Overview

overview

10

Static

static

318963e919...c8.exe

windows7_x64

10

318963e919...c8.exe

windows10-2004_x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8

  • Size

    146KB

  • Sample

    220220-km19msafc7

  • MD5

    7a848ae6229c0d40c7ebe455ce9dd5f7

  • SHA1

    a3a7647fb25c6c037848546d143b8f968c4c6b82

  • SHA256

    318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8

  • SHA512

    0b7a22354354ecdc53678297bf10e7b721c41c701d21333b65fe063b18879e77d25be3d57f83590f875a513a747ed5f9a1a0f1e72b4119d159896bdec3437a50

Score
10/10
ryukpersistenceransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 1Cyh35KqhhDewmXy63yp9ZMqBnAWe4oJRr Ryuk No system is safe
Wallets

1Cyh35KqhhDewmXy63yp9ZMqBnAWe4oJRr

Targets

    • Target

      318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8

    • Size

      146KB

    • MD5

      7a848ae6229c0d40c7ebe455ce9dd5f7

    • SHA1

      a3a7647fb25c6c037848546d143b8f968c4c6b82

    • SHA256

      318963e919790a5ced29f618ad9c1e25ec71c16b11a89674fcf390aa1fb776c8

    • SHA512

      0b7a22354354ecdc53678297bf10e7b721c41c701d21333b65fe063b18879e77d25be3d57f83590f875a513a747ed5f9a1a0f1e72b4119d159896bdec3437a50

    Score
    10/10
    ryukpersistenceransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks