	38
PID 1624 wrote to memory of 2028	1624	net.exe	38
PID 1624 wrote to memory of 2028	1624	net.exe	38
PID 1624 wrote to memory of 2028	1624	net.exe	38
PID 608 wrote to memory of 2260	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	39
PID 608 wrote to memory of 2260	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	39
PID 608 wrote to memory of 2260	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	39
PID 608 wrote to memory of 2260	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	39
PID 2260 wrote to memory of 2284	2260	net.exe	41
PID 2260 wrote to memory of 2284	2260	net.exe	41
PID 2260 wrote to memory of 2284	2260	net.exe	41
PID 2260 wrote to memory of 2284	2260	net.exe	41
PID 1968 wrote to memory of 3332	1968	WlwyBlS.exe	42
PID 1968 wrote to memory of 3332	1968	WlwyBlS.exe	42
PID 1968 wrote to memory of 3332	1968	WlwyBlS.exe	42
PID 1968 wrote to memory of 3332	1968	WlwyBlS.exe	42
PID 3332 wrote to memory of 3356	3332	net.exe	44
PID 3332 wrote to memory of 3356	3332	net.exe	44
PID 3332 wrote to memory of 3356	3332	net.exe	44
PID 3332 wrote to memory of 3356	3332	net.exe	44
PID 608 wrote to memory of 10076	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	45
PID 608 wrote to memory of 10076	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	45
PID 608 wrote to memory of 10076	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	45
PID 608 wrote to memory of 10076	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	45
PID 10076 wrote to memory of 10128	10076	net.exe	47
PID 10076 wrote to memory of 10128	10076	net.exe	47
PID 10076 wrote to memory of 10128	10076	net.exe	47
PID 10076 wrote to memory of 10128	10076	net.exe	47
PID 608 wrote to memory of 10960	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	48
PID 608 wrote to memory of 10960	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	48
PID 608 wrote to memory of 10960	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	48
PID 608 wrote to memory of 10960	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	48
PID 10960 wrote to memory of 10936	10960	net.exe	49
PID 10960 wrote to memory of 10936	10960	net.exe	49
PID 10960 wrote to memory of 10936	10960	net.exe	49
PID 10960 wrote to memory of 10936	10960	net.exe	49
PID 608 wrote to memory of 28604	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	52
PID 608 wrote to memory of 28604	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	52
PID 608 wrote to memory of 28604	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	52
PID 608 wrote to memory of 28604	608	487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe	52

C:\Users\Admin\AppData\Local\Temp\487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe
"C:\Users\Admin\AppData\Local\Temp\487d4698c6c938ca3e9251827a5813ddd21e26584b3459d768e457ddd4e8c4d4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:608
- C:\Users\Admin\AppData\Local\Temp\WlwyBlS.exe
  "C:\Users\Admin\AppData\Local\Temp\WlwyBlS.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:3356
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:40492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:40520
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1148
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1520
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2028
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2284
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:10128
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:10936
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:28604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:28628
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:27724
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:27780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/608-54-0x00000000751B1000-0x00000000751B3000-memory.dmp

Filesize
8KB

Download