ryuk

General

Target

161925cd5323dd58b3dee09c2f89c97c436cfa81c6b740d77d5fce7de0b55777
Size

202KB
Sample

220220-lyck4accfq
MD5

a0b20675907355281f517795ee1ec3dd
SHA1

f5c7ed589e5170191dbd4ea998a14d229bbff51c
SHA256

161925cd5323dd58b3dee09c2f89c97c436cfa81c6b740d77d5fce7de0b55777
SHA512

f85ae1a5332720df6992b327634311cfcf4c60cec392e0ba52f20add9018514670ed1010f08aba61c0aa1abd4009ae218c27fb1248952617a4ec6295836658a4

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> bapuverge1985@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

bapuverge1985@protonmail.com

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

bapuverge1985@protonmail.com balance of shadow universe Ryuk

Emails

bapuverge1985@protonmail.com

Targets

- Target
  
  161925cd5323dd58b3dee09c2f89c97c436cfa81c6b740d77d5fce7de0b55777
- Size
  
  202KB
- MD5
  
  a0b20675907355281f517795ee1ec3dd
- SHA1
  
  f5c7ed589e5170191dbd4ea998a14d229bbff51c
- SHA256
  
  161925cd5323dd58b3dee09c2f89c97c436cfa81c6b740d77d5fce7de0b55777
- SHA512
  
  f85ae1a5332720df6992b327634311cfcf4c60cec392e0ba52f20add9018514670ed1010f08aba61c0aa1abd4009ae218c27fb1248952617a4ec6295836658a4
Score

10^/10

ryuk persistence ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2