ryuk

General

Target

fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303
Size

120KB
Sample

220219-31wv7affbl
MD5

8e0ce316072caa6dd41159dbd5619ece
SHA1

0adbcb1734289e7e430ed8fbe44244aadd7b50e4
SHA256

fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303
SHA512

a0f0fd7245b9fbb3edbf4d450964e7e9475855ba058e9dff0414bd98df4847a027cb0c9ff12a994bcaf651a8dd871bce924fced0e4735cfe7ec258ffa9d05df4

Score

10^/10

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '2neBqEej6'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Targets

- Target
  
  fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303
- Size
  
  120KB
- MD5
  
  8e0ce316072caa6dd41159dbd5619ece
- SHA1
  
  0adbcb1734289e7e430ed8fbe44244aadd7b50e4
- SHA256
  
  fcd5ed5542df043c9b5dcfa89aaa032e2fc965b076a138579ffb2da7bd1fe303
- SHA512
  
  a0f0fd7245b9fbb3edbf4d450964e7e9475855ba058e9dff0414bd98df4847a027cb0c9ff12a994bcaf651a8dd871bce924fced0e4735cfe7ec258ffa9d05df4
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2