ryuk | 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

General

Target

1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe
Size

1.2MB
MD5

0ecf16ceba335bcdc023ab71472a247f
SHA1

60b08b42bc540491f978185c0a5e3a28dbda4364
SHA256

1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
SHA512

0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral2/memory/2144-138-0x0000000002360000-0x0000000002384000-memory.dmp	dave

Executes dropped EXE 3 IoCs

pid	Process
1752	RHddzbjDzlan.exe
3912	xDWSpQhpOlan.exe
2548	xaMrJcRMulan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3848	icacls.exe
800	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe
1752	RHddzbjDzlan.exe
3912	xDWSpQhpOlan.exe
2548	xaMrJcRMulan.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1752	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	86
PID 2144 wrote to memory of 1752	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	86
PID 2144 wrote to memory of 1752	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	86
PID 2144 wrote to memory of 3912	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	89
PID 2144 wrote to memory of 3912	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	89
PID 2144 wrote to memory of 3912	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	89
PID 2144 wrote to memory of 2548	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	90
PID 2144 wrote to memory of 2548	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	90
PID 2144 wrote to memory of 2548	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	90

C:\Users\Admin\AppData\Local\Temp\1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe
"C:\Users\Admin\AppData\Local\Temp\1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exe
  "C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exe
  "C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3912
- C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exe
  "C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2548
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3848
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exe

Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exe

Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exe

Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exe

Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exe

Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exe

Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
620B

MD5
30216037d54b0c1d9509f6f0610c9007

SHA1
963de1f69a00dce5a86e0307b0986e9f2f41f0b1

SHA256
de79f986f67a452df6237e36fd3d31c87235dbfe8986eab7ffd3a2b598cf2474

SHA512
ac0e568dbadbdee7a826dcce3f3f009da61b07cff24e2d9dfbc4972bf4b0a0a94cb1c6ddf050c416bf85bee4e5702c8bdf2c7efa0cfc5fc55a03283d6a06e2c6

Download Submit
memory/1752-142-0x0000000002370000-0x0000000002396000-memory.dmp

Filesize
152KB

Download
memory/2144-130-0x0000000002390000-0x00000000023B6000-memory.dmp

Filesize
152KB

Download
memory/2144-138-0x0000000002360000-0x0000000002384000-memory.dmp

Filesize
144KB

Download
memory/2144-134-0x0000000035000000-0x000000003502B000-memory.dmp

Filesize
172KB

Download
memory/2548-164-0x0000000002130000-0x0000000002156000-memory.dmp

Filesize
152KB

Download
memory/3912-153-0x00000000026B0000-0x00000000026D6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing