ryuk

General

Target

d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f
Size

192KB
Sample

220220-bxhevafdd3
MD5

9c2f2398a853063303817e181b7cd140
SHA1

f0c032844d33537e7f270374f1f1c28ef7670683
SHA256

d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f
SHA512

4ad5d989e5e50c7cd9a5f65de4312fe63e53c97ceddd9b33a4a026c1b2fccdc27ac7406f3ec38132fb6da6c5439396bed2fee482775f55e265934fdc80425319

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f
- Size
  
  192KB
- MD5
  
  9c2f2398a853063303817e181b7cd140
- SHA1
  
  f0c032844d33537e7f270374f1f1c28ef7670683
- SHA256
  
  d4b8cbfa94bac3dbd58452fcc6c4e0b56b65a54a671a2184d9fb6e3694a0266f
- SHA512
  
  4ad5d989e5e50c7cd9a5f65de4312fe63e53c97ceddd9b33a4a026c1b2fccdc27ac7406f3ec38132fb6da6c5439396bed2fee482775f55e265934fdc80425319
Score

10^/10

ryuk persistence ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2