Overview

overview

10

Static

static

a0dccbe010...10.exe

windows7_x64

10

a0dccbe010...10.exe

windows10-2004_x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510

  • Size

    171KB

  • Sample

    220306-e4js2abgam

  • MD5

    567407d941d99abeff20a1b836570d30

  • SHA1

    e8866fda01f91c6d4bf8c51cf4cbc7f103e87b0b

  • SHA256

    a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510

  • SHA512

    514cc28f8da0e8bf054bf0a0963c4253a16df1d5cb8e87dd09294ab97d8e1b5b5fc18c54920a3829d40b0bdda5837567a73b39b4d1839ab919d672ceaf32989b

Score
10/10
ryukpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at LisaHines@tutanota.com or LisaHines@tutanota.com BTC wallet: 15FC73BdkpDMUWmxo7e7gtLRtM8gQgXyb4 Ryuk No system is safe
Emails

LisaHines@tutanota.com

Wallets

15FC73BdkpDMUWmxo7e7gtLRtM8gQgXyb4

Targets

    • Target

      a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510

    • Size

      171KB

    • MD5

      567407d941d99abeff20a1b836570d30

    • SHA1

      e8866fda01f91c6d4bf8c51cf4cbc7f103e87b0b

    • SHA256

      a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510

    • SHA512

      514cc28f8da0e8bf054bf0a0963c4253a16df1d5cb8e87dd09294ab97d8e1b5b5fc18c54920a3829d40b0bdda5837567a73b39b4d1839ab919d672ceaf32989b

    Score
    10/10
    ryukpersistenceransomwarespywarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks