Overview

overview

10

Static

static

8

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Ryuk

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    mysteryRyuk.zip

  • Size

    3.2MB

  • Sample

    210423-g9fp63s9rx

  • MD5

    0e159d601ad7a0f141cf0f5e373cadc8

  • SHA1

    073b5a691a9823bd82b0bdc8398319528f2e42fb

  • SHA256

    58c50cebcd8465aff4672fdf8beae81678bd16409addfaa8135506ca90967822

  • SHA512

    b9653c2ab9b655707335bb4ec7b76f0dff4385839fade9e2b0c78eb5c2a086fa25aaf0ee41754d42c2cdfe9afc8a26b0b6099f54e1ec9afb05bae166fad09907

Score
10/10
ryukdavediscoveryransomwareupx

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'spyZ3Hxws'; $torlink = 'http://smtpys6pvcvdvram6xucwecfv7rdhs6fmxzivrbcrncdeiphryhb75id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://smtpys6pvcvdvram6xucwecfv7rdhs6fmxzivrbcrncdeiphryhb75id.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
[email protected] balance of shadow universe Ryuk

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = '2neBqEej6'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'ky0SRjh'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = '5PcRSFW'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note
[email protected] balance of shadow universe Ryuk

Targets

    • Target

      09472e7d9209b7cfc3bbc2e815a2aa843133395b

    • Size

      125KB

    • MD5

      66970cb2a5663b9ee15595096bb7d269

    • SHA1

      09472e7d9209b7cfc3bbc2e815a2aa843133395b

    • SHA256

      dcc3d3684420b9d998f854e68755246eda0d1b5a5d3f0b3e28ea1e82f32b16d6

    • SHA512

      2bba4be7e6e7f7959e7298387d0841643cb75904d7fd74032ccfca70fac5bf6b6d43feb6617f4e6d090ec5e671613fd4ad14ac6869ea3ff819d12fa9a96b58cf

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1

    • Target

      1dd4a0983a6884dddc3edf27eb5fdfc87664ed63

    • Size

      274KB

    • MD5

      4d74af75deddc969fef5fd89e65fa251

    • SHA1

      1dd4a0983a6884dddc3edf27eb5fdfc87664ed63

    • SHA256

      8879a8d1508c3297200c608f3a93da5387521767c050f17aed78dde8a0cbfe12

    • SHA512

      56cbd165259045e262b064bc1d5dd242304ef30f34b9b899b9295f79aabba02cb09438ab0c429c3828b5c13e8ebcb8f5dbae85eb4c9490f65cec9807a24d062c

    Score
    10/10
    ryukdavediscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Dave packer

      Detects executable using a packer named 'Dave' by the community, based on a string at the end.

      dave

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    behavioral2

    • Target

      2b10ad4890c4d6e2861533cc7260a9fdc7871ea2

    • Size

      157KB

    • MD5

      c1da496d8ab64225db031361a3f265a3

    • SHA1

      2b10ad4890c4d6e2861533cc7260a9fdc7871ea2

    • SHA256

      c4bd712a7f7185a2224806b85f3c6ac48de067e38d554608b3ee92422d902b28

    • SHA512

      8ead9423e31cdee8388704d7b38a9c6d4b33a9d09e729b73c70c69d5e4e09ad0fcb192dd866a1cf0a9283e099bd7d44ecb75607b63e5e5dcffc087cd60b5a047

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3

    • Target

      352b1f3533ded8c575246d4466f68c49

    • Size

      545KB

    • MD5

      352b1f3533ded8c575246d4466f68c49

    • SHA1

      e430730620feec3673b9c38d87482c9294421b19

    • SHA256

      b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da

    • SHA512

      db9ab4315417679f6d1003e97067e87aae7f1c2b9f5a8358e32004d8322a997fc5f1627c3535517ca515e9493e9edb7292f1d1c6080e19d8ea71419fd4c6e9c9

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral4

    • Target

      45295780f2ba837be42ccf50710bd2b5

    • Size

      136KB

    • MD5

      45295780f2ba837be42ccf50710bd2b5

    • SHA1

      f937b1b7b3593a38702f870077658a891974edda

    • SHA256

      60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

    • SHA512

      588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5

    • Target

      4d74af75deddc969fef5fd89e65fa251

    • Size

      274KB

    • MD5

      4d74af75deddc969fef5fd89e65fa251

    • SHA1

      1dd4a0983a6884dddc3edf27eb5fdfc87664ed63

    • SHA256

      8879a8d1508c3297200c608f3a93da5387521767c050f17aed78dde8a0cbfe12

    • SHA512

      56cbd165259045e262b064bc1d5dd242304ef30f34b9b899b9295f79aabba02cb09438ab0c429c3828b5c13e8ebcb8f5dbae85eb4c9490f65cec9807a24d062c

