General

  • Target

    parsimonious-stage.exe

  • Size

    123KB

  • Sample

    210422-1k3hvz13se

  • MD5

    bbcc8fa58b88f33072443389a790295a

  • SHA1

    8d72096b46e5fcf5489826e510ffc19aa2007aaa

  • SHA256

    97fc2de5893ec046b4c12520a7fca2afe25254f0959dcd39796da90336f3c1ad

  • SHA512

    cd9ac7f25517fd5d96d84e37087d198aeb02dd32ff7034349c65c91ec9c01693f7ed23b141829d1f5846814d9618c82fae5fd0fe8ed82476d618b04acf79a296

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

Targets

    • Target

      parsimonious-stage.exe


    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks