General
Target: 9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd
Size: 202KB
Sample: 220220-e5z7eagga2
MD5: 547f87db796b69e28453b142e9da9ed4
SHA1: 019faca2d3d5675a6d6bbcd00629c8fe33d54705
SHA256: 9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd
SHA512: 682e6cb1d510119c9897ed25a62bc436be21e3f00deccf952897b234e36444c2ebd85ef906086dfc432a491d4f3c9a63d1ab2c0e23626ac71a863521109d1eb5
Static task: static1
Behavioral task: behavioral1
Sample: 9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd.exe
Resource: win10v2004-en-20220112
Malware Config
Extracted
C:\RyukReadMe.txt
ryuk
Targets
Target: 9232dd5978aedc5919b7e2b4772cb7abcdd58c299b9b0028101d99dd2cf320fd
Score: 10/10
Suspicious use of NtCreateProcessExOtherParentProcess
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Drops desktop.ini file(s)