Overview

overview

10

Static

static

xXx.exe

windows7_x64

10

xXx.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    xXx.exe

  • Size

    298KB

  • Sample

    210309-8k3egh7cw6

  • MD5

    81bb3763db2a1affb2bf64ec94032227

  • SHA1

    a4697a87c564905d01e26051e565dd02acac0c0a

  • SHA256

    0ab020889b427c4acadabd81033b78738ee09cf755c11a6cc55b8338296c8014

  • SHA512

    918322d20b18309e84d264c6ece39d822b708d0bdbed70f8045841e04284c67560e0b0e5238d32d15e8b41d27f841318e8c39fb75a42ee0a4a1a6d6896f47b2e

Score
10/10
ryukdiscoverypersistenceransomware

Malware Config

Targets

    • Target

      xXx.exe

    • Size

      298KB

    • MD5

      81bb3763db2a1affb2bf64ec94032227

    • SHA1

      a4697a87c564905d01e26051e565dd02acac0c0a

    • SHA256

      0ab020889b427c4acadabd81033b78738ee09cf755c11a6cc55b8338296c8014

    • SHA512

      918322d20b18309e84d264c6ece39d822b708d0bdbed70f8045841e04284c67560e0b0e5238d32d15e8b41d27f841318e8c39fb75a42ee0a4a1a6d6896f47b2e

    Score
    10/10
    ryukdiscoverypersistenceransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks