General

  • Target

    4670052304191488.zip

  • Size

    1.1MB

  • Sample

    210329-hbjnrv6hcx

  • MD5

    4dee5e8c48891cbaa6bff2e447a34780

  • SHA1

    109b56248514eb5a6b27fa9b48ac9cec6fb55d62

  • SHA256

    6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

  • SHA512

    643227614fb34b035494dee42f8285ae1dfd5c15c3b560a018786cae40ae4fcd34a427bc1a30395d238405d76d4b96c6c8797850ef2563b5ed018dfa9804c577

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'JZwuk732'; $torlink = 'http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'CRAny5Nq'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'J5U8YdUCr'; $torlink = 'http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '5GqsR1ewcO'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'RCCF8gd'; $torlink = 'http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'nO49CJnf9vO'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TyorjXA0'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Targets

    • Target

      0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

    • Size

      208KB

    • MD5

      aa5abadf25aa3f30c1c83c5d43a7ee8f

    • SHA1

      ff50650068de776d2c0a8962cbccd7ffc431327a

    • SHA256

      0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

    • SHA512

      033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Target

      0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

    • Size

      124KB

    • MD5

      b16db2ad22dfe39c289f9ebd9ef4c493

    • SHA1

      23ccb60927905eb9be2a9ee4230ebac0836b611c

    • SHA256

      0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

    • SHA512

      5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Target

      0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

    • Size

      468KB

    • MD5

      9296a9b81bfe119bd786a6f5a8ad43ad

    • SHA1

      581cf7c453358cd94ceed70088470c32a7307c8e

    • SHA256

      0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

    • SHA512

      64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Target

      16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338

    • Size

      168KB

    • MD5

      f60db4476317c6d130d6102ef7571958

    • SHA1

      d4f41df13bc0f5eec21987f1e412d1d444f86681

    • SHA256

      16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338

    • SHA512

      7bbd954f12915a6867187b96ba62b846627c15a5a3167b72522c4f2bdea95be64782ce1cd65ad89f2edfaba161cb7088866283fddb4c57857cfc2ec795be82ca

    • Score

      8/10

    • Drops file in Drivers directory

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Drops file in System32 directory

    • Target

      180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

    • Size

      635KB

    • MD5

      a563c50c5fa0fd541248acaf72cc4e7d

    • SHA1

      4b8c12b074e20a796071aa50dc82fe2ff755e8f6

    • SHA256

      180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

    • SHA512

      d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Dave packer

      Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Target

      23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

    • Size

      121KB

    • MD5

      7364f6222ac58896e8920f32e4d30aac

    • SHA1

      915fd6fb4e20909025f876f3bb453ec52e21b7be

    • SHA256

      23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

    • SHA512

      f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Target

      3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca

    • Size

      200KB

    • MD5

      ad3a5956dc4e8fd6a62671a6204d11b9

    • SHA1

      aac34bd5c2f8e63dca20034f24384c2ce1d641b5

    • SHA256

      3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca

    • SHA512

      23edec2ddc72277efca922dc7c66fef2220d0ad3709b277c236bd883214e423143a947ff48ec2a8b57b1835b715a06b39b7d1c2a423e62dc4166ad5097742f13

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

    • Size

      544KB

    • MD5

      526fa2ecb5f8fee6aec4b5d7713d909a

    • SHA1

      51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

    • SHA256

      41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

    • SHA512

      f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks