ryuk

General

Target

3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8
Size

193KB
Sample

220220-j8v43sbeer
MD5

cb5e16ee3c210f4112a244b577c749ba
SHA1

5f8b636dcc5ad2a77fe96923cdce67277b584317
SHA256

3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8
SHA512

5ca67a4df63a73fa1062c89b9f114fc4e828597ff67d1679c0bb7bbcddb66d04d8ed02b91b5e1ec210196b2e4a8331d3564e65fd6149dfb3af0144cc12131bf3

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8
- Size
  
  193KB
- MD5
  
  cb5e16ee3c210f4112a244b577c749ba
- SHA1
  
  5f8b636dcc5ad2a77fe96923cdce67277b584317
- SHA256
  
  3b37696309e8ff7dd21717ff9edfcfab3840e62236b49a1cf6f470ee9074faf8
- SHA512
  
  5ca67a4df63a73fa1062c89b9f114fc4e828597ff67d1679c0bb7bbcddb66d04d8ed02b91b5e1ec210196b2e4a8331d3564e65fd6149dfb3af0144cc12131bf3
Score

10^/10

ryuk persistence ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2