General
-
Target
43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5
-
Size
170KB
-
Sample
220220-jtvvrsbdar
-
MD5
08fda98dfedd3e304a7128e4918fe1bc
-
SHA1
087793d8fdae310ee195f3e4c2d93395318f22a2
-
SHA256
43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5
-
SHA512
e39b8cca6edd9540e4259974d9dda28edf14a4de1bc0c1d5f4f8f06bde02c24dfc3e439be606a201946d45446f73eae9b005b0e681f6128d41fe3cd29b947ce4
Static task
static1
Behavioral task
behavioral1
Sample
43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
Resource
win10v2004-en-20220112
Malware Config
Extracted
C:\RyukReadMe.txt
ryuk
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Targets
Target
43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5
-
Score
10/10
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-