Overview

overview

10

Static

static

rudZqlH.exe

windows7_x64

10

rudZqlH.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    rudZqlH.ZIP.zip

  • Size

    146KB

  • Sample

    210307-wl3ab9nen2

  • MD5

    fdb06e9e6c295e910342f70afe720c74

  • SHA1

    5f24316922e2d3e0a0e086ac16b6cafeb929cd56

  • SHA256

    42115345e6724d8aec1aad5d19ffd8a8aae03c504bee41334fccc3f168ac0662

  • SHA512

    8ca8817fb29126d83127a330ff9d03d1e782c93e4e9c0188965f8b0123e152d879324046fee35a7948415ac239d9fa2648c2d007bd30df8d02fe686b82dc455e

Score
10/10
ryukdiscoverypersistenceransomware

Malware Config

Targets

    • Target

      rudZqlH.exe

    • Size

      254KB

    • MD5

      4540720d38ed99bceeb97161ca1ff401

    • SHA1

      5714dfd839db561ebcb3cccfcb6f0e39ef644f7b

    • SHA256

      4a87552c4238cdcf1b8611da467164e609da339ff897c50ad4d04aa105ec55bb

    • SHA512

      2be902451da4262ed9899ecd570e12f31516f4d937909ee8e99f2c5dfcdbd7a218cc4eda494357678067ccc58a674944d08150248707a96e7d64ff01b83f0dbf

    Score
    10/10
    ryukdiscoverypersistenceransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks