Extracted

Extracted

• • Target

    e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c

  • Size

    214KB

  • MD5

    4d3454c85d85856674bb6e835f139649

  • SHA1

    a8d64f6dddff26b423793e08994a6ee19077c1f7

  • SHA256

    e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c

  • SHA512

    e713ee2c5fe12dfa27e8294ce1a6415221cccead720dd5163d6ccb399518a810ad567db39023a763ce39a8b861b39400f1faa56d8398c7c64fa7a5fdc2010c6c

  Score

  10^/10

  ryukdiscoverypersistenceransomware

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Executes dropped EXE

  • Modifies Installed Components in the registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Adds Run key to start application

    persistence
  behavioral1behavioral2