ryuk | 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

General

Target

1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe
Size

1.2MB
MD5

0ecf16ceba335bcdc023ab71472a247f
SHA1

60b08b42bc540491f978185c0a5e3a28dbda4364
SHA256

1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
SHA512

0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

aragycred1983@protonmail.com balance of shadow universe Ryuk

Emails

aragycred1983@protonmail.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/2144-138-0x0000000002360000-0x0000000002384000-memory.dmp	dave

Executes dropped EXE 3 IoCs

Processes:

RHddzbjDzlan.exexDWSpQhpOlan.exexaMrJcRMulan.exe

pid process

1752 RHddzbjDzlan.exe
3912 xDWSpQhpOlan.exe
2548 xaMrJcRMulan.exe

pid	process
1752	RHddzbjDzlan.exe
3912	xDWSpQhpOlan.exe
2548	xaMrJcRMulan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

3848 icacls.exe
800 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exeRHddzbjDzlan.exexDWSpQhpOlan.exexaMrJcRMulan.exe

pid process

2144 1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe
1752 RHddzbjDzlan.exe
3912 xDWSpQhpOlan.exe
2548 xaMrJcRMulan.exe

pid	process
3848	icacls.exe
800	icacls.exe

pid	process
2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe
1752	RHddzbjDzlan.exe
3912	xDWSpQhpOlan.exe
2548	xaMrJcRMulan.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe

description	pid	process	target process
PID 2144 wrote to memory of 1752	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	RHddzbjDzlan.exe
PID 2144 wrote to memory of 1752	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	RHddzbjDzlan.exe
PID 2144 wrote to memory of 1752	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	RHddzbjDzlan.exe
PID 2144 wrote to memory of 3912	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	xDWSpQhpOlan.exe
PID 2144 wrote to memory of 3912	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	xDWSpQhpOlan.exe
PID 2144 wrote to memory of 3912	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	xDWSpQhpOlan.exe
PID 2144 wrote to memory of 2548	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	xaMrJcRMulan.exe
PID 2144 wrote to memory of 2548	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	xaMrJcRMulan.exe
PID 2144 wrote to memory of 2548	2144	1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe	xaMrJcRMulan.exe

C:\Users\Admin\AppData\Local\Temp\1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe
"C:\Users\Admin\AppData\Local\Temp\1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exe
"C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exe
"C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exe
"C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3848

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exe
Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RHddzbjDzlan.exe
Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exe
Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xDWSpQhpOlan.exe
Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exe
Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xaMrJcRMulan.exe
Filesize
1.2MB

MD5
0ecf16ceba335bcdc023ab71472a247f

SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364

SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09

SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1

Download Submit
C:\users\Public\RyukReadMe.html
Filesize
620B

MD5
30216037d54b0c1d9509f6f0610c9007

SHA1
963de1f69a00dce5a86e0307b0986e9f2f41f0b1

SHA256
de79f986f67a452df6237e36fd3d31c87235dbfe8986eab7ffd3a2b598cf2474

SHA512
ac0e568dbadbdee7a826dcce3f3f009da61b07cff24e2d9dfbc4972bf4b0a0a94cb1c6ddf050c416bf85bee4e5702c8bdf2c7efa0cfc5fc55a03283d6a06e2c6

Download Submit
memory/800-174-0x0000000000000000-mapping.dmp

Download
memory/1752-139-0x0000000000000000-mapping.dmp

Download
memory/1752-142-0x0000000002370000-0x0000000002396000-memory.dmp

Filesize
152KB

Download
memory/2144-130-0x0000000002390000-0x00000000023B6000-memory.dmp

Filesize
152KB

Download
memory/2144-138-0x0000000002360000-0x0000000002384000-memory.dmp

Filesize
144KB

Download
memory/2144-134-0x0000000035000000-0x000000003502B000-memory.dmp

Filesize
172KB

Download
memory/2548-161-0x0000000000000000-mapping.dmp

Download
memory/2548-164-0x0000000002130000-0x0000000002156000-memory.dmp

Filesize
152KB

Download
memory/3848-173-0x0000000000000000-mapping.dmp

Download
memory/3912-153-0x00000000026B0000-0x00000000026D6000-memory.dmp

Filesize
152KB

Download
memory/3912-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads