ryuk | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

General

Target

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
Size

117KB
MD5

045eb328ff30b09cebd6fe3c031db7bc
SHA1

b28cd818c54d7a4f5416728a8f8408e6c9c40bc2
SHA256

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
SHA512

6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

MmFTIiMoZrep.exenVpoSqBRLlan.exekJGwghwrBlan.exe

pid process

2876 MmFTIiMoZrep.exe
2800 nVpoSqBRLlan.exe
5040 kJGwghwrBlan.exe

pid	process
2876	MmFTIiMoZrep.exe
2800	nVpoSqBRLlan.exe
5040	kJGwghwrBlan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

7544 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
7544	icacls.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

pid	process
1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

description	pid	process	target process
PID 1700 wrote to memory of 2876	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	MmFTIiMoZrep.exe
PID 1700 wrote to memory of 2876	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	MmFTIiMoZrep.exe
PID 1700 wrote to memory of 2876	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	MmFTIiMoZrep.exe
PID 1700 wrote to memory of 2800	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	nVpoSqBRLlan.exe
PID 1700 wrote to memory of 2800	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	nVpoSqBRLlan.exe
PID 1700 wrote to memory of 2800	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	nVpoSqBRLlan.exe
PID 1700 wrote to memory of 5040	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	kJGwghwrBlan.exe
PID 1700 wrote to memory of 5040	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	kJGwghwrBlan.exe
PID 1700 wrote to memory of 5040	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	kJGwghwrBlan.exe
PID 1700 wrote to memory of 7544	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 1700 wrote to memory of 7544	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe
PID 1700 wrote to memory of 7544	1700	379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
"C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe
"C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:2876

C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe
"C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2800

C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe
"C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:7544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe
MD5
045eb328ff30b09cebd6fe3c031db7bc

SHA1
b28cd818c54d7a4f5416728a8f8408e6c9c40bc2

SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

SHA512
6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9

Download Submit
C:\users\Public\RyukReadMe.html
MD5
2ebc1b0ea162294be2a9d7466ebb5a90

SHA1
0383e7bb7f0e8e06afab4d70db4b4d330499cc27

SHA256
6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb

SHA512
978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads