00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de

General
Target

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de

Size

448KB

Sample

220302-ejrm5scgd9

Score
10/10
MD5

bf7b854542cfa423dee3b7233c4a255e

SHA1

a9b09989972cc063b34c4afcd82ebe9203d61be2

SHA256

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de

SHA512

147205767585c86b29435ca44a605d06208b7e126007fbc3d5a8c1a30896f03c0d832c07608895cd1e14b3966853306ebac1058f02c2e68efc8f89fad938cada

Malware Config

Extracted

Path C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Family ryuk
Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> annuttaver1971@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html>
Emails

annuttaver1971@protonmail.com

Extracted

Path C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html
Family ryuk
Ransom Note
annuttaver1971@protonmail.com balance of shadow universe Ryuk
Emails

annuttaver1971@protonmail.com

Targets
Target

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de

MD5

bf7b854542cfa423dee3b7233c4a255e

Filesize

448KB

Score
10/10
SHA1

a9b09989972cc063b34c4afcd82ebe9203d61be2

SHA256

00dd4a371156258e4fe3c421c044b0244500df971ae37b8ea6650fd45ad8c9de

SHA512

147205767585c86b29435ca44a605d06208b7e126007fbc3d5a8c1a30896f03c0d832c07608895cd1e14b3966853306ebac1058f02c2e68efc8f89fad938cada

Signatures

  • Ryuk

    Description

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery
  • Loads dropped DLL

  • Modifies file permissions

    TTPs

    File Permissions Modification
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1

behavioral1

10/10

behavioral2

10/10