ryuk

General

Target

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de
Size

448KB
Sample

220302-ejrm5scgd9
MD5

bf7b854542cfa423dee3b7233c4a255e
SHA1

a9b09989972cc063b34c4afcd82ebe9203d61be2
SHA256

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de
SHA512

147205767585c86b29435ca44a605d06208b7e126007fbc3d5a8c1a30896f03c0d832c07608895cd1e14b3966853306ebac1058f02c2e68efc8f89fad938cada

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> annuttaver1971@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

annuttaver1971@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

Family

ryuk

Ransom Note

annuttaver1971@protonmail.com balance of shadow universe Ryuk

Emails

annuttaver1971@protonmail.com

Targets

- Target
  
  00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de
- Size
  
  448KB
- MD5
  
  bf7b854542cfa423dee3b7233c4a255e
- SHA1
  
  a9b09989972cc063b34c4afcd82ebe9203d61be2
- SHA256
  
  00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de
- SHA512
  
  147205767585c86b29435ca44a605d06208b7e126007fbc3d5a8c1a30896f03c0d832c07608895cd1e14b3966853306ebac1058f02c2e68efc8f89fad938cada
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Suspicious use of NtCreateProcessExOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2