ryuk

General

Target

7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
Size

111KB
Sample

220220-f6l7lshbe4
MD5

cb5081d3b8af578c247dab9bd5e16841
SHA1

b4870d7b1f6a9f531259efc74a9468d8a045d8f0
SHA256

7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA512

5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
- Size
  
  111KB
- MD5
  
  cb5081d3b8af578c247dab9bd5e16841
- SHA1
  
  b4870d7b1f6a9f531259efc74a9468d8a045d8f0
- SHA256
  
  7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
- SHA512
  
  5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
behavioral1 behavioral2