ryuk | 1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb | Triage

Submit
Reports

Overview

overview

Static

static

1328dd5567...le.exe

windows7_x64

1328dd5567...le.exe

windows10_x64

Sharing

General

Target

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample
Size

132KB
Sample

210726-tmj64h8ygj
MD5

ab3681a8456319f1330f7525ec6935c3
SHA1

244e178e2073247893025bd51eb7618173bbac29
SHA256

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
SHA512

63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

Score

10^/10

ryuk discovery evasion persistence ransomware

Static task

static1

Behavioral task

behavioral1

Sample

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe

Resource

win7v20210408

ryuk discovery evasion persistence ransomware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample.exe

Resource

win10v20210408

ryuk discovery evasion persistence ransomware

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Family

ryuk

Ransom Note

orfhissipmay1970@protonmail.com balance of shadow universe Ryuk

Emails

orfhissipmay1970@protonmail.com

Targets

- Target
  
  1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample
- Size
  
  132KB
- MD5
  
  ab3681a8456319f1330f7525ec6935c3
- SHA1
  
  244e178e2073247893025bd51eb7618173bbac29
- SHA256
  
  1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb
- SHA512
  
  63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d
Score

10^/10

ryuk discovery evasion persistence ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Suspicious use of NtCreateProcessExOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

File Permissions Modification

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

ryukdiscoveryevasionpersistenceransomware

behavioral2

ryukdiscoveryevasionpersistenceransomware

© 2018-2024

Terms | Privacy