ryuk | 18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398

General

Target

18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe
Size

171KB
MD5

d45e2dbc5c5abe867da458accc3e6f76
SHA1

61b49fd328287fec4a58a1f65c5297935ae0c2a0
SHA256

18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398
SHA512

8f63f65649c983b56cc783a5f858eea1c2e9598c724b671cb6e48d67777c7cd5d25c572ba7eae735e0808efe6262e6f4d99b1074aef7044485d516c1b2a9ba43

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe
712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 5576	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	83
PID 712 wrote to memory of 5576	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	83
PID 712 wrote to memory of 5576	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	83
PID 5576 wrote to memory of 5768	5576	net.exe	85
PID 5576 wrote to memory of 5768	5576	net.exe	85
PID 5576 wrote to memory of 5768	5576	net.exe	85
PID 712 wrote to memory of 5936	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	86
PID 712 wrote to memory of 5936	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	86
PID 712 wrote to memory of 5936	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	86
PID 5936 wrote to memory of 6036	5936	net.exe	88
PID 5936 wrote to memory of 6036	5936	net.exe	88
PID 5936 wrote to memory of 6036	5936	net.exe	88

C:\Users\Admin\AppData\Local\Temp\18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe
"C:\Users\Admin\AppData\Local\Temp\18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:712
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:5768
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:6036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads