ryuk

General

Target

9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a
Size

444KB
Sample

220305-sprrzsgeh4
MD5

1fe2b06f573c1809a79c14da0f26f605
SHA1

dc137d2c45d47d62449860f76f57dd85d34d122e
SHA256

9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a
SHA512

10070abdc4320702b3a76b229a41dc2118ec5bc42af488c5db7d3381f43f38b40f47a7b624ac623c0f8da76e5bb6f7922668ae2af6a1af8c464b82836b6c7ca1

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a
- Size
  
  444KB
- MD5
  
  1fe2b06f573c1809a79c14da0f26f605
- SHA1
  
  dc137d2c45d47d62449860f76f57dd85d34d122e
- SHA256
  
  9f8bea9fe7c238d34e4c1e1e47e4d57631b813ab7bfea50db52b229110c6a61a
- SHA512
  
  10070abdc4320702b3a76b229a41dc2118ec5bc42af488c5db7d3381f43f38b40f47a7b624ac623c0f8da76e5bb6f7922668ae2af6a1af8c464b82836b6c7ca1
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2