ryuk | 27661d53ec6d5e1938d85b9094c94ac51d0b82e849cffeaf261abb3ccde48e5e

General

Target

27661d53ec6d5e1938d85b9094c94ac51d0b82e849cffeaf261abb3ccde48e5e.dll
Size

134KB
MD5

b1ef5d407cdc3dab603735e862d0ba45
SHA1

656ebac8cb7fed5ca33b7fccf18aa0a3265eb0f8
SHA256

27661d53ec6d5e1938d85b9094c94ac51d0b82e849cffeaf261abb3ccde48e5e
SHA512

c728dbaae2e3bc8d057b2d679c401b2239f79ab5f398b246e358f5604215ecdf9bf598469f69d284fa3b7da1d0ccbef5c213aced739fa001d618c3ae35f0e096

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'tKPGaxUEJ1'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
516	kzezATpbFrep.exe
844	TVykZJRTzlan.exe
612	KGcrQOKRRlan.exe

Loads dropped DLL 3 IoCs

pid	Process
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1640	icacls.exe
1628	icacls.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kzezATpbFrep.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\kzezATpbFrep.exe	rundll32.exe
File created	C:\Windows\SysWOW64\TVykZJRTzlan.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\TVykZJRTzlan.exe	rundll32.exe
File created	C:\Windows\SysWOW64\KGcrQOKRRlan.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\KGcrQOKRRlan.exe	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RyukReadMe.html	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1672	948	rundll32.exe	27
PID 948 wrote to memory of 1672	948	rundll32.exe	27
PID 948 wrote to memory of 1672	948	rundll32.exe	27
PID 948 wrote to memory of 1672	948	rundll32.exe	27
PID 948 wrote to memory of 1672	948	rundll32.exe	27
PID 948 wrote to memory of 1672	948	rundll32.exe	27
PID 948 wrote to memory of 1672	948	rundll32.exe	27
PID 1672 wrote to memory of 516	1672	rundll32.exe	28
PID 1672 wrote to memory of 516	1672	rundll32.exe	28
PID 1672 wrote to memory of 516	1672	rundll32.exe	28
PID 1672 wrote to memory of 516	1672	rundll32.exe	28
PID 1672 wrote to memory of 844	1672	rundll32.exe	31
PID 1672 wrote to memory of 844	1672	rundll32.exe	31
PID 1672 wrote to memory of 844	1672	rundll32.exe	31
PID 1672 wrote to memory of 844	1672	rundll32.exe	31
PID 1672 wrote to memory of 612	1672	rundll32.exe	32
PID 1672 wrote to memory of 612	1672	rundll32.exe	32
PID 1672 wrote to memory of 612	1672	rundll32.exe	32
PID 1672 wrote to memory of 612	1672	rundll32.exe	32
PID 1672 wrote to memory of 1628	1672	rundll32.exe	33
PID 1672 wrote to memory of 1628	1672	rundll32.exe	33
PID 1672 wrote to memory of 1628	1672	rundll32.exe	33
PID 1672 wrote to memory of 1628	1672	rundll32.exe	33
PID 1672 wrote to memory of 1640	1672	rundll32.exe	35
PID 1672 wrote to memory of 1640	1672	rundll32.exe	35
PID 1672 wrote to memory of 1640	1672	rundll32.exe	35
PID 1672 wrote to memory of 1640	1672	rundll32.exe	35

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27661d53ec6d5e1938d85b9094c94ac51d0b82e849cffeaf261abb3ccde48e5e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\27661d53ec6d5e1938d85b9094c94ac51d0b82e849cffeaf261abb3ccde48e5e.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\kzezATpbFrep.exe
    "C:\Windows\SysWOW64\kzezATpbFrep.exe" 9 REP
    3⤵
    - Executes dropped EXE
    PID:516
- - C:\Windows\SysWOW64\TVykZJRTzlan.exe
    "C:\Windows\SysWOW64\TVykZJRTzlan.exe" 8 LAN
    3⤵
    - Executes dropped EXE
    PID:844
- - C:\Windows\SysWOW64\KGcrQOKRRlan.exe
    "C:\Windows\SysWOW64\KGcrQOKRRlan.exe" 8 LAN
    3⤵
    - Executes dropped EXE
    PID:612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1628
- - C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-55-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download
memory/1672-56-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing