ryuk

General

Target

80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05
Size

203KB
Sample

220220-fw8mvshae8
MD5

8431a207fab74137df795fb46732544c
SHA1

abb80c03d3aa69ac38f62a447636b0fc1bf21d45
SHA256

80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05
SHA512

98971c7ff9154482a53c05e725cea25f873ed88d6ac721e943bad35183ad070788f28da22ec2f8ee5fb38b862664a37c15b97bffcb5567d54c6476b1abef39db

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Documents and Settings\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05
- Size
  
  203KB
- MD5
  
  8431a207fab74137df795fb46732544c
- SHA1
  
  abb80c03d3aa69ac38f62a447636b0fc1bf21d45
- SHA256
  
  80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05
- SHA512
  
  98971c7ff9154482a53c05e725cea25f873ed88d6ac721e943bad35183ad070788f28da22ec2f8ee5fb38b862664a37c15b97bffcb5567d54c6476b1abef39db
Score

10^/10

ryuk persistence ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2