ryuk

General

Target

8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2
Size

187KB
Sample

220220-fsva3aaadl
MD5

2ee9a7ce3356c032d49c1947761c63b2
SHA1

30181311c46b89cc3e01d3d8207c4c533199fa88
SHA256

8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2
SHA512

d2e8c140e5935ab0761283c8f85a0f9881129a0f131e51d1d4e1257d47874be9326437bac33c1f921eff3f0658b0147f026492083e47d8bea6b50ddc9873afd2

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2
- Size
  
  187KB
- MD5
  
  2ee9a7ce3356c032d49c1947761c63b2
- SHA1
  
  30181311c46b89cc3e01d3d8207c4c533199fa88
- SHA256
  
  8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2
- SHA512
  
  d2e8c140e5935ab0761283c8f85a0f9881129a0f131e51d1d4e1257d47874be9326437bac33c1f921eff3f0658b0147f026492083e47d8bea6b50ddc9873afd2
Score

10^/10

ryuk ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Suspicious use of NtCreateProcessExOtherParentProcess

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2