aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5

General

Target: aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
Size: 808KB
Sample: 220306-hmxkcacaaj
Score: 10/10
MD5: 50cc057a164640715e70a43979175a3f
SHA1: 690d83a764b7f4b65232e25c410c02cc5901ad72
SHA256: aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5
SHA512: ea527edb150fd8e582e13597053a0e84604f45265181aa410608161a6e0e8aa0988e9c84735cdda01cdf6bab362a60ef490c233e1c947a15ee7b61cd48d60aa2

Malware Config

Extracted

Path: C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Family: ryuk
Ransom Note (HTML as dropped):
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> unumschooler1972@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html
Ransom Note (rendered text):
unumschooler1972@protonmail.com balance of shadow universe Ryuk
Emails:
unumschooler1972@protonmail.com
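The "Extracted" entry above is what a config extractor produces from the dropped note: the HTML is reduced to its rendered text and the contact address is pulled out of it. The following Python is an added example of that step, not the sandbox's own extractor. The sample input is the note exactly as listed in this report (with the null padding that followed "</html" in the memory dump dropped); the family heuristic, the helper names and the output layout are assumptions made for the illustration.

```python
import html
import re

# Sample input: the ransom note as listed in this report's Malware Config
# section (the null padding after "</html" in the dump is dropped).
RYUK_NOTE_HTML = (
    '<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> '
    "unumschooler1972@protonmail.com <br> </p>"
    '<p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">'
    "balance of shadow universe</p>"
    '<div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;'
    'margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html'
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The optional ">" lets the pattern also swallow an unterminated trailing
# tag such as the "</html" that survives in the dumped note.
TAG_RE = re.compile(r"<[^>]*>?")


def note_text(note_html: str) -> str:
    """Tag-stripped, whitespace-collapsed note, i.e. the 'rendered text' form."""
    return " ".join(html.unescape(TAG_RE.sub(" ", note_html)).split())


def note_emails(note_html: str) -> list[str]:
    """Contact addresses in order of first appearance, de-duplicated."""
    seen: dict[str, None] = {}
    for m in EMAIL_RE.finditer(note_text(note_html)):
        seen.setdefault(m.group(0).lower(), None)
    return list(seen)


def extract_config(note_html: str, path: str) -> dict:
    """Build a record shaped like the report's 'Extracted' block.

    Family attribution here is a naive heuristic (the word "Ryuk" in the note
    text); this is an assumption for the example, a real extractor keys on the
    binary that dropped the note, not on the note's wording.
    """
    text = note_text(note_html)
    family = "ryuk" if re.search(r"\bRyuk\b", text) else "unknown"
    return {
        "path": path,
        "family": family,
        "ransom_note": text,
        "emails": note_emails(note_html),
    }


if __name__ == "__main__":
    cfg = extract_config(
        RYUK_NOTE_HTML, r"C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html"
    )
    for key, value in cfg.items():
        print(f"{key}: {value}")
```

Running it prints the same path, family, rendered note and e-mail that the report lists. Lower-casing the address before de-duplication matters in practice: operators sometimes vary the case of the same mailbox between notes, and an indicator list keyed on the raw string would count them as distinct.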

Targets

Target: aced9fc0fe2737e1b1354b27462b7013126a573bf13b7b73fcb9b35a637831b5 (808KB, score 10/10; hashes as listed under General)

Signatures

  • Ryuk
    Description: Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Executes dropped EXE

  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely as a geofence check.
    TTPs: Query Registry, System Information Discovery

  • Loads dropped DLL

  • Enumerates connected drives
    Description: Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery

  • Suspicious use of SetThreadContext
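The signatures above are behavioural: each fires on a pattern in the API trace rather than on a byte sequence. The Python below is an added illustration of what such rules key on, written for this page; it is not the sandbox's implementation. The signature names and TTP labels are copied from the list above, the trace events are constructed for the example, and the registry location is an assumption: the report names no key, and HKCU\Control Panel\International (where Windows stores the user's configured country, e.g. Geo\Nation) is used here as the place a geofence lookup would read. Note that "dropped" is stateful: a file counts as dropped only if the sample itself wrote it earlier in the trace.

```python
import re
from dataclasses import dataclass

# Signature names and TTP labels exactly as in this report's Signatures section.
TTPS = {
    "Checks computer location settings": ["Query Registry", "System Information Discovery"],
    "Enumerates connected drives": ["Query Registry", "Peripheral Device Discovery",
                                    "System Information Discovery"],
}

# Assumption: the report does not name the key read. Windows keeps the user's
# configured country/locale under HKCU\Control Panel\International (e.g. the
# Geo\Nation value), so a read under that key is treated as the geofence lookup.
LOCATION_KEY = re.compile(r"control panel\\international", re.I)
DRIVE_ROOT = re.compile(r"^([A-Za-z]):\\$")


@dataclass
class Event:
    """One API call from a (constructed) trace: caller pid, API name, arguments."""
    pid: int
    api: str
    args: dict


def match_signatures(events: list[Event]) -> list[tuple[str, list[str]]]:
    """Return (signature, ttps) pairs in the order each signature first fires."""
    dropped: set[str] = set()          # files written by the sample itself
    hits: list[str] = []

    def hit(name: str) -> None:
        if name not in hits:
            hits.append(name)

    for ev in events:
        a = ev.args
        if ev.api in ("WriteFile", "NtWriteFile"):
            dropped.add(a["path"].lower())
        elif ev.api in ("CreateProcessW", "CreateProcessA"):
            if a["image"].lower() in dropped:
                hit("Executes dropped EXE")
        elif ev.api in ("LoadLibraryW", "LoadLibraryExW"):
            if a["path"].lower() in dropped:
                hit("Loads dropped DLL")
        elif ev.api in ("RegOpenKeyExW", "RegQueryValueExW"):
            if LOCATION_KEY.search(a["key"]):
                hit("Checks computer location settings")
        elif ev.api in ("CreateFileW", "GetFileAttributesW", "GetDriveTypeW"):
            # Root-path access on any drive other than C: is the enumeration tell.
            m = DRIVE_ROOT.match(a["path"])
            if m and m.group(1).lower() != "c":
                hit("Enumerates connected drives")
        elif ev.api in ("SetThreadContext", "NtSetContextThread"):
            # Rewriting a thread context in a different process is the injection
            # pattern; same-process use is ordinary (debuggers, exception handling).
            if a.get("target_pid", ev.pid) != ev.pid:
                hit("Suspicious use of SetThreadContext")
    return [(h, TTPS.get(h, [])) for h in hits]


# Constructed trace (not taken from the report) that exercises every rule once.
SAMPLE_TRACE = [
    Event(1000, "RegQueryValueExW", {"key": r"HKCU\Control Panel\International\Geo", "value": "Nation"}),
    Event(1000, "WriteFile", {"path": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"}),
    Event(1000, "CreateProcessW", {"image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"}),
    Event(1000, "WriteFile", {"path": r"C:\Users\Admin\AppData\Local\Temp\helper.dll"}),
    Event(1001, "LoadLibraryW", {"path": r"C:\Users\Admin\AppData\Local\Temp\helper.dll"}),
    Event(1001, "GetFileAttributesW", {"path": "C:\\"}),   # default drive: no hit
    Event(1001, "GetFileAttributesW", {"path": "D:\\"}),   # second drive: hit
    Event(1001, "SetThreadContext", {"target_pid": 1002}),
]

if __name__ == "__main__":
    for name, ttps in match_signatures(SAMPLE_TRACE):
        print(name, "->", ", ".join(ttps) or "-")
```

The point of tracking written paths before matching CreateProcess and LoadLibrary is precision: "executes an EXE" fires on every installer, while "executes an EXE this process just wrote" is the behaviour that actually separates a dropper from a benign program.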

Tasks

static1
behavioral1: 10/10
behavioral2: 10/10