Overview

overview

10

Static

static

320c98a9fd...89.exe

windows10_x64

10

320c98a9fd...89.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

  • Size

    190KB

  • Sample

    220506-scpf4acgak

  • MD5

    ffef678beca8ee60200bc88809d89630

  • SHA1

    b31070af1ac3e088dfc6f1599f8d12edb1b16783

  • SHA256

    320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

  • SHA512

    54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3

Score
10/10
ryukdiscoverypersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�������������������������������������������������������������������������������������������������������������������������������������������������������

Extracted

Path

C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html

Family

ryuk

Ransom Note
[email protected] balance of shadow universe Ryuk

Targets

    • Target

      320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

    • Size

      190KB

    • MD5

      ffef678beca8ee60200bc88809d89630

    • SHA1

      b31070af1ac3e088dfc6f1599f8d12edb1b16783

    • SHA256

      320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689

    • SHA512

      54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3

    Score
    10/10
    ryukdiscoverypersistenceransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks