ryuk | 92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed | Triage

Sharing

General

Target

92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.bin
Size

353KB
Sample

201027-x88gy8282x
MD5

1737388ce8b0b5fc2dbc22f5b7352b7c
SHA1

e62135254b3a51f0180e70a11e4c3ad4a59f81c4
SHA256

92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed
SHA512

e47d6fe5049e3019dfb1161bfaf7038171dad39c657200c115cbc26f2be46ead92319e20e5e77e0e91ad93d17562090dda75efc5fb5fb22bef1d47df2aef657b

Score

10^/10

ryuk discovery ransomware spyware

Malware Config

Targets

- Target
  
  92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed.bin
- Size
  
  353KB
- MD5
  
  1737388ce8b0b5fc2dbc22f5b7352b7c
- SHA1
  
  e62135254b3a51f0180e70a11e4c3ad4a59f81c4
- SHA256
  
  92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed
- SHA512
  
  e47d6fe5049e3019dfb1161bfaf7038171dad39c657200c115cbc26f2be46ead92319e20e5e77e0e91ad93d17562090dda75efc5fb5fb22bef1d47df2aef657b
Score

10^/10

ryuk discovery ransomware spyware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

Credential Access

Credentials in Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

ryukdiscoveryransomwarespyware

behavioral2

ryukdiscoveryransomwarespyware