    Score
    10/10
    ryukdiscoveryransomwareupx

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral6

    • Target

      60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

    • Size

      136KB

    • MD5

      45295780f2ba837be42ccf50710bd2b5

    • SHA1

      f937b1b7b3593a38702f870077658a891974edda

    • SHA256

      60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

    • SHA512

      588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral7

    • Target

      75a3cf8ced873ee7bc415e27e108496b

    • Size

      140KB

    • MD5

      75a3cf8ced873ee7bc415e27e108496b

    • SHA1

      ac94165d63c75f4adf1728aa2ecb776ac7c1c18e

    • SHA256

      5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed

    • SHA512

      7c3e166ff75ad32f70bfb355167333be4f9bc5b5740a231b4a1fb5c391bd8e137ebea6a3ba5370797f016cbdb83631bb5e459e0bc64beb3246ed9605b3bdb903

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral8

    • Target

      7dee29fbeb5af549cb8a68dc47adf9721eb2b726

    • Size

      139KB

    • MD5

      f65e92fae0793bc18568f743ba0df697

    • SHA1

      7dee29fbeb5af549cb8a68dc47adf9721eb2b726

    • SHA256

      aaec6ae400b38b95ae414481d8d45f0281cf26f59f8592567dfe2223f66024ad

    • SHA512

      879ca2f058755079341d42d496f6c6b79469bdb537a2dbeb758d0d7bc5726e56515e889f620f8bdfdafe52a4cc1f83d1c335fa75f05ac7339acf6c3cde46cafe

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral9

    • Target

      8879a8d1508c3297200c608f3a93da5387521767c050f17aed78dde8a0cbfe12

    • Size

      274KB

    • MD5

      4d74af75deddc969fef5fd89e65fa251

    • SHA1

      1dd4a0983a6884dddc3edf27eb5fdfc87664ed63

    • SHA256

      8879a8d1508c3297200c608f3a93da5387521767c050f17aed78dde8a0cbfe12

    • SHA512

      56cbd165259045e262b064bc1d5dd242304ef30f34b9b899b9295f79aabba02cb09438ab0c429c3828b5c13e8ebcb8f5dbae85eb4c9490f65cec9807a24d062c

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral10

    • Target

      9b40b0d3b228d9e958c8d45fb8cec64c6851d113

    • Size

      272KB

    • MD5

      975f776f11c6d36621ba5a9da6151aa2

    • SHA1

      9b40b0d3b228d9e958c8d45fb8cec64c6851d113

    • SHA256

      ea67e662ba55629b40d0eddbaaafc824e5809f31c9e35222104637a67615c51d

    • SHA512

      6d0bae9d7b4147010542ac28ba36b151d22e2a30a63ec6ac37fa112230cd575a830b23ac389a394ad3bf9cb8293869c30be8cc92614e9bab31b366155bf6edc4

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral11

    • Target

      aaec6ae400b38b95ae414481d8d45f0281cf26f59f8592567dfe2223f66024ad

    • Size

      139KB

    • MD5

      f65e92fae0793bc18568f743ba0df697

    • SHA1

      7dee29fbeb5af549cb8a68dc47adf9721eb2b726

    • SHA256

      aaec6ae400b38b95ae414481d8d45f0281cf26f59f8592567dfe2223f66024ad

    • SHA512

      879ca2f058755079341d42d496f6c6b79469bdb537a2dbeb758d0d7bc5726e56515e889f620f8bdfdafe52a4cc1f83d1c335fa75f05ac7339acf6c3cde46cafe

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral12

    • Target

      aaf3abc4054f800aaa429c4f2e4b20af

    • Size

      274KB

    • MD5

      aaf3abc4054f800aaa429c4f2e4b20af

    • SHA1

      16e859c1222b7f4dba2361480ce33a0564e4cabf

    • SHA256

      de2b5aa6de6f7ff053308084217f7a9b977489027fb103729d6a7d94298c6a6b

    • SHA512

      650e515d0ec199efa74ed4bb2e0f622da609b9559d2663c990bb5310997f44785408f0ed2c35405445962abe33ba74266bc7f3c8b5afa0b8035856364f4e2de6

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral13

    • Target

      ac94165d63c75f4adf1728aa2ecb776ac7c1c18e

    • Size

      140KB

    • MD5

      75a3cf8ced873ee7bc415e27e108496b

    • SHA1

      ac94165d63c75f4adf1728aa2ecb776ac7c1c18e

    • SHA256

      5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed

    • SHA512

      7c3e166ff75ad32f70bfb355167333be4f9bc5b5740a231b4a1fb5c391bd8e137ebea6a3ba5370797f016cbdb83631bb5e459e0bc64beb3246ed9605b3bdb903

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral14

    • Target

      b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da

    • Size

      545KB

    • MD5

      352b1f3533ded8c575246d4466f68c49

    • SHA1

      e430730620feec3673b9c38d87482c9294421b19

    • SHA256

      b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da

    • SHA512

      db9ab4315417679f6d1003e97067e87aae7f1c2b9f5a8358e32004d8322a997fc5f1627c3535517ca515e9493e9edb7292f1d1c6080e19d8ea71419fd4c6e9c9

