ryuk | 180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

General

Target

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
Size

635KB
MD5

a563c50c5fa0fd541248acaf72cc4e7d
SHA1

4b8c12b074e20a796071aa50dc82fe2ff755e8f6
SHA256

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843
SHA512

d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479
SSDEEP

6144:LA+0uP79QAbIhsU2Hl7A6P+ZT6EnW5TMGRx4S7SM22C4:LACbIhs5He6PtgvS7SM2T4

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '5GqsR1ewcO'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Renames multiple (53) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral1/memory/1400-4-0x00000000003D0000-0x00000000003F2000-memory.dmp	dave

Executes dropped EXE 3 IoCs

pid	Process
2556	ZdHGToTNbrep.exe
2376	ZwaNijxAulan.exe
636	hPDgJQxzvlan.exe

Loads dropped DLL 3 IoCs

pid	Process
1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2580	icacls.exe
284	icacls.exe
2348	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
2556	ZdHGToTNbrep.exe
2556	ZdHGToTNbrep.exe
2376	ZwaNijxAulan.exe
2376	ZwaNijxAulan.exe
636	hPDgJQxzvlan.exe
636	hPDgJQxzvlan.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2556	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	28
PID 1400 wrote to memory of 2556	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	28
PID 1400 wrote to memory of 2556	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	28
PID 1400 wrote to memory of 2556	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	28
PID 1400 wrote to memory of 2376	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	31
PID 1400 wrote to memory of 2376	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	31
PID 1400 wrote to memory of 2376	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	31
PID 1400 wrote to memory of 2376	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	31
PID 1400 wrote to memory of 636	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	32
PID 1400 wrote to memory of 636	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	32
PID 1400 wrote to memory of 636	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	32
PID 1400 wrote to memory of 636	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	32
PID 1400 wrote to memory of 2348	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	33
PID 1400 wrote to memory of 2348	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	33
PID 1400 wrote to memory of 2348	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	33
PID 1400 wrote to memory of 2348	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	33
PID 1400 wrote to memory of 284	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	34
PID 1400 wrote to memory of 284	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	34
PID 1400 wrote to memory of 284	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	34
PID 1400 wrote to memory of 284	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	34
PID 1400 wrote to memory of 2580	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	35
PID 1400 wrote to memory of 2580	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	35
PID 1400 wrote to memory of 2580	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	35
PID 1400 wrote to memory of 2580	1400	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	35

C:\Users\Admin\AppData\Local\Temp\180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
"C:\Users\Admin\AppData\Local\Temp\180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\ZdHGToTNbrep.exe
  "C:\Users\Admin\AppData\Local\Temp\ZdHGToTNbrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\ZwaNijxAulan.exe
  "C:\Users\Admin\AppData\Local\Temp\ZwaNijxAulan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\hPDgJQxzvlan.exe
  "C:\Users\Admin\AppData\Local\Temp\hPDgJQxzvlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:636
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2348
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:284
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2580
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:3764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4000
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4088
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:3984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3256
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:4080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
0af9cf847cfa886ab5d0e8bd413da103

SHA1
3648c28f2d93f6b023e81e3458504ef2b86d5d20

SHA256
00fdfb7ffdffc5dc76ffd40ea02389cb44b3571d338a6b7fdeccdbbe862ed158

SHA512
a6e96e3ef05ea8ba0c7d5c855dc9768e4f61fc2a77955b251b4a7f492f225abd94bb3674ac46ff4e02a4c56e7166c64d33ca7ad2f3f2efeb8efe53b2a36d2d06

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
25a72f75d899ad7c51117bc9c17848bb

SHA1
c8beb8cbbb75eec938388a14675aa4d454c03738

SHA256
873eecb6fa861c255ee89b6f016a944d9c9c7da6db7a50c24311d18212e4db95

SHA512
e52427cd179ab593dbefee6420152e37e254e8178a0964111eb42122e5a0b29de672ec30947b4ee4745db0aef6eaa1a3fabea032cf901e2d8c23f6f8877bb2fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50

Filesize
1KB

MD5
60c4ca074c0ad9bad5db796a7336458e

SHA1
e01f0f69d26e348f61d8a91996978186cf5a8f0f

SHA256
b6db4f7046fed362ea8bd32242891b1c04450ae13a10164635cddfb51b2f6979

SHA512
bd8b15b522026099a479de852c65798fb3513a118a7dd34adae734bf21276184a7e444dd20483c4d0e9e311ece9e87c24e441f8e0084d1616a2f29d94944d0ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50

Filesize
1KB

MD5
ebfdc1499b826060056b3549c85a9743

SHA1
f30743b50623ebb934d2df5870012b5ad5351e49

SHA256
98ee5c7be7915ad05a88fc6b02b1f26f74e6b3791010d7101c5fedc2c09eb137

SHA512
638751d42c9cd4c3b6c0146ca3eb8c0c1cbc656eed00ac2b6aefb7cba9a07c0c14da47e2b6c8c1771df27aa21a48a5d600e0d5ce9224c86abe1d9187dce0f9c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50

Filesize
1KB

MD5
ef0cec89a0ed0b60cc3760f3e730af25

SHA1
d4d3ea37bf9c1a58c6f4338446a016e60c010926

SHA256
23147e47897803d898a81fa4b03efc03ddc926bb4209cc441de3578e77a61cef

SHA512
a3f5404efdde5badaaadf111d0f63ee405aed2742a3ffcce92f75d8b2167c9e6fe8c4de9b9ffbb7d8fdc537f542a7c5fd51ea2dec3ba0b4c09f5a9e44ff52580

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
\Users\Admin\AppData\Local\Temp\ZdHGToTNbrep.exe

Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
memory/636-65-0x0000000001DC0000-0x0000000001DE4000-memory.dmp

Filesize
144KB

Download
memory/1400-3-0x00000000004F0000-0x0000000000514000-memory.dmp

Filesize
144KB

Download
memory/1400-4-0x00000000003D0000-0x00000000003F2000-memory.dmp

Filesize
136KB

Download
memory/1400-8-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2376-44-0x0000000000560000-0x0000000000584000-memory.dmp

Filesize
144KB

Download
memory/2556-82-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-91-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-77-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-78-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-79-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-80-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-81-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-83-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-75-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-84-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-86-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-85-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-87-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-88-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-89-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-76-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-90-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-93-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-92-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-95-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-94-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-96-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-97-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-98-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-101-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-102-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-74-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-73-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2556-24-0x0000000001F30000-0x0000000001F54000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing