Extracted

• • Target

    1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb.sample

  • Size

    132KB

  • MD5

    ab3681a8456319f1330f7525ec6935c3

  • SHA1

    244e178e2073247893025bd51eb7618173bbac29

  • SHA256

    1328dd556749d061cd4468bf907591fde215c7b6f1755bba566d9c335e479efb

  • SHA512

    63e795ba9d18e5de28ed390810d3d61f97d7db4e8e5f49d57d567331697a83447a4d169386b7b3b08fb76f02683aa9f9c273d4ea52ee1517370554c8e6f4d42d

  Score

  10^/10

  ryukdiscoveryevasionpersistenceransomware

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Executes dropped EXE

  • Modifies Installed Components in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral1behavioral2