Extracted

• • Target

    23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

  • Size

    384KB

  • MD5

    5ac0f050f93f86e69026faea1fbb4450

  • SHA1

    9709774fde9ec740ad6fed8ed79903296ca9d571

  • SHA256

    23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

  • SHA512

    b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d

  Score

  10^/10

  ryukpersistenceransomwarespywarestealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Executes dropped EXE

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Deletes itself

  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral1behavioral2