ryuk

General

Target

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample
Size

116KB
Sample

210726-kawf5nc3bn
MD5

5c6273b024c93c5bdf557813868f9337
SHA1

eafe0287e6ae983c6f1ff68f6c7780cc3a037783
SHA256

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8
SHA512

4164f5d7f485cc95825cd6608e0a58eadd456d00145bc3b73d3526e07faaf9d416d03e9a62c8c789db447549421cfc2db73f54f5cd3dabc1238c5da9727c2408

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'nyMTcbyxt'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Targets

- Target
  
  473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample
- Size
  
  116KB
- MD5
  
  5c6273b024c93c5bdf557813868f9337
- SHA1
  
  eafe0287e6ae983c6f1ff68f6c7780cc3a037783
- SHA256
  
  473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8
- SHA512
  
  4164f5d7f485cc95825cd6608e0a58eadd456d00145bc3b73d3526e07faaf9d416d03e9a62c8c789db447549421cfc2db73f54f5cd3dabc1238c5da9727c2408
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2