a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510

General

Target a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510
Size 171KB
Sample 220306-e4js2abgam
Score 10/10
MD5 567407d941d99abeff20a1b836570d30
SHA1 e8866fda01f91c6d4bf8c51cf4cbc7f103e87b0b
SHA256 a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510
SHA512 514cc28f8da0e8bf054bf0a0963c4253a16df1d5cb8e87dd09294ab97d8e1b5b5fc18c54920a3829d40b0bdda5837567a73b39b4d1839ab919d672ceaf32989b

Malware Config

Extracted

Path C:\RyukReadMe.txt
Family ryuk
Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at LisaHines@tutanota.com or LisaHines@tutanota.com BTC wallet: 15FC73BdkpDMUWmxo7e7gtLRtM8gQgXyb4 Ryuk No system is safe
Emails LisaHines@tutanota.com
Wallets 15FC73BdkpDMUWmxo7e7gtLRtM8gQgXyb4

Signatures

  • Ryuk
    Description: Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Deletes shadow copies
    Description: Ransomware often targets backup files to inhibit system recovery.
    TTPs: File Deletion, Inhibit System Recovery

  • Modifies extensions of user files
    Description: Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely a geofence check.
    TTPs: Query Registry, System Information Discovery

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials.
    TTPs: Data from Local System, Credentials in Files

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry

  • Enumerates connected drives
    Description: Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery

Tasks

static1
behavioral2
7/10