ryuk | 73521579fba19f498b9a325b0b40f4f25cc90c4b5143b00a7f01cfec2d63e8c9 | Triage

Sharing

General

Target

Ryuk.Ransom.bin.zip
Size

136KB
Sample

201116-a5d8c3xyqn
MD5

8e67c5e35d8a5e4551a162124b3db5be
SHA1

bcbd44876a34d3a596ce3c4383ba6ac8a46b1e56
SHA256

73521579fba19f498b9a325b0b40f4f25cc90c4b5143b00a7f01cfec2d63e8c9
SHA512

861c9be279edc230bfeadd473765a26cf04fc6592a591dc3bf27fc0addccac5792b53a64ee5bdb570208aa23ba6a20f113f0c5bc49f5f5835b9189a363a2534f

Score

10^/10

ryuk discovery persistence ransomware spyware

Malware Config

Targets

- Target
  
  Ryuk.Ransom.bin
- Size
  
  196KB
- MD5
  
  2e66f487fedc2c5b3550a99c0f64e93c
- SHA1
  
  833b671237f563cf8bd7daa82b17850c139a8261
- SHA256
  
  4a64e31b6f1712e0eac920b8440bdc8fea1c3831405912ba483c3f2b18a28fc4
- SHA512
  
  f25c94e6abbe0ba0577d14dff4609401f5a2c8866a4acd2e5771c020c94ae8597c66f9186543981576cc6cc368145b557aa19d3b0e29e82a203db0b22ba95c58
Score

10^/10

ryuk discovery persistence ransomware spyware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Modifies service
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File Deletion

File Permissions Modification

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

ryukdiscoverypersistenceransomwarespyware

behavioral2

ryukdiscoverypersistenceransomwarespyware