ryuk | 18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398

General

Target

18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe
Size

171KB
MD5

d45e2dbc5c5abe867da458accc3e6f76
SHA1

61b49fd328287fec4a58a1f65c5297935ae0c2a0
SHA256

18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398
SHA512

8f63f65649c983b56cc783a5f858eea1c2e9598c724b671cb6e48d67777c7cd5d25c572ba7eae735e0808efe6262e6f4d99b1074aef7044485d516c1b2a9ba43

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> nowabosag1988@protonmail.com <br> pebawestsa1973@protonmail.com </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

nowabosag1988@protonmail.com

pebawestsa1973@protonmail.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe

pid	process
712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe
712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe

description pid process

Token: SeBackupPrivilege 712 18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe

description	pid	process
Token: SeBackupPrivilege	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exenet.exenet.exe

description	pid	process	target process
PID 712 wrote to memory of 5576	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	net.exe
PID 712 wrote to memory of 5576	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	net.exe
PID 712 wrote to memory of 5576	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	net.exe
PID 5576 wrote to memory of 5768	5576	net.exe	net1.exe
PID 5576 wrote to memory of 5768	5576	net.exe	net1.exe
PID 5576 wrote to memory of 5768	5576	net.exe	net1.exe
PID 712 wrote to memory of 5936	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	net.exe
PID 712 wrote to memory of 5936	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	net.exe
PID 712 wrote to memory of 5936	712	18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe	net.exe
PID 5936 wrote to memory of 6036	5936	net.exe	net1.exe
PID 5936 wrote to memory of 6036	5936	net.exe	net1.exe
PID 5936 wrote to memory of 6036	5936	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe
"C:\Users\Admin\AppData\Local\Temp\18de58d917d88c70fb842928f5b564e0a4263d472dac1d411ce455d4b7c55398.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:5768

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads