ryuk | 1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50

Analysis

max time kernel
158s
max time network
149s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe
Size

168KB
MD5

a66f22dfd411a7481b52511ea944209a
SHA1

e723b9d32b367c127d181e122ec53e0d528b4954
SHA256

1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50
SHA512

65089f73b85d7f14b9276dac0c5653f00c3e1d958ffccda2a980201ee5141055faadbc7795d7aef6848182904112feb0af6727697e17313f082c32a189f77dd8

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe
1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe
1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2180	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	29
PID 1608 wrote to memory of 2180	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	29
PID 1608 wrote to memory of 2180	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	29
PID 1608 wrote to memory of 2180	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	29
PID 1608 wrote to memory of 2264	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	31
PID 1608 wrote to memory of 2264	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	31
PID 1608 wrote to memory of 2264	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	31
PID 1608 wrote to memory of 2264	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	31
PID 2264 wrote to memory of 2700	2264	net.exe	33
PID 2264 wrote to memory of 2700	2264	net.exe	33
PID 2264 wrote to memory of 2700	2264	net.exe	33
PID 2264 wrote to memory of 2700	2264	net.exe	33
PID 2180 wrote to memory of 2708	2180	net.exe	34
PID 2180 wrote to memory of 2708	2180	net.exe	34
PID 2180 wrote to memory of 2708	2180	net.exe	34
PID 2180 wrote to memory of 2708	2180	net.exe	34
PID 1608 wrote to memory of 8464	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	35
PID 1608 wrote to memory of 8464	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	35
PID 1608 wrote to memory of 8464	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	35
PID 1608 wrote to memory of 8464	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	35
PID 8464 wrote to memory of 8488	8464	net.exe	37
PID 8464 wrote to memory of 8488	8464	net.exe	37
PID 8464 wrote to memory of 8488	8464	net.exe	37
PID 8464 wrote to memory of 8488	8464	net.exe	37
PID 1608 wrote to memory of 8616	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	38
PID 1608 wrote to memory of 8616	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	38
PID 1608 wrote to memory of 8616	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	38
PID 1608 wrote to memory of 8616	1608	1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe	38
PID 8616 wrote to memory of 8640	8616	net.exe	40
PID 8616 wrote to memory of 8640	8616	net.exe	40
PID 8616 wrote to memory of 8640	8616	net.exe	40
PID 8616 wrote to memory of 8640	8616	net.exe	40

C:\Users\Admin\AppData\Local\Temp\1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe
"C:\Users\Admin\AppData\Local\Temp\1efee516f6e8c5004de0ac50e94330fd1e4ffbf11412130dc7ecf7833062dd50.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2708
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2700
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8488
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-55-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download