General

  • Target

    aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5

  • Size

    808KB

  • Sample

    220306-hmxkcacaaj

  • MD5

    50cc057a164640715e70a43979175a3f

  • SHA1

    690d83a764b7f4b65232e25c410c02cc5901ad72

  • SHA256

    aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5

  • SHA512

    ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> unumschooler1972@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html>
Emails

unumschooler1972@protonmail.com

Targets

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Discovery

    • Query Registry (2 hits) - T1012
    • System Information Discovery (3 hits) - T1082
    • Peripheral Device Discovery (1 hit) - T1120

Tasks