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral15

    • Target

      c4bd712a7f7185a2224806b85f3c6ac48de067e38d554608b3ee92422d902b28

    • Size

      157KB

    • MD5

      c1da496d8ab64225db031361a3f265a3

    • SHA1

      2b10ad4890c4d6e2861533cc7260a9fdc7871ea2

    • SHA256

      c4bd712a7f7185a2224806b85f3c6ac48de067e38d554608b3ee92422d902b28

    • SHA512

      8ead9423e31cdee8388704d7b38a9c6d4b33a9d09e729b73c70c69d5e4e09ad0fcb192dd866a1cf0a9283e099bd7d44ecb75607b63e5e5dcffc087cd60b5a047

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral16

    • Target

      de2b5aa6de6f7ff053308084217f7a9b977489027fb103729d6a7d94298c6a6b

    • Size

      274KB

    • MD5

      aaf3abc4054f800aaa429c4f2e4b20af

    • SHA1

      16e859c1222b7f4dba2361480ce33a0564e4cabf

    • SHA256

      de2b5aa6de6f7ff053308084217f7a9b977489027fb103729d6a7d94298c6a6b

    • SHA512

      650e515d0ec199efa74ed4bb2e0f622da609b9559d2663c990bb5310997f44785408f0ed2c35405445962abe33ba74266bc7f3c8b5afa0b8035856364f4e2de6

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral17

    • Target

      e430730620feec3673b9c38d87482c9294421b19

    • Size

      545KB

    • MD5

      352b1f3533ded8c575246d4466f68c49

    • SHA1

      e430730620feec3673b9c38d87482c9294421b19

    • SHA256

      b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da

    • SHA512

      db9ab4315417679f6d1003e97067e87aae7f1c2b9f5a8358e32004d8322a997fc5f1627c3535517ca515e9493e9edb7292f1d1c6080e19d8ea71419fd4c6e9c9

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral18

    • Target

      ea67e662ba55629b40d0eddbaaafc824e5809f31c9e35222104637a67615c51d

    • Size

      272KB

    • MD5

      975f776f11c6d36621ba5a9da6151aa2

    • SHA1

      9b40b0d3b228d9e958c8d45fb8cec64c6851d113

    • SHA256

      ea67e662ba55629b40d0eddbaaafc824e5809f31c9e35222104637a67615c51d

    • SHA512

      6d0bae9d7b4147010542ac28ba36b151d22e2a30a63ec6ac37fa112230cd575a830b23ac389a394ad3bf9cb8293869c30be8cc92614e9bab31b366155bf6edc4

    Score
    10/10
    ryukdiscoveryransomwareupx

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral19

    • Target

      f2e040d2c5fea1fb5e9797f7deff0a63

    • Size

      344KB

    • MD5

      f2e040d2c5fea1fb5e9797f7deff0a63

    • SHA1

      849b7b68625d04f4f9057f29994aa59a58f18060

    • SHA256

      74fa89264f62a68f1f0a24c508b8f203bcbe6be60cb66a711a468d676fa53335

    • SHA512

      73dff4b7b551ba2b942edd778c8c0855a0f16c54519967d75f0ab33c7dcb94f2660dc81730f2207af2341506425491cb4434e8e831257c8845013b9dc5ee27db

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral20

    • Target

      f937b1b7b3593a38702f870077658a891974edda

    • Size

      136KB

    • MD5

      45295780f2ba837be42ccf50710bd2b5

    • SHA1

      f937b1b7b3593a38702f870077658a891974edda

    • SHA256

      60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

    • SHA512

      588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

    Score
    10/10
    ryukdiscoveryransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery
    behavioral21

MITRE ATT&CK Enterprise v6

Tasks

static1

upx
Score
8/10

behavioral1

ryukdiscoveryransomware
Score
10/10

behavioral2

ryukdavediscoveryransomware
Score
10/10

behavioral3

ryukdiscoveryransomware
Score
10/10

behavioral4

ryukdiscoveryransomware
Score
10/10

behavioral5

ryukdiscoveryransomware
Score
10/10

behavioral6

ryukdiscoveryransomwareupx
Score
10/10

behavioral7

ryukdiscoveryransomware
Score
10/10

behavioral8

ryukdiscoveryransomware
Score
10/10

behavioral9

ryukdiscoveryransomware
Score
10/10

behavioral10

ryukdiscoveryransomware
Score
10/10

behavioral11

ryukdiscoveryransomware
Score
10/10

behavioral12

ryukdiscoveryransomware
Score
10/10

behavioral13

ryukdiscoveryransomware
Score
10/10

behavioral14

ryukdiscoveryransomware
Score
10/10

behavioral15

ryukdiscoveryransomware
Score
10/10

behavioral16

ryukdiscoveryransomware
Score
10/10

behavioral17

ryukdiscoveryransomware
Score
10/10

behavioral18

ryukdiscoveryransomware
Score
10/10

behavioral19

ryukdiscoveryransomwareupx
Score
10/10

behavioral20

ryukdiscoveryransomware
Score
10/10

behavioral21

ryukdiscoveryransomware
Score
10/10