ryuk | 8ab5e286c2970c225118f01223f4f0017b9b8565059f88b32024554203c771c6 | Triage

Submit
Reports

Overview

overview

Static

static

b3846bc61c...27.exe

windows7_x64

b3846bc61c...27.exe

windows10_x64

Sharing

General

Target

4519546852245504.zip
Size

64KB
Sample

210330-t8dsmabem2
MD5

609ec98c481fbb334de9f2f9566ff945
SHA1

fa9afbe6e5492a7fd398ffa6a3a41cc5765f2461
SHA256

8ab5e286c2970c225118f01223f4f0017b9b8565059f88b32024554203c771c6
SHA512

1a821dce36c919e638b2be6aff8cca2bcdfa24505c9c95e65973f5c8fe67e456fd97a04df11e3661487c61d0dee12dcfcadf6fadecdfa94d67fecc88840a2f44

Score

10^/10

ryuk discovery persistence ransomware

Static task

static1

Behavioral task

behavioral1

Sample

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Resource

win7v20201028

ryuk discovery persistence ransomware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Resource

win10v20201028

ryuk discovery persistence ransomware

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327
- Size
  
  115KB
- MD5
  
  d736f4a3fc844b4a7e970b562fbeac85
- SHA1
  
  fdd13c9b9e6c0e07f1215780c4ab742627e57917
- SHA256
  
  b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327
- SHA512
  
  7ee0ba7a2df6cc294b9955279bbfbfe7f3e167dc208b7d9290ba67bb0c516b228d1b75c7eeebcdb9090b85e8267d239889c3ad12718a281978a1aa00ad8509fe
Score

10^/10

ryuk discovery persistence ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

ryukdiscoverypersistenceransomware

behavioral2

ryukdiscoverypersistenceransomware

© 2018-2024

Terms | Privacy