ryuk | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

General

Target

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
Size

117KB
MD5

045eb328ff30b09cebd6fe3c031db7bc
SHA1

b28cd818c54d7a4f5416728a8f8408e6c9c40bc2
SHA256

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
SHA512

6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
1688	OKIzIqFIfrep.exe
392	WffDgOMpjlan.exe
1944	FBbBrmbdQlan.exe

Loads dropped DLL 6 IoCs

pid	Process
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
26188	icacls.exe
26196	icacls.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1688	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	29
PID 1544 wrote to memory of 1688	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	29
PID 1544 wrote to memory of 1688	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	29
PID 1544 wrote to memory of 1688	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	29
PID 1544 wrote to memory of 392	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	30
PID 1544 wrote to memory of 392	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	30
PID 1544 wrote to memory of 392	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	30
PID 1544 wrote to memory of 392	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	30
PID 1544 wrote to memory of 1944	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	31
PID 1544 wrote to memory of 1944	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	31
PID 1544 wrote to memory of 1944	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	31
PID 1544 wrote to memory of 1944	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	31
PID 1544 wrote to memory of 26188	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	32
PID 1544 wrote to memory of 26188	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	32
PID 1544 wrote to memory of 26188	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	32
PID 1544 wrote to memory of 26188	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	32
PID 1544 wrote to memory of 26196	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	33
PID 1544 wrote to memory of 26196	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	33
PID 1544 wrote to memory of 26196	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	33
PID 1544 wrote to memory of 26196	1544	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	33

C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
"C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
  "C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
  "C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
  "C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:26188
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:26196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1544-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1544-98-0x000000000BAD0000-0x000000000C58A000